Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Persistent problem... [Solved]

Started by ThrillCosby , Apr 28 2010 03:22 PM

This topic is locked

#1
ThrillCosby

Posted 28 April 2010 - 03:22 PM

Member

Member
16 posts

Hi! First time posting, nice forum you have here.

A couple weeks ago my poor little netbook got hit hard by a huge package of yuck.
Looks like XP Antispyware 2010, Antimalware Doctor, and several others. They stopped me from running Firefox, getting updates, and downloading fixes.

I eventually got around their sneaky walls and ran Spybot, AdAware, and MBAM.
MBAM found about 20 something hits of activity and deleted it all. The problem went away for about two days, but I still could not get windows updates so I took a bet something was lurking around.

While not as bad, whatever was left over continued to tweak around with my stuff. I downloaded Avast and it found more, deleted those, but would continue to pop up that a threat had been detected (trojan) and was being blocked. This happened about every 20 minutes, sometimes multiple times. That was last night. It hasn't prompted me yet today but I'm still suspicious. Also now on restart, I am continuously prompted that new hardware has been found:
Base System Device.

I checked out the Malware and Spyware Cleaning Guide here, excellent job by the way, and followed the steps. I ran TFC and cleared out all my temp files. Restarted. Ran a MBAM again, which came up clear. But I hit a problem with GMER Rootkit scan.

I unchecked the specified boxes and could run the scan, but about two to five minutes in and my computer gives a split second blue screen error and makes a loud click as it restarts itself without even asking me. I feel so dejected, we've know each other so long.

So I suspect that I am still plagued by something serious yet secret and I hope you friendly folks can help out.

I don't have a GMER log to post,
and the MBAM shows up clean,
but here is the OTL:

OTL logfile created on: 4/28/2010 3:36:17 PM - Run 2
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Alyson\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,012.00 Mb Total Physical Memory | 312.00 Mb Available Physical Memory | 31.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.17 Gb Total Space | 129.71 Gb Free Space | 89.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATHENS
Current User Name: Alyson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/28 06:01:42 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alyson\Desktop\OTL.exe
PRC - [2010/04/28 01:22:17 | 000,212,992 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Alyson\Local Settings\Temp\RtkBtMnt.exe
PRC - [2010/04/14 12:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/01 13:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/08 15:46:02 | 000,524,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/08 15:46:00 | 001,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/12/08 21:29:44 | 000,240,992 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/08/07 17:15:06 | 000,311,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
PRC - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/05/22 16:30:16 | 000,425,984 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2008/04/14 23:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

========== Modules (SafeList) ==========

MOD - [2010/04/28 06:01:42 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alyson\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- -- (McShield)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/08 15:46:00 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)

========== Driver Services (SafeList) ==========

DRV - [2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/02/17 16:52:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/02/17 16:52:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2010/02/17 16:52:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/02/17 16:52:10 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2010/01/05 18:04:02 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/07/20 14:49:56 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/08/07 06:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/05/20 20:31:26 | 001,312,576 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/05/20 05:53:00 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/24 21:17:10 | 000,225,024 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/04/14 23:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2008/04/14 23:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 23:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2008/04/14 23:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2008/04/14 23:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2008/04/14 23:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2008/04/14 23:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2008/04/14 23:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2008/04/14 23:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2008/04/14 23:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2008/04/14 23:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2008/04/14 23:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2008/04/14 23:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2008/04/14 23:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2008/04/14 23:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2008/04/14 23:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2008/04/14 03:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 03:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/15 01:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/10/01 15:59:46 | 001,769,984 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2005/01/13 15:46:16 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...a...09&m=aoa150
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...a...09&m=aoa150

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...a...09&m=aoa150
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8118

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {27182e60-b5f3-411c-b545-b44205977502}:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/04/17 18:35:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/26 16:16:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/27 03:35:59 | 000,000,000 | ---D | M]

[2009/01/06 22:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alyson\Application Data\Mozilla\Extensions
[2010/04/27 22:47:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alyson\Application Data\Mozilla\Firefox\Profiles\iq27tsyi.default\extensions
[2010/03/19 18:59:03 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Alyson\Application Data\Mozilla\Firefox\Profiles\iq27tsyi.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/02/21 11:30:24 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Alyson\Application Data\Mozilla\Firefox\Profiles\iq27tsyi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/03/26 14:51:21 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Alyson\Application Data\Mozilla\Firefox\Profiles\iq27tsyi.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2010/04/18 01:14:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/17 09:16:20 | 000,306,898 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10565 more lines...
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No CLSID value found.
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe (sonix)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 166.102.165.11 166.102.165.13
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Alyson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Alyson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/15 13:37:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{767b3617-014a-11de-a63d-00242b0e46e6}\Shell - "" = AutoRun
O33 - MountPoints2\{767b3617-014a-11de-a63d-00242b0e46e6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{767b3617-014a-11de-a63d-00242b0e46e6}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{91d1b0e6-fe67-11de-a676-00242b0e46e6}\Shell - "" = AutoRun
O33 - MountPoints2\{91d1b0e6-fe67-11de-a676-00242b0e46e6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{91d1b0e6-fe67-11de-a676-00242b0e46e6}\Shell\AutoRun\command - "" = D:\DPFMate.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/11/23 06:03:17 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010/04/28 06:01:36 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Alyson\Desktop\OTL.exe
[2010/04/26 01:27:30 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/26 01:27:29 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/26 01:27:27 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/26 01:27:25 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/26 01:27:22 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/26 01:27:21 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/26 01:27:20 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/26 01:25:22 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/26 01:25:22 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/26 01:23:43 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/26 01:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/23 20:22:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alyson\Application Data\Facebook
[2010/04/22 14:08:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alyson\Desktop\pisc
[2010/04/22 13:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/04/18 10:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2010/04/17 19:05:04 | 000,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/17 19:05:04 | 000,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/04/17 19:05:04 | 000,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/04/17 18:57:45 | 000,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2010/04/17 18:34:25 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2010/04/17 18:31:31 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar Installer
[2010/04/17 18:30:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/17 18:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/17 17:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2010/04/17 15:54:44 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2010/04/17 15:54:44 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2010/04/17 15:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/17 14:55:30 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/17 08:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/04/17 08:57:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/04/17 08:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/04/16 13:40:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/14 16:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/14 14:35:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alyson\Application Data\Malwarebytes
[2010/04/14 14:33:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/14 14:33:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/14 14:33:16 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/14 14:33:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/13 09:05:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/13 04:10:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alyson\Local Settings\Application Data\Threat Expert
[2010/04/13 03:29:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/13 03:29:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/13 03:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/13 03:04:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alyson\Application Data\882D26356CCFEBABBF2B4B62E3445296
[2010/03/28 16:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alyson\Desktop\Env. Sci. Paper
[2010/03/18 18:46:04 | 000,000,000 | ---D | C] -- C:\Program Files\IrfanView
[2007/04/02 00:40:54 | 000,172,032 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[2005/11/22 19:55:32 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll

========== Files - Modified Within 90 Days ==========

[2010/04/28 15:29:21 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/28 15:29:21 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/28 15:29:21 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/28 15:24:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/28 15:23:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/28 15:23:41 | 1061,105,664 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/28 06:59:03 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\Alyson\NTUSER.DAT
[2010/04/28 06:59:03 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Alyson\ntuser.ini
[2010/04/28 06:58:49 | 004,294,046 | -H-- | M] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\IconCache.db
[2010/04/28 06:01:42 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alyson\Desktop\OTL.exe
[2010/04/28 00:46:32 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/27 23:15:36 | 000,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/27 23:15:35 | 000,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/27 23:15:33 | 000,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/26 14:43:13 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/26 01:27:23 | 000,002,639 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/22 20:28:38 | 000,251,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/22 17:55:59 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/22 17:04:32 | 000,061,464 | ---- | M] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/20 09:45:35 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/17 18:20:44 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/04/17 18:20:44 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/04/17 18:19:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010/04/17 18:19:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2010/04/17 18:19:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010/04/17 18:19:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2010/04/17 18:19:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2010/04/17 18:19:43 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010/04/17 09:17:56 | 000,001,784 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/04/17 09:16:20 | 000,306,898 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/17 09:02:12 | 000,016,384 | -H-- | M] () -- C:\SZKGFS.dat
[2010/04/16 07:20:32 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Alyson\Desktop\Final Draft.doc
[2010/04/16 04:46:21 | 000,061,464 | ---- | M] () -- C:\Documents and Settings\Alyson\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/14 16:34:05 | 000,016,692 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 12:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 12:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/14 11:22:30 | 000,016,748 | -HS- | M] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 10:49:57 | 000,016,708 | -HS- | M] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\2509137411
[2010/04/14 10:49:57 | 000,016,708 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2509137411
[2010/04/14 10:45:43 | 000,016,704 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3469191438
[2010/04/14 10:45:20 | 000,016,696 | -HS- | M] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\3469191438
[2010/04/13 09:07:30 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/08 15:46:38 | 000,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/03/01 01:42:36 | 000,038,400 | ---- | M] () -- C:\Documents and Settings\Alyson\Desktop\Ethics Thought Paper Revised.doc
[2010/02/17 16:52:48 | 000,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/02/17 16:52:48 | 000,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/02/17 16:52:48 | 000,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/02/17 16:52:10 | 000,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys

========== Files Created - No Company Name ==========

[2010/04/28 02:57:27 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Alyson\Desktop\gmer.exe
[2010/04/27 03:40:56 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\Alyson\Desktop\Ethics Thought Paper Revised.doc
[2010/04/27 00:05:05 | 000,033,280 | ---- | C] () -- C:\Documents and Settings\Alyson\Desktop\Final Draft.doc
[2010/04/22 23:41:43 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/17 15:05:24 | 1061,105,664 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/17 09:16:59 | 000,001,784 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/04/17 09:02:12 | 000,016,384 | -H-- | C] () -- C:\SZKGFS.dat
[2010/04/14 13:12:03 | 000,016,744 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 10:45:20 | 000,016,696 | -HS- | C] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\3469191438
[2010/04/14 10:43:28 | 000,016,708 | -HS- | C] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\2509137411
[2010/04/14 10:43:28 | 000,016,704 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3469191438
[2010/04/14 10:41:26 | 000,016,748 | -HS- | C] () -- C:\Documents and Settings\Alyson\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 10:41:26 | 000,016,708 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2509137411
[2010/04/14 10:38:17 | 000,016,692 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 10:38:17 | 000,016,692 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/13 09:07:30 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/13 09:07:30 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/01/23 13:08:17 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/08/15 16:37:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/30 22:37:26 | 000,006,782 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/05/16 04:12:30 | 000,000,036 | ---- | C] () -- C:\WINDOWS\PidList.ini
[2008/04/14 23:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\asc3350p.sys
[2008/04/14 23:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/02/15 01:21:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2007/10/01 02:59:46 | 001,769,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2007/05/09 03:16:40 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
[2005/03/28 18:45:26 | 000,000,153 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2002/11/22 05:57:26 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2002/11/22 05:57:26 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2002/11/22 05:57:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2002/11/22 05:57:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2002/11/22 05:57:26 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2002/11/22 05:57:24 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

========== LOP Check ==========

[2010/04/26 01:23:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/09/03 12:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions
[2010/04/17 08:59:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/04/17 13:39:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/04/14 13:29:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/03/29 06:56:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/10/19 05:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/22 14:40:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/16 21:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/04/27 21:16:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alyson\Application Data\.purple
[2010/04/17 15:52:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alyson\Application Data\882D26356CCFEBABBF2B4B62E3445296
[2010/04/23 20:22:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alyson\Application Data\Facebook
[2009/12/28 17:18:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alyson\Application Data\gtk-2.0
[2010/04/26 14:43:13 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/04/28 15:23:20 | 000,006,940 | ---- | M] () -- C:\aaw7boot.log
[2008/08/15 13:37:44 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/04/28 15:29:21 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/08/15 13:37:44 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/04/28 15:23:41 | 1061,105,664 | -HS- | M] () -- C:\hiberfil.sys
[2008/08/15 13:37:44 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/08/15 13:37:44 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 23:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 23:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/04/28 15:23:20 | 1585,446,912 | -HS- | M] () -- C:\pagefile.sys
[2008/08/15 16:42:52 | 000,000,080 | ---- | M] () -- C:\Preload.aaa
[2009/02/05 00:14:54 | 000,000,012 | -H-- | M] () -- C:\reachd.cz
[2008/08/15 13:57:08 | 000,000,542 | ---- | M] () -- C:\RHDSetup.log
[2010/04/17 09:02:12 | 000,016,384 | -H-- | M] () -- C:\SZKGFS.dat
[1999/11/11 03:17:54 | 000,000,049 | ---- | M] () -- C:\XPH.TAG

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 23:00:00 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/08/15 06:29:32 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/08/15 06:29:32 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/08/15 06:29:32 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aavmker4.sys
[2010/04/28 06:59:05 | 000,022,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\asc3350p.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon2.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswSP.sys
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/17 16:52:48 | 000,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys
[2010/02/17 16:52:48 | 000,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys
[2010/02/17 16:52:10 | 000,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys
[2010/02/17 16:52:48 | 000,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Thanks!

#2
Rorschach112

Posted 28 April 2010 - 03:26 PM

Ralphie

Retired Staff
47,710 posts

Download ComboFix here :

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

Click me
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
ThrillCosby

Posted 28 April 2010 - 04:01 PM

Member

Topic Starter
Member
16 posts

ComboFix 10-04-28.03 - Alyson 04/28/2010 17:48:53.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.311 [GMT -4:00]
Running from: c:\documents and settings\Alyson\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alyson\Application Data\882D26356CCFEBABBF2B4B62E3445296
c:\documents and settings\Alyson\Application Data\882D26356CCFEBABBF2B4B62E3445296\enemies-names.txt

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-26 05:27 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-26 05:27 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 05:27 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-26 05:27 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-26 05:27 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-26 05:27 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-26 05:27 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-26 05:25 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-26 05:25 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-26 05:23 . 2010-04-26 05:23 -------- d-----w- c:\program files\Alwil Software
2010-04-26 05:23 . 2010-04-26 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-24 00:22 . 2010-04-24 00:22 50354 ----a-w- c:\documents and settings\Alyson\Application Data\Facebook\uninstall.exe
2010-04-24 00:22 . 2010-04-24 00:22 -------- d-----w- c:\documents and settings\Alyson\Application Data\Facebook
2010-04-23 21:55 . 2010-04-23 21:55 503808 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31bfd048-n\msvcp71.dll
2010-04-23 21:55 . 2010-04-23 21:55 61440 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7cce4602-n\decora-sse.dll
2010-04-23 21:55 . 2010-04-23 21:55 499712 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31bfd048-n\jmc.dll
2010-04-23 21:55 . 2010-04-23 21:55 348160 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31bfd048-n\msvcr71.dll
2010-04-23 21:55 . 2010-04-23 21:55 12800 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7cce4602-n\decora-d3d.dll
2010-04-22 17:33 . 2010-04-22 17:33 -------- d-----w- c:\program files\MSXML 4.0
2010-04-18 14:09 . 2010-04-26 19:54 -------- d-----w- c:\program files\McAfee Security Scan
2010-04-17 23:05 . 2010-02-17 20:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-17 23:05 . 2010-02-17 20:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-17 23:05 . 2010-02-17 20:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-17 22:57 . 2010-02-17 20:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-17 22:34 . 2010-04-17 22:34 -------- d-----w- c:\program files\MSN Toolbar
2010-04-17 22:31 . 2010-04-17 22:36 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-04-17 22:30 . 2010-04-17 22:30 -------- d-----w- c:\program files\Common Files\Java
2010-04-17 22:28 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 21:01 . 2010-04-17 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-17 13:02 . 2010-04-17 13:02 16384 ---ha-w- C:\SZKGFS.dat
2010-04-17 12:59 . 2010-04-17 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-17 12:57 . 2010-04-17 12:57 -------- d-----w- c:\program files\Common Files\iS3
2010-04-17 12:57 . 2010-04-17 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-14 20:32 . 2010-04-14 20:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-14 18:35 . 2010-04-14 18:35 -------- d-----w- c:\documents and settings\Alyson\Application Data\Malwarebytes
2010-04-14 18:33 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:33 . 2010-04-14 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:33 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 18:33 . 2010-04-17 19:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 13:07 . 2010-04-20 13:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-13 13:07 . 2010-04-13 13:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 08:10 . 2010-04-13 08:10 -------- d-----w- c:\documents and settings\Alyson\Local Settings\Application Data\Threat Expert
2010-04-13 07:18 . 2010-04-14 17:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 21:45 . 2009-01-07 02:53 -------- d-----w- c:\documents and settings\Alyson\Application Data\.purple
2010-04-28 10:59 . 2008-04-15 03:00 22400 ----a-w- c:\windows\system32\drivers\asc3350p.sys
2010-04-28 03:05 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-28 03:05 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2010-04-22 21:04 . 2009-01-06 12:52 61464 -c--a-w- c:\documents and settings\Alyson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-22 18:04 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-22 17:36 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
2010-04-17 22:28 . 2009-01-09 05:40 -------- d-----w- c:\program files\Java
2010-04-17 19:54 . 2009-07-15 09:23 -------- d-----w- c:\program files\DivX
2010-04-17 19:44 . 2010-03-18 22:46 -------- d-----w- c:\program files\IrfanView
2010-04-17 13:17 . 2010-04-17 13:16 1784 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-11 13:40 . 2009-06-23 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 08:16 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-11 12:38 . 2007-08-14 01:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-15 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-15 03:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-05-09 10:53 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Alyson\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Alyson\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-24 13:11 . 2008-04-15 03:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-15 03:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-15 03:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-15 03:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-15 03:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-08 19:46 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-07-17 14:40 53248 -c----w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-09 01:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 23:51 3885408 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/22/2009 2:43 PM 64160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 1:27 AM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 1:27 AM 19024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys --> c:\windows\system32\DRIVERS\jmcr.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 127.0.0.1:8118
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Alyson\Application Data\Mozilla\Firefox\Profiles\iq27tsyi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\Alyson\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-28 17:59:19
ComboFix-quarantined-files.txt 2010-04-28 21:59

Pre-Run: 139,175,264,256 bytes free
Post-Run: 139,246,784,512 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 40BA390CD87FEC02334E71529383A70F

#4
Rorschach112

Posted 28 April 2010 - 04:10 PM

Ralphie

Retired Staff
47,710 posts

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...em-t275495.html

Collect::

Suspect::
C:\WINDOWS\system32\drivers\asc3350p.sys
TDL::
C:\WINDOWS\system32\drivers\asc3350p.sys

Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

#5
ThrillCosby

Posted 28 April 2010 - 04:32 PM

Member

Topic Starter
Member
16 posts

ComboFix 10-04-28.03 - Alyson 04/28/2010 18:18:49.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.388 [GMT -4:00]
Running from: c:\documents and settings\Alyson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alyson\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\drivers\asc3350p.sys
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-26 05:27 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-26 05:27 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 05:27 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-26 05:27 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-26 05:27 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-26 05:27 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-26 05:27 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-26 05:25 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-26 05:25 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-26 05:23 . 2010-04-26 05:23 -------- d-----w- c:\program files\Alwil Software
2010-04-26 05:23 . 2010-04-26 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-24 00:22 . 2010-04-24 00:22 50354 ----a-w- c:\documents and settings\Alyson\Application Data\Facebook\uninstall.exe
2010-04-24 00:22 . 2010-04-24 00:22 -------- d-----w- c:\documents and settings\Alyson\Application Data\Facebook
2010-04-23 21:55 . 2010-04-23 21:55 503808 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31bfd048-n\msvcp71.dll
2010-04-23 21:55 . 2010-04-23 21:55 61440 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7cce4602-n\decora-sse.dll
2010-04-23 21:55 . 2010-04-23 21:55 499712 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31bfd048-n\jmc.dll
2010-04-23 21:55 . 2010-04-23 21:55 348160 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31bfd048-n\msvcr71.dll
2010-04-23 21:55 . 2010-04-23 21:55 12800 ----a-w- c:\documents and settings\Alyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7cce4602-n\decora-d3d.dll
2010-04-22 17:33 . 2010-04-22 17:33 -------- d-----w- c:\program files\MSXML 4.0
2010-04-18 14:09 . 2010-04-26 19:54 -------- d-----w- c:\program files\McAfee Security Scan
2010-04-17 23:05 . 2010-02-17 20:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-17 23:05 . 2010-02-17 20:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-17 23:05 . 2010-02-17 20:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-17 22:57 . 2010-02-17 20:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-17 22:34 . 2010-04-17 22:34 -------- d-----w- c:\program files\MSN Toolbar
2010-04-17 22:31 . 2010-04-17 22:36 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-04-17 22:30 . 2010-04-17 22:30 -------- d-----w- c:\program files\Common Files\Java
2010-04-17 22:28 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 21:01 . 2010-04-17 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-17 13:02 . 2010-04-17 13:02 16384 ---ha-w- C:\SZKGFS.dat
2010-04-17 12:59 . 2010-04-17 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-17 12:57 . 2010-04-17 12:57 -------- d-----w- c:\program files\Common Files\iS3
2010-04-17 12:57 . 2010-04-17 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-14 20:32 . 2010-04-14 20:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-14 18:35 . 2010-04-14 18:35 -------- d-----w- c:\documents and settings\Alyson\Application Data\Malwarebytes
2010-04-14 18:33 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:33 . 2010-04-14 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:33 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 18:33 . 2010-04-17 19:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 13:07 . 2010-04-20 13:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-13 13:07 . 2010-04-13 13:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 08:10 . 2010-04-13 08:10 -------- d-----w- c:\documents and settings\Alyson\Local Settings\Application Data\Threat Expert
2010-04-13 07:18 . 2010-04-14 17:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 21:45 . 2009-01-07 02:53 -------- d-----w- c:\documents and settings\Alyson\Application Data\.purple
2010-04-28 10:59 . 2008-04-15 03:00 22400 ----a-w- c:\windows\system32\drivers\asc3350p.sys
2010-04-28 03:05 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-28 03:05 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2010-04-22 21:04 . 2009-01-06 12:52 61464 -c--a-w- c:\documents and settings\Alyson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-22 18:04 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-22 17:36 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
2010-04-17 22:28 . 2009-01-09 05:40 -------- d-----w- c:\program files\Java
2010-04-17 19:54 . 2009-07-15 09:23 -------- d-----w- c:\program files\DivX
2010-04-17 19:44 . 2010-03-18 22:46 -------- d-----w- c:\program files\IrfanView
2010-04-17 13:17 . 2010-04-17 13:16 1784 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-11 13:40 . 2009-06-23 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 08:16 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-11 12:38 . 2007-08-14 01:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-15 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-15 03:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-05-09 10:53 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Alyson\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Alyson\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-24 13:11 . 2008-04-15 03:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-15 03:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-15 03:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-15 03:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-15 03:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-08 19:46 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-07-17 14:40 53248 -c----w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-09 01:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 23:51 3885408 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/22/2009 2:43 PM 64160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 1:27 AM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 1:27 AM 19024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys --> c:\windows\system32\DRIVERS\jmcr.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 127.0.0.1:8118
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Alyson\Application Data\Mozilla\Firefox\Profiles\iq27tsyi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\Alyson\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-28 18:28:16
ComboFix-quarantined-files.txt 2010-04-28 22:28
ComboFix2.txt 2010-04-28 21:59

Pre-Run: 139,257,307,136 bytes free
Post-Run: 139,243,089,920 bytes free

- - End Of File - - 8D8CB434B842BB84046B12D439F81847
Upload was successful

#6
Rorschach112

Posted 28 April 2010 - 04:36 PM

Ralphie

Retired Staff
47,710 posts

hows it running

any redirects ?

#7
ThrillCosby

Posted 28 April 2010 - 04:59 PM

Member

Topic Starter
Member
16 posts

Just restarted and things seem to be alright.

I still received the notice of new hardware,
not sure if that is related at all.

But no warnings from Avast,
nothing wrong in Firefox or IE,
and I can connect to the windows update page now as well.

Tried a few webpages and nothing redirected.

#8
Rorschach112

Posted 28 April 2010 - 05:01 PM

Ralphie

Retired Staff
47,710 posts

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#9
ThrillCosby

Posted 29 April 2010 - 02:28 AM

Member

Topic Starter
Member
16 posts

MBAM:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/28/2010 8:06:51 PM
mbam-log-2010-04-28 (20-06-51).txt

Scan type: Quick scan
Objects scanned: 105160
Time elapsed: 15 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, April 29, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 28, 2010 21:50:23
Records in database: 3998946
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Objects scanned: 51312
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 06:43:30

File name / Threat / Threats count
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP416\A0051734.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

Bingo.

#10
Rorschach112

Posted 29 April 2010 - 06:17 AM

Ralphie

Retired Staff
47,710 posts

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
Please follow the prompts to uninstall Combofix.
You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

Open OTL
Under the Custom Scans/Fixes box at the bottom, paste the following:
```
:Commands
[clearallrestorepoints]
```
Click the Run Fix button at the top
It might ask you to reboot, if so click YES

Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
Click on the CleanUp button.
Click Yes to begin the cleanup process and remove tools, including this application
You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.

#11
ThrillCosby

Posted 29 April 2010 - 12:21 PM

Member

Topic Starter
Member
16 posts

Done.

So this:

File name / Threat / Threats count
C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP416\A0051734.sys Infected: Rootkit.Win32.TDSS.ap 1

From the last Kaspersky scan isn't a problem?

If not thanks for all your help!
Keep up the great work.

#12
Rorschach112

Posted 29 April 2010 - 03:55 PM

Ralphie

Retired Staff
47,710 posts

my last post gets rid of that

#13
ThrillCosby

Posted 30 April 2010 - 01:32 AM

Member

Topic Starter
Member
16 posts

Wonderful, keep up the awesome work and thanks for the help.

I'll donate soon!

#14
Rorschach112

Posted 30 April 2010 - 05:05 AM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.