
Outgoing internet requests, pop ups, and multiple trojans [Solved]


#16 Levan (Topic Starter, Member)
see attachment


Edited by Levan, 28 June 2010 - 03:39 AM.

#17 Levan (Topic Starter, Member)
Hi ali,

I wanted to check on the "Windows updates" that are still waiting on a reboot. Apparently, I'm being blocked from accessing the Windows Update site. I get "Internet Explorer cannot display the webpage", even though the main Microsoft page (and just about every other page) loads just fine.

Firefox is working after creating a new profile, but I'm getting new windows popping up using it too.

I tried again to paste the OTL logs, but I'm unable to. Hopefully, the attachments will work out for you.

#18 ali.B (Trusted Helper, Malware Removal)
Hi,

Download ComboFix here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them: Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#19 Levan (Topic Starter, Member)
Hi ali,

I ran ComboFix, but it didn't go smoothly...

It detected a rootkit and wanted to reboot. Before booting back into Windows, my computer said a disk check had been scheduled for drive D (external drive). I hadn't scheduled this. Disk check ran for a few hours, but the power went out here before it was able to finish.

Once the power was back, my computer booted back up, ComboFix came up, but there was a Windows message saying "pev.exe has experienced a problem and needs to close". ComboFix produced a log, and I've posted it below.

Thinking that the screwed up reboot may have interfered with clean results from ComboFix, I ran it again, and will post the second log in my next reply. Sorry for the additional trouble...

First ComboFix log from today - COMBOFIX LOG 1:

ComboFix 10-06-24.03 - default 06/29/2010 19:45:23.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.258 [GMT -4:00]
Running from: c:\documents and settings\default\Desktop\PC Tools\tools from geeks to go\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-26 09:32 . 2010-06-26 09:32 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 09:32 . 2010-06-26 09:32 -------- d-----w- c:\program files\Java
2010-06-25 07:02 . 2010-06-25 07:02 -------- d-----w- c:\windows\system32\KB905474
2010-06-25 00:03 . 2010-06-25 00:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-24 21:51 . 2010-06-24 21:51 -------- d-----w- c:\program files\ERUNT
2010-06-24 21:40 . 2010-06-24 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-22 05:21 . 2010-06-22 05:21 -------- d-----w- c:\documents and settings\default\Application Data\ylanukmgh
2010-06-22 05:21 . 2010-06-22 05:21 -------- d-----w- c:\documents and settings\default\Application Data\ylanukmgh
2010-06-03 06:08 . 2010-06-03 06:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Matrox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 01:54 . 2009-09-06 13:49 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-24 05:25 . 2007-04-03 00:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-25 22:02 . 2010-05-25 22:02 503808 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\msvcp71.dll
2010-05-25 22:02 . 2010-05-25 22:02 499712 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\jmc.dll
2010-05-25 22:02 . 2010-05-25 22:02 348160 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\msvcr71.dll
2010-05-25 22:02 . 2010-05-25 22:02 61440 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3275dc46-n\decora-sse.dll
2010-05-25 22:02 . 2010-05-25 22:02 12800 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3275dc46-n\decora-d3d.dll
2010-05-19 04:44 . 2010-05-19 04:44 1 ----a-w- c:\documents and settings\default\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-19 04:44 . 2010-05-19 04:44 -------- d-----w- c:\documents and settings\default\Application Data\OpenOffice.org
2010-05-19 04:40 . 2010-05-19 04:40 -------- d-----w- c:\program files\JRE
2010-05-19 04:40 . 2010-05-19 04:40 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-29 19:39 . 2009-07-02 07:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-07-02 07:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2003-11-07 04:11 . 2001-01-30 15:20 1439 ----a-w- c:\program files\GUIDE PLUS+™ System (2).lnk
2003-11-07 04:11 . 2001-01-21 04:30 1439 ----a-w- c:\program files\GUIDE PLUS+™ System.lnk
2003-11-07 04:11 . 1980-01-01 04:00 820 ----a-w- c:\program files\Dell Accessories.lnk
2001-01-28 21:58 . 2001-01-28 21:58 516 ----a-w- c:\program files\Acrobat Reader 4.0.lnk
2001-01-21 04:14 . 1980-01-01 04:00 23357 ---h--w- c:\program files\FOLDER.HTT
2001-01-08 19:46 . 2001-01-08 19:46 594 ----a-w- c:\program files\Launch DellNet by MSN.lnk
2001-01-08 19:43 . 2001-01-08 19:43 444 ----a-w- c:\program files\Send and Receive a Fax.lnk
2001-01-08 19:43 . 2001-01-08 19:43 388 ----a-w- c:\program files\PhoneTools.lnk
1998-12-09 06:53 . 1998-12-09 06:53 99840 ------w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 06:53 . 1998-12-09 06:53 70144 ------w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 48640 ------w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 31744 ------w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 186368 ------w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 06:53 . 1998-12-09 06:53 17920 ------w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( SnapShot@2010-06-25_11.01.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-29 23:44 . 2010-06-29 23:44 16384 c:\windows\temp\Perflib_Perfdata_1cc.dat
- 2009-07-12 08:57 . 2009-10-28 14:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-07-12 08:57 . 2010-04-21 13:28 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\SYSTEM32\dllcache\cabview.dll
+ 2003-11-07 03:25 . 2010-01-13 14:01 86016 c:\windows\SYSTEM32\cabview.dll
+ 2003-11-07 03:28 . 2009-12-24 06:59 177664 c:\windows\SYSTEM32\wintrust.dll
+ 2010-06-26 09:32 . 2010-06-26 09:32 153376 c:\windows\SYSTEM32\javaws.exe
- 2010-05-19 04:39 . 2010-05-19 04:39 153376 c:\windows\SYSTEM32\javaws.exe
+ 2010-06-26 09:32 . 2010-06-26 09:32 145184 c:\windows\SYSTEM32\javaw.exe
- 2010-05-19 04:39 . 2010-05-19 04:38 145184 c:\windows\SYSTEM32\javaw.exe
+ 2010-06-26 09:32 . 2010-06-26 09:32 145184 c:\windows\SYSTEM32\java.exe
- 2010-05-19 04:39 . 2010-05-19 04:38 145184 c:\windows\SYSTEM32\java.exe
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\SYSTEM32\dllcache\wintrust.dll
+ 2010-06-26 09:33 . 2010-06-26 09:33 180224 c:\windows\Installer\3585b1.msi
+ 2010-06-26 09:32 . 2010-06-26 09:32 576000 c:\windows\Installer\35859f.msi
+ 2009-07-12 22:19 . 2010-05-28 16:37 32472008 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-08-14 167936]
"Matrox Powerdesk"="c:\windows\System32\PDesk\PDesk.exe" [2001-09-21 622592]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2003-06-09 22528]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2009-02-06 4223232]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-10 98304]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^IMsecure.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\IMsecure.lnk
backup=c:\windows\pss\IMsecure.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2003-07-25 15:15 536576 ----a-w- c:\program files\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-03-19 12:53 29184 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
2006-07-26 19:59 1684480 ----a-w- c:\program files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2004-11-15 15:49 98304 ----a-w- c:\progra~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 11:53 148480 ----a-w- c:\progra~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-07-10 02:57 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2007-01-28 07:55 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 13:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-06-18 04:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-07-10 03:57 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM95\aim.exe -cnetwait.odl
"ATI Scheduler"=c:\program files\ATI MULTIMEDIA\MAIN\ATISched.EXE
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
"ATI Launchpad"="c:\program files\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
"Mozilla Quick Launch"="c:\program files\Netscape\Netscp.exe" -aim

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=c:\progra~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=c:\progra~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HPID Scheduler"=c:\program files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
"LoadQM"=loadqm.exe
"LTWinModem1"=ltmsg.exe 9
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"PestPatrol Control Center"=c:\program files\PestPatrol\PPControl.exe
"WinampAgent"="c:\program files\WINAMP\WINAMPa.exe"
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"RxMon"=c:\program files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=c:\program files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"MMTray"=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MotiveMonitor"=c:\program files\Motive\motmon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"LoadQM"=loadqm.exe
"PPMemCheck"=c:\progra~1\PESTPA~1\PPMemCheck.exe
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system\dla\tfswctrl.exe
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"Logitech Utility"=LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"ATIPOLAB"=
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"LoadBlackD"=c:\program files\Network ICE\BlackICE\blackd.exe
"SchedulingAgent"=mstask.exe
"ATIPOLL"=ati2evxx.exe
"Machine Debug Manager"=c:\windows\SYSTEM32\MDM.EXE
"RNBOStart"=c:\windows\SYSTEM\RNBOSENT\SENTSTRT.EXE
"ATISmart"=c:\windows\SYSTEM\ati2s9ag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\VSMON.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/12/2008 9:18 PM 28544]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\DRIVERS\AliEhci.sys [11/8/2003 8:41 PM 104088]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2/6/2009 2:09 PM 1263872]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2/6/2009 2:08 PM 344832]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\SYSTEM32\DRIVERS\AliRtHub.sys [11/8/2003 8:41 PM 5337]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [11/10/2003 2:17 PM 36224]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\SYSTEM32\DRIVERS\WlanUIG.sys [5/30/2005 10:21 PM 347648]
S3 G550DH;G550DH;c:\windows\SYSTEM32\DRIVERS\g550dhm.sys [9/28/2001 1:13 PM 324747]
S3 UtilNT;UtilNT;c:\windows\SYSTEM32\DRIVERS\UtilNt.sys [11/14/2003 10:43 PM 5533]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-25 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\ayez2gq0.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\default\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-RNA - rundll rnasetup.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 19:55
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\TP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"07243.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk.Hooks.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-06-29 20:00:57
ComboFix-quarantined-files.txt 2010-06-30 00:00
ComboFix2.txt 2010-06-25 11:09
ComboFix3.txt 2009-07-02 09:20

Pre-Run: 6,037,143,552 bytes free
Post-Run: 6,539,575,296 bytes free

- - End Of File - - 7FE13F54D2239A52CC9ECDA1709E1386

Edited by Levan, 29 June 2010 - 08:02 PM.

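A defender-side triage of ComboFix output like the log above, added here as an example (it is not ComboFix's or Geeks to Go's code): it pulls out the disinfected driver, splits the BootExecute value so the extra "autochk /r" entry against D: that matches the unexpected disk check is visible, lists Run values whose command carries no directory, and reports the firewall-policy values for review. The sample log is constructed from lines of the first log posted above, and every function and constant name is my own.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the first ComboFix log in this thread,
# trimmed to the sections this triage reads.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-08-14 167936]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

DISINFECTED_RE = re.compile(r"^Infected copy of (\S+) was found and disinfected", re.M)
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"   # the stock Windows XP value

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SESSION_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager"
STD_PROFILE_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
ZONELABS_KEY = r"hkey_local_machine\software\microsoft\security center\monitoring\zonelabsfirewall"

def parse_registry_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the [key] header above them (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def disinfected_files(text: str) -> List[str]:
    """Files ComboFix reports as replaced from a clean copy."""
    return DISINFECTED_RE.findall(text)

def boot_execute_entries(sections: Dict[str, List[str]]) -> List[str]:
    """Split the flattened REG_MULTI_SZ; ComboFix prints its NUL separators as '\\0'."""
    for line in sections.get(SESSION_KEY, []):
        if line.startswith("BootExecute"):
            data = line.split("REG_MULTI_SZ", 1)[1]
            return [e.strip() for e in data.split(r"\0") if e.strip()]
    return []

def scheduled_disk_checks(sections: Dict[str, List[str]]) -> List[str]:
    """Anything beyond the stock entry is a chkdsk queued for the next boot;
    here 'autochk /r' against \\??\\D: matches the unexpected check Levan saw."""
    return [e for e in boot_execute_entries(sections) if e != DEFAULT_BOOT_EXECUTE]

def run_entries_without_path(sections: Dict[str, List[str]]) -> List[str]:
    """Run values whose command has no directory are resolved through the search
    path at logon, so they are worth a second look (PCTVOICE above is one)."""
    bare = []
    for line in sections.get(RUN_KEY, []):
        m = VALUE_RE.match(line)
        if m:
            command = m.group("data").split(" [", 1)[0].strip().strip('"')
            if "\\" not in command:
                bare.append(m.group("name"))
    return bare

def firewall_findings(sections: Dict[str, List[str]]) -> List[str]:
    """Report firewall-policy values to review. EnableFirewall=0 is expected when a
    third-party firewall (ESET here) is active, so it is a check, not a verdict."""
    findings = []
    for line in sections.get(STD_PROFILE_KEY, []):
        m = VALUE_RE.match(line)
        if m and m.group("name") == "EnableFirewall" and m.group("data").split()[0] == "0":
            findings.append("Windows Firewall off for the standard profile")
    for line in sections.get(ZONELABS_KEY, []):
        m = VALUE_RE.match(line)
        if m and m.group("name") == "DisableMonitoring" and m.group("data").endswith("1"):
            findings.append("Security Center no longer monitors the ZoneLabs firewall")
    return findings

def triage(text: str) -> Dict[str, List[str]]:
    sections = parse_registry_sections(text)
    return {
        "disinfected": disinfected_files(text),
        "scheduled_disk_checks": scheduled_disk_checks(sections),
        "run_without_path": run_entries_without_path(sections),
        "firewall": firewall_findings(sections),
    }

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Run it against a full ComboFix.txt by reading the file into `triage()`; the section parser ignores the "(((((" banner lines and everything that is not under a `[key]` header.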

#20 Levan (Topic Starter, Member)
Second ComboFix log from today - COMBOFIX LOG 2:

ComboFix 10-06-24.03 - default 06/29/2010 20:24:12.4.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.220 [GMT -4:00]
Running from: c:\documents and settings\default\Desktop\PC Tools\tools from geeks to go\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-26 09:32 . 2010-06-26 09:32 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 09:32 . 2010-06-26 09:32 -------- d-----w- c:\program files\Java
2010-06-25 07:02 . 2010-06-25 07:02 -------- d-----w- c:\windows\system32\KB905474
2010-06-25 00:03 . 2010-06-25 00:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-24 21:51 . 2010-06-24 21:51 -------- d-----w- c:\program files\ERUNT
2010-06-24 21:40 . 2010-06-24 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-22 05:21 . 2010-06-22 05:21 -------- d-----w- c:\documents and settings\default\Application Data\ylanukmgh
2010-06-22 05:21 . 2010-06-22 05:21 -------- d-----w- c:\documents and settings\default\Application Data\ylanukmgh
2010-06-03 06:08 . 2010-06-03 06:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Matrox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 01:54 . 2009-09-06 13:49 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-24 05:25 . 2007-04-03 00:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-25 22:02 . 2010-05-25 22:02 503808 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\msvcp71.dll
2010-05-25 22:02 . 2010-05-25 22:02 499712 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\jmc.dll
2010-05-25 22:02 . 2010-05-25 22:02 348160 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\msvcr71.dll
2010-05-25 22:02 . 2010-05-25 22:02 61440 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3275dc46-n\decora-sse.dll
2010-05-25 22:02 . 2010-05-25 22:02 12800 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3275dc46-n\decora-d3d.dll
2010-05-19 04:44 . 2010-05-19 04:44 1 ----a-w- c:\documents and settings\default\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-19 04:44 . 2010-05-19 04:44 -------- d-----w- c:\documents and settings\default\Application Data\OpenOffice.org
2010-05-19 04:40 . 2010-05-19 04:40 -------- d-----w- c:\program files\JRE
2010-05-19 04:40 . 2010-05-19 04:40 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-29 19:39 . 2009-07-02 07:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-07-02 07:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2003-11-07 04:11 . 2001-01-30 15:20 1439 ----a-w- c:\program files\GUIDE PLUS+™ System (2).lnk
2003-11-07 04:11 . 2001-01-21 04:30 1439 ----a-w- c:\program files\GUIDE PLUS+™ System.lnk
2003-11-07 04:11 . 1980-01-01 04:00 820 ----a-w- c:\program files\Dell Accessories.lnk
2001-01-28 21:58 . 2001-01-28 21:58 516 ----a-w- c:\program files\Acrobat Reader 4.0.lnk
2001-01-21 04:14 . 1980-01-01 04:00 23357 ---h--w- c:\program files\FOLDER.HTT
2001-01-08 19:46 . 2001-01-08 19:46 594 ----a-w- c:\program files\Launch DellNet by MSN.lnk
2001-01-08 19:43 . 2001-01-08 19:43 444 ----a-w- c:\program files\Send and Receive a Fax.lnk
2001-01-08 19:43 . 2001-01-08 19:43 388 ----a-w- c:\program files\PhoneTools.lnk
1998-12-09 06:53 . 1998-12-09 06:53 99840 ------w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 06:53 . 1998-12-09 06:53 70144 ------w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 48640 ------w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 31744 ------w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 186368 ------w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 06:53 . 1998-12-09 06:53 17920 ------w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( SnapShot@2010-06-25_11.01.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-30 00:13 . 2010-06-30 00:13 16384 c:\windows\temp\Perflib_Perfdata_594.dat
- 2009-07-12 08:57 . 2009-10-28 14:07 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2009-07-12 08:57 . 2010-04-21 13:28 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\SYSTEM32\dllcache\cabview.dll
+ 2003-11-07 03:25 . 2010-01-13 14:01 86016 c:\windows\SYSTEM32\cabview.dll
+ 2003-11-07 03:28 . 2009-12-24 06:59 177664 c:\windows\SYSTEM32\wintrust.dll
+ 2010-06-26 09:32 . 2010-06-26 09:32 153376 c:\windows\SYSTEM32\javaws.exe
- 2010-05-19 04:39 . 2010-05-19 04:39 153376 c:\windows\SYSTEM32\javaws.exe
+ 2010-06-26 09:32 . 2010-06-26 09:32 145184 c:\windows\SYSTEM32\javaw.exe
- 2010-05-19 04:39 . 2010-05-19 04:38 145184 c:\windows\SYSTEM32\javaw.exe
+ 2010-06-26 09:32 . 2010-06-26 09:32 145184 c:\windows\SYSTEM32\java.exe
- 2010-05-19 04:39 . 2010-05-19 04:38 145184 c:\windows\SYSTEM32\java.exe
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\SYSTEM32\dllcache\wintrust.dll
+ 2010-06-26 09:33 . 2010-06-26 09:33 180224 c:\windows\Installer\3585b1.msi
+ 2010-06-26 09:32 . 2010-06-26 09:32 576000 c:\windows\Installer\35859f.msi
+ 2009-07-12 22:19 . 2010-05-28 16:37 32472008 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-08-14 167936]
"Matrox Powerdesk"="c:\windows\System32\PDesk\PDesk.exe" [2001-09-21 622592]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2003-06-09 22528]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2009-02-06 4223232]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-10 98304]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^IMsecure.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\IMsecure.lnk
backup=c:\windows\pss\IMsecure.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2003-07-25 15:15 536576 ----a-w- c:\program files\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-03-19 12:53 29184 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
2006-07-26 19:59 1684480 ----a-w- c:\program files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2004-11-15 15:49 98304 ----a-w- c:\progra~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 11:53 148480 ----a-w- c:\progra~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-07-10 02:57 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2007-01-28 07:55 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 13:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-06-18 04:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-07-10 03:57 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM95\aim.exe -cnetwait.odl
"ATI Scheduler"=c:\program files\ATI MULTIMEDIA\MAIN\ATISched.EXE
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
"ATI Launchpad"="c:\program files\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
"Mozilla Quick Launch"="c:\program files\Netscape\Netscp.exe" -aim

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=c:\progra~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=c:\progra~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HPID Scheduler"=c:\program files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
"LoadQM"=loadqm.exe
"LTWinModem1"=ltmsg.exe 9
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"PestPatrol Control Center"=c:\program files\PestPatrol\PPControl.exe
"WinampAgent"="c:\program files\WINAMP\WINAMPa.exe"
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"RxMon"=c:\program files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=c:\program files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"MMTray"=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MotiveMonitor"=c:\program files\Motive\motmon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"LoadQM"=loadqm.exe
"PPMemCheck"=c:\progra~1\PESTPA~1\PPMemCheck.exe
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system\dla\tfswctrl.exe
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"Logitech Utility"=LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"ATIPOLAB"=
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"LoadBlackD"=c:\program files\Network ICE\BlackICE\blackd.exe
"SchedulingAgent"=mstask.exe
"ATIPOLL"=ati2evxx.exe
"Machine Debug Manager"=c:\windows\SYSTEM32\MDM.EXE
"RNBOStart"=c:\windows\SYSTEM\RNBOSENT\SENTSTRT.EXE
"ATISmart"=c:\windows\SYSTEM\ati2s9ag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\VSMON.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/12/2008 9:18 PM 28544]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\DRIVERS\AliEhci.sys [11/8/2003 8:41 PM 104088]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2/6/2009 2:09 PM 1263872]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2/6/2009 2:08 PM 344832]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\SYSTEM32\DRIVERS\AliRtHub.sys [11/8/2003 8:41 PM 5337]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [11/10/2003 2:17 PM 36224]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\SYSTEM32\DRIVERS\WlanUIG.sys [5/30/2005 10:21 PM 347648]
S3 G550DH;G550DH;c:\windows\SYSTEM32\DRIVERS\g550dhm.sys [9/28/2001 1:13 PM 324747]
S3 UtilNT;UtilNT;c:\windows\SYSTEM32\DRIVERS\UtilNt.sys [11/14/2003 10:43 PM 5533]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-25 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\ayez2gq0.new profile\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\default\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-RNA - rundll rnasetup.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 20:33
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\TP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"07243.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk.Hooks.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-06-29 20:37:31
ComboFix-quarantined-files.txt 2010-06-30 00:37
ComboFix2.txt 2010-06-30 00:01
ComboFix3.txt 2010-06-25 11:09
ComboFix4.txt 2009-07-02 09:20

Pre-Run: 6,553,010,176 bytes free
Post-Run: 6,537,936,896 bytes free

- - End Of File - - 23A71D47B6C21EF9264D2CB137751565

Edited by Levan, 29 June 2010 - 08:03 PM.


#21
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

are you still getting redirected?

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    c:\documents and settings\default\Application Data\ylanukmgh
    c:\documents and settings\default\Application Data\ylanukmgh
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#22
Levan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi ali,

I haven't noticed any redirects since last running combofix!! Thanks for your effort so far!

OTM log below:

All processes killed
========== FILES ==========
c:\documents and settings\default\Application Data\ylanukmgh folder moved successfully.
File/Folder c:\documents and settings\default\Application Data\ylanukmgh not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: default
->Temporary Internet Files folder emptied: 5592351 bytes
->Java cache emptied: 130120 bytes
->FireFox cache emptied: 35354496 bytes
->Flash cache emptied: 1078 bytes

User: NetworkService
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 24694 bytes

User: LocalService
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
Session Manager Temp folder emptied: 0 bytes
Session Manager Tmp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06302010_040312

Files moved on Reboot...
C:\Documents and Settings\default\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\7QP84KV6\iframe[1].htm moved successfully.
C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\7QP84KV6\index[2].htm moved successfully.
C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\30JB6L7T\like[1].htm moved successfully.

Registry entries deleted on Reboot...

#23
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

#24
Levan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi ali,

OTL log as requested:

OTL logfile created on: 6/30/2010 5:22:11 PM - Run 5
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\default\Desktop\PC Tools\tools from geeks to go
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 227.00 Mb Available Physical Memory | 44.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 5.92 Gb Free Space | 15.89% Space Free | Partition Type: FAT32
Drive D: | 232.88 Gb Total Space | 47.91 Gb Free Space | 20.57% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive V: | 111.75 Gb Total Space | 34.72 Gb Free Space | 31.07% Space Free | Partition Type: FAT32

Computer Name: C1384084-A
Current User Name: default
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/24 21:30:18 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\PC Tools\tools from geeks to go\OTL.exe
PRC - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/11/16 09:03:32 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/02/06 14:09:16 | 001,263,872 | ---- | M] (Matrox Graphics Inc.) -- C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
PRC - [2009/02/06 14:08:32 | 004,223,232 | ---- | M] (Matrox Graphics Inc.) -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
PRC - [2009/02/06 14:08:28 | 000,344,832 | ---- | M] (Matrox Graphics Inc) -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
PRC - [2009/02/06 14:08:26 | 000,210,688 | ---- | M] () -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.DesktopManagement.Host.exe
PRC - [2008/04/13 19:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/13 15:02:32 | 000,156,976 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2007/07/13 15:01:40 | 000,169,264 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2007/04/04 08:48:42 | 000,087,560 | ---- | M] (Matrox Graphics Inc.) -- C:\WINDOWS\SYSTEM32\mgabg.exe
PRC - [2002/08/14 19:48:28 | 000,167,936 | ---- | M] () -- C:\WINDOWS\SYSTEM32\pctspk.exe
PRC - [2002/07/17 02:03:00 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2002/06/12 09:46:04 | 000,025,088 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\SYSTEM32\devldr32.exe
PRC - [2002/01/29 13:33:14 | 000,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [1998/08/26 15:16:14 | 000,063,488 | ---- | M] () -- C:\SUPERFAX\PROGRAM\PICPMON.EXE


========== Modules (SafeList) ==========

MOD - [2010/06/24 21:30:18 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\PC Tools\tools from geeks to go\OTL.exe
MOD - [2009/02/06 14:01:18 | 001,486,336 | ---- | M] (Matrox Graphics Inc.) -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk.Hooks.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (ATI Smart)
SRV - [2009/11/16 09:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/02/06 14:09:16 | 001,263,872 | ---- | M] (Matrox Graphics Inc.) [Auto | Running] -- C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe -- (Matrox Centering Service)
SRV - [2009/02/06 14:08:28 | 000,344,832 | ---- | M] (Matrox Graphics Inc) [Auto | Running] -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe -- (Matrox.Pdesk.ServicesHost)
SRV - [2009/01/14 17:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Disabled | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2007/07/13 15:02:32 | 000,156,976 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2007/04/04 08:48:42 | 000,087,560 | ---- | M] (Matrox Graphics Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\mgabg.exe -- (MGABGEXE)
SRV - [2005/04/19 18:05:26 | 001,210,112 | ---- | M] (Zone Labs, LLC) [On_Demand | Stopped] -- C:\WINDOWS\System32\ZONELABS\vsmon.exe -- (vsmon)
SRV - [2002/08/14 19:48:28 | 000,167,936 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\pctspk.exe -- (Pctspk)
SRV - [2002/07/17 02:03:00 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)
SRV - [2002/01/29 13:33:14 | 000,077,824 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [1998/08/26 15:16:14 | 000,063,488 | ---- | M] () [Auto | Running] -- C:\SUPERFAX\PROGRAM\PICPMON.EXE -- (Pacific Image Comm. Fax Server)


========== Driver Services (SafeList) ==========

DRV - [2009/11/16 09:06:48 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwtdi.sys -- (epfwtdi)
DRV - [2009/11/16 09:06:44 | 000,135,048 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfw.sys -- (epfw)
DRV - [2009/11/16 09:03:36 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ehdrv.sys -- (ehdrv)
DRV - [2009/11/16 08:56:12 | 000,116,520 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\eamon.sys -- (eamon)
DRV - [2009/06/19 08:10:40 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwndis.sys -- (Epfwndis)
DRV - [2009/02/06 13:19:52 | 000,350,592 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\g400dhm.sys -- (G400DH)
DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 13:53:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nmnt.sys -- (nm)
DRV - [2008/04/13 13:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2007/05/03 13:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mxopswd.sys -- (MXOPSWD)
DRV - [2006/08/24 13:44:14 | 000,477,696 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ZD1211BU.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/04/19 18:05:14 | 000,279,880 | ---- | M] (Zone Labs, LLC) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\vsdatant.sys -- (vsdatant)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/04 01:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/05/16 20:46:16 | 000,347,648 | R--- | M] ( ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WlanUIG.sys -- (WlanUIG)
DRV - [2004/04/13 19:20:08 | 000,015,781 | R--- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2003/10/28 15:17:52 | 000,005,273 | ---- | M] (Arrowkey) [Kernel | Auto | Running] -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS -- (CDRPDACC)
DRV - [2003/08/01 14:57:54 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys -- (pfc)
DRV - [2003/06/24 11:55:40 | 000,005,337 | ---- | M] (ALi Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AliRtHub.sys -- (aliroothub)
DRV - [2003/06/24 11:47:06 | 000,104,088 | ---- | M] (ALi Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AliEhci.sys -- (ALIEHCD)
DRV - [2003/03/31 12:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/03/31 12:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2003/02/03 11:09:16 | 000,013,312 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys -- (PCDCODEC)
DRV - [2003/02/03 11:09:02 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys -- (MVDCODEC)
DRV - [2003/02/03 11:08:48 | 000,102,400 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys -- (atinrvxx)
DRV - [2003/02/03 11:07:56 | 000,061,440 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys -- (ATIXSAudio)
DRV - [2003/02/03 11:07:14 | 000,050,176 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys -- (ativraxx)
DRV - [2003/02/03 11:05:08 | 000,037,888 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys -- (ATITUNEP)
DRV - [2002/08/28 22:59:12 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\an983.sys -- (AN983)
DRV - [2002/08/15 11:16:52 | 000,139,073 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ptserial.sys -- (Ptserial)
DRV - [2002/08/15 11:16:20 | 000,065,343 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vvoice.sys -- (Vvoice)
DRV - [2002/08/15 11:15:42 | 000,696,462 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vmodem.sys -- (Vmodem)
DRV - [2002/08/15 11:14:46 | 000,551,819 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vpctcom.sys -- (Vpctcom)
DRV - [2002/06/12 09:46:06 | 000,284,288 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2002/06/12 09:46:06 | 000,036,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2002/06/12 09:46:04 | 000,007,424 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2002/01/07 16:28:48 | 000,010,761 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\x10uif.sys -- (X10UIF)
DRV - [2001/10/24 18:16:10 | 000,036,224 | R--- | M] (LinkSys Group Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lne100v5.sys -- (LNE100) Linksys LNE100TX(v5)
DRV - [2001/09/28 13:13:30 | 000,324,747 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\g550dhm.sys -- (G550DH)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:28:14 | 000,112,574 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ptserlp.sys -- (Ptserlp)
DRV - [2001/08/17 12:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctljystk.sys -- (ctljystk)
DRV - [2001/03/08 13:22:16 | 000,005,500 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mgabg.sys -- (mgabg)
DRV - [2000/04/17 18:32:38 | 000,005,533 | R--- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\UtilNt.sys -- (UtilNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/08 02:15:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/07/08 02:15:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.0\Extensions\\Components: c:\Program Files\Netscape\Components [2002/11/29 19:57:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.0\Extensions\\Plugins: c:\Program Files\Netscape\Plugins [2002/11/29 19:57:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/11/27 19:28:08 | 000,000,000 | ---D | M]

[2009/07/08 02:17:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Mozilla\Extensions
[2009/07/08 02:15:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/26 05:32:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/11/18 06:30:14 | 000,164,120 | ---- | M] (Tracker Software Products Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
[2010/06/26 05:32:14 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/25 07:00:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe (Matrox Graphics Inc.)
O4 - HKLM..\Run: [Matrox PowerDesk SE] C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe (Matrox Graphics Inc.)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
O4 - HKLM..\Run: [MpsOnn] C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\MPSONN.EXE (CANON INC.)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akama...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1259480903199 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...7931.8402083333 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\SYSTEM\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Win32 Classes Reg Error: Key error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Waves.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Waves.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/11/06 22:39:28 | 000,000,500 | -HS- | M] () - C:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [2003/11/06 22:39:28 | 000,000,483 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2000/06/19 14:16:22 | 000,000,079 | -HS- | M] () - C:\AUTOEXEC.DOS -- [ FAT32 ]
O32 - AutoRun File - [2001/01/27 14:19:38 | 000,000,231 | -H-- | M] () - C:\AUTOEXEC.001 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/06/30 04:03:29 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/06/30 04:03:12 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/06/30 03:46:23 | 000,518,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\OTM.exe
[2010/06/26 05:32:02 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/06/25 06:32:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/25 06:32:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/25 06:32:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/25 06:32:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/25 06:30:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/25 03:02:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2010/06/24 17:51:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/24 17:37:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/24 17:37:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/28 03:03:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\default\Desktop\S test
[2010/05/19 00:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\default\Application Data\OpenOffice.org
[2010/05/19 00:40:51 | 000,000,000 | ---D | C] -- C:\Program Files\JRE
[2010/05/19 00:40:17 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3
[2010/05/19 00:39:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/19 00:33:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\default\Desktop\OpenOffice.org 3.2 (en-US) Installation Files
[2010/05/18 22:31:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\default\Desktop\resume templates
[2010/05/18 18:17:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2005/05/30 22:21:12 | 000,347,648 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\WlanUIG.sys
[2002/06/05 05:44:11 | 000,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\A3D.DLL
[22 C:\Documents and Settings\default\My Documents\*.tmp files -> C:\Documents and Settings\default\My Documents\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/30 05:23:38 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/30 04:34:10 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/06/30 04:33:44 | 000,013,728 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/30 04:33:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/30 04:33:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/30 04:33:18 | 536,203,264 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/30 04:31:58 | 014,417,920 | ---- | M] () -- C:\Documents and Settings\default\ntuser.dat
[2010/06/30 04:31:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\default\ntuser.ini
[2010/06/30 03:46:22 | 000,518,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\OTM.exe
[2010/06/29 20:33:26 | 000,000,378 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/29 20:22:10 | 000,000,627 | ---- | M] () -- C:\Documents and Settings\default\Desktop\Shortcut to ComboFix.lnk
[2010/06/28 23:42:50 | 000,143,544 | ---- | M] () -- C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/27 03:20:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/25 03:33:38 | 003,707,936 | -H-- | M] () -- C:\Documents and Settings\default\Application Data\IconCache.db
[2010/06/24 21:54:22 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/06/24 19:31:34 | 000,169,984 | ---- | M] () -- C:\Documents and Settings\default\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/24 19:22:14 | 000,002,985 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/24 19:22:14 | 000,000,288 | RHS- | M] () -- C:\boot.ini
[2010/06/20 04:11:28 | 000,488,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/16 20:39:52 | 000,000,340 | ---- | M] () -- C:\WINDOWS\QTW.INI
[2010/06/16 17:12:12 | 000,000,282 | ---- | M] () -- C:\WINDOWS\HPQCOPY.INI
[2010/06/13 19:02:44 | 000,002,572 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Word.lnk
[2010/05/25 00:09:44 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\default\Desktop\Shortcut to Master-Key-System[1].lnk
[2010/05/19 00:42:24 | 000,000,905 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.2.lnk
[2010/04/30 21:35:28 | 000,588,800 | ---- | M] () -- C:\Documents and Settings\default\My Documents\Care pages.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:14 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[22 C:\Documents and Settings\default\My Documents\*.tmp files -> C:\Documents and Settings\default\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/29 20:22:08 | 000,000,627 | ---- | C] () -- C:\Documents and Settings\default\Desktop\Shortcut to ComboFix.lnk
[2010/06/25 06:32:50 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/25 06:32:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/25 06:32:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/25 06:32:50 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/25 06:32:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/25 03:02:29 | 000,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/25 00:09:43 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\default\Desktop\Shortcut to Master-Key-System[1].lnk
[2010/05/19 00:42:23 | 000,000,905 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.2.lnk
[2010/04/30 21:41:58 | 000,588,800 | ---- | C] () -- C:\Documents and Settings\default\My Documents\Care pages.doc
[2009/12/21 21:39:26 | 000,000,088 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2009/04/30 17:38:52 | 000,000,208 | ---- | C] () -- C:\WINDOWS\MPASS.INI
[2004/10/10 20:48:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/10/10 20:42:39 | 000,005,120 | R--- | C] () -- C:\WINDOWS\System32\HWDll.dll
[2004/05/04 19:15:50 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2004/05/04 19:15:36 | 000,026,282 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2004/05/04 19:15:29 | 000,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
[2004/05/04 19:15:29 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
[2004/05/04 19:15:29 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
[2004/05/04 19:15:17 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
[2004/04/05 08:11:37 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2004/02/23 00:45:25 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\IMregexp.dll
[2004/02/23 00:44:28 | 000,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6g.dll
[2003/11/15 22:14:17 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2003/11/08 21:29:37 | 000,165,888 | ---- | C] () -- C:\WINDOWS\System32\hpgt53.dll
[2003/11/08 21:18:37 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EEBAPI.dll
[2003/11/08 21:18:37 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\EEBDSCVR.dll
[2003/11/08 21:18:37 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\EBAPI.dll
[2003/11/07 00:11:21 | 000,000,351 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/07 00:00:10 | 000,003,878 | ---- | C] () -- C:\WINDOWS\VTruck1.ini
[2003/11/07 00:00:10 | 000,003,369 | ---- | C] () -- C:\WINDOWS\VTruck2.ini
[2003/11/07 00:00:10 | 000,001,794 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/11/07 00:00:10 | 000,001,162 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2003/11/07 00:00:10 | 000,000,482 | ---- | C] () -- C:\WINDOWS\vidwiz.ini
[2003/11/07 00:00:10 | 000,000,391 | ---- | C] () -- C:\WINDOWS\VSTUDIO.INI
[2003/11/07 00:00:10 | 000,000,350 | ---- | C] () -- C:\WINDOWS\CDMaster.ini
[2003/11/07 00:00:10 | 000,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2003/11/07 00:00:10 | 000,000,282 | ---- | C] () -- C:\WINDOWS\HPQCOPY.INI
[2003/11/07 00:00:10 | 000,000,225 | ---- | C] () -- C:\WINDOWS\DelKey.ini
[2003/11/07 00:00:10 | 000,000,199 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2003/11/07 00:00:10 | 000,000,191 | ---- | C] () -- C:\WINDOWS\ctsyn.ini
[2003/11/07 00:00:10 | 000,000,127 | ---- | C] () -- C:\WINDOWS\LSXMPEG2.INI
[2003/11/07 00:00:10 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/11/07 00:00:10 | 000,000,104 | ---- | C] () -- C:\WINDOWS\jiaompg.ini
[2003/11/07 00:00:10 | 000,000,070 | ---- | C] () -- C:\WINDOWS\dswplug.ini
[2003/11/07 00:00:10 | 000,000,067 | ---- | C] () -- C:\WINDOWS\athenatm.ini
[2003/11/07 00:00:10 | 000,000,059 | ---- | C] () -- C:\WINDOWS\PestPatrol.ini
[2003/11/07 00:00:10 | 000,000,047 | ---- | C] () -- C:\WINDOWS\EPSP960.ini
[2003/11/07 00:00:10 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2003/11/07 00:00:10 | 000,000,028 | ---- | C] () -- C:\WINDOWS\Msdevctl.ini
[2003/11/07 00:00:10 | 000,000,024 | ---- | C] () -- C:\WINDOWS\SwDrvs.ini
[2003/11/07 00:00:10 | 000,000,012 | ---- | C] () -- C:\WINDOWS\LSXDEMO.INI
[2003/11/07 00:00:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\progman.ini
[2003/11/07 00:00:09 | 000,012,484 | ---- | C] () -- C:\WINDOWS\IOS.INI
[2003/11/07 00:00:09 | 000,007,885 | ---- | C] () -- C:\WINDOWS\NETDET.INI
[2003/11/07 00:00:09 | 000,005,068 | ---- | C] () -- C:\WINDOWS\DELETEFI.INI
[2003/11/07 00:00:09 | 000,003,598 | ---- | C] () -- C:\WINDOWS\HTMLHELP.INI
[2003/11/07 00:00:09 | 000,002,180 | ---- | C] () -- C:\WINDOWS\FONTSMRT.INI
[2003/11/07 00:00:09 | 000,001,100 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/07 00:00:09 | 000,000,934 | ---- | C] () -- C:\WINDOWS\MRUN32.INI
[2003/11/07 00:00:09 | 000,000,787 | ---- | C] () -- C:\WINDOWS\SCANREG.INI
[2003/11/07 00:00:09 | 000,000,562 | ---- | C] () -- C:\WINDOWS\TAPE.INI
[2003/11/07 00:00:09 | 000,000,340 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/11/07 00:00:09 | 000,000,226 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/11/07 00:00:09 | 000,000,225 | ---- | C] () -- C:\WINDOWS\TELEPHON.INI
[2003/11/07 00:00:09 | 000,000,167 | ---- | C] () -- C:\WINDOWS\CTREC.INI
[2003/11/07 00:00:09 | 000,000,126 | ---- | C] () -- C:\WINDOWS\CTSYNWDM.INI
[2003/11/07 00:00:09 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/11/07 00:00:09 | 000,000,060 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI
[2003/11/07 00:00:09 | 000,000,054 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2003/11/07 00:00:09 | 000,000,049 | ---- | C] () -- C:\WINDOWS\SMInfom.ini
[2003/11/07 00:00:09 | 000,000,044 | ---- | C] () -- C:\WINDOWS\BD40.INI
[2003/11/07 00:00:09 | 000,000,026 | ---- | C] () -- C:\WINDOWS\MSOFFICE.INI
[2003/11/07 00:00:09 | 000,000,015 | ---- | C] () -- C:\WINDOWS\wgedit.ini
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\UMP.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFRIEND.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPID.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DDM.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CTDiskID.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2003/11/06 23:25:26 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/03 03:32:21 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2003/03/23 20:35:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/05/24 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2002/05/24 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/04/11 11:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
[2002/02/27 17:50:00 | 000,197,120 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll
[2001/09/06 15:10:43 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2001/08/14 11:47:08 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll
[2001/07/23 18:58:06 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll
[2001/03/30 22:14:57 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\ntvideo.dll
[2001/03/30 22:14:57 | 000,211,456 | ---- | C] () -- C:\WINDOWS\System32\ntsound.dll
[2001/03/30 22:14:57 | 000,155,136 | ---- | C] () -- C:\WINDOWS\System32\jiaocd.dll
[2001/03/30 22:14:57 | 000,122,368 | ---- | C] () -- C:\WINDOWS\System32\jiaompeg.dll
[2001/03/30 22:14:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\System32\cddriver.dll
[2001/02/25 22:07:35 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\cdtool.dll
[2001/02/13 23:06:42 | 000,007,808 | ---- | C] () -- C:\WINDOWS\System32\dc240u.sys
[2001/02/13 23:06:40 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\SoyWeb.dll
[2001/02/13 23:06:40 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2001/01/28 20:59:37 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\lffpx90n.dll
[2001/01/28 20:52:28 | 000,006,724 | ---- | C] () -- C:\WINDOWS\ATM.INI
[2001/01/28 20:51:39 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2001/01/28 20:51:39 | 000,065,864 | ---- | C] () -- C:\WINDOWS\System32\Digita.sys
[2001/01/08 15:43:24 | 000,057,344 | ---- | C] () -- C:\WINDOWS\uninstBVRP.dll
[2001/01/08 15:42:21 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\AltApi.dll
[2001/01/08 15:42:20 | 000,167,456 | ---- | C] () -- C:\WINDOWS\System32\bocof.dll
[1999/01/22 18:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1998/01/12 08:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1995/07/31 21:15:18 | 000,000,057 | ---- | C] () -- C:\WINDOWS\FAX.INI
[1980/01/01 00:00:00 | 000,001,646 | ---- | C] () -- C:\WINDOWS\MSDOS.SYS

========== LOP Check ==========

[2003/11/06 23:56:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2003/11/06 23:56:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2004/10/18 06:44:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/07/16 21:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/07/12 23:36:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Matrox Graphics Inc
[2009/07/12 23:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Matrox
[2009/10/19 14:40:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2009/11/27 19:28:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2003/11/06 23:59:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Digidesign
[2003/11/06 23:59:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Xequte
[2003/11/06 23:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\VERITAS
[2003/12/01 17:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\InterVideo
[2004/09/22 22:31:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\ApplicationHistory
[2004/10/18 06:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Aim
[2006/07/16 21:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Yahoo
[2007/03/23 20:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\ImgBurn
[2007/03/24 17:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\RipIt4Me
[2007/04/02 19:54:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Matrox
[2007/11/01 22:25:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Netscape
[2007/12/16 23:16:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Leadertech
[2009/11/27 19:30:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\ESET
[2009/11/30 22:32:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\AMPSoft
[2010/05/19 00:44:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\OpenOffice.org
[2010/06/30 04:34:10 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========


< End of report >
  • 0

#25
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Congratulations, your logs appear clean :)

Reset and Re-enable your System Restore

The following will implement some cleanup procedures as well as reset System Restore points:
  • Click START then RUN
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.


NEXT

  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes


Recommendations

See Here for a list of recommendations for free Antivirus\AntiSpyware applications.


  • Keep your Windows up to date by regularly checking their website at:
    http://windowsupdate.microsoft.com/

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.


  • MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Click Here to learn how to keep a backup of your important files

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.


Thank you :)
  • 0
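The HOSTS-file mechanism described in the recommendations above (names of ad and malware sites pointed at 127.0.0.1) can be audited with a short script. This is an added example, not from the thread or from the MVPS project: it parses a constructed sample HOSTS file, lists which names are sinkholed, flags entries that point a name at some other address, and flags "protected" names (an assumption for the example, such as the Windows Update host) that a HOSTS file should never block.

```python
"""Audit a Windows HOSTS file of the kind the MVPS list installs.

Added example for this thread; the sample data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Names that legitimately map to loopback and are therefore not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, not the real MVPS list. Line numbers matter for the report.
SAMPLE_HOSTS = """\
# Constructed sample for this example, not the real MVPS list.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.invalid        # MVPS-style block entry
0.0.0.0         tracker.example.invalid    # newer lists use 0.0.0.0 instead
10.0.0.5        www.example-bank.invalid   # constructed: name sent to another host
127.0.0.1       windowsupdate.microsoft.com # constructed: blocks a site you need
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """One address followed by one or more names per line; '#' starts a comment.
    Lines with an address but no hostname are malformed and skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append(HostsEntry(no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_block_address(address: str) -> bool:
    """True for the sinkhole addresses block lists use: loopback (127.0.0.1 or ::1)
    or the unspecified address 0.0.0.0. Unparseable addresses are not block addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str, protected=()) -> Dict[str, list]:
    """Classify every entry.

    blocked        - names sinkholed to loopback/0.0.0.0 (what the MVPS list does)
    redirected     - entries that send a name to some other address; a HOSTS file
                     rarely needs these, so each one deserves a look
    protected_hits - names from `protected` that appear at all (blocking or
                     redirecting them breaks things like Windows Update)
    """
    protected = {h.lower() for h in protected}
    report: Dict[str, list] = {"blocked": [], "redirected": [], "protected_hits": []}
    for entry in parse_hosts(text):
        names = [h for h in entry.hostnames if h not in LOCAL_NAMES]
        if not names:
            continue  # plain localhost lines are expected
        report["protected_hits"].extend(h for h in names if h in protected)
        if is_block_address(entry.address):
            report["blocked"].extend(names)
        else:
            report["redirected"].append(entry)
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, protected=["windowsupdate.microsoft.com"])
    print(f"{len(result['blocked'])} names sinkholed")
    for e in result["redirected"]:
        print(f"line {e.line_no}: {', '.join(e.hostnames)} -> {e.address} (review)")
    for name in result["protected_hits"]:
        print(f"protected name present: {name}")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `audit_hosts` and review anything in `redirected` or `protected_hits`.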



#26
Levan

Levan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi ali,

Thank you so much for all your work!!

I cleaned up as advised, and will proceed with your recommendations for further security in the future.

I'm able to access Windows update now, but I'm still getting intermittent error messages saying "Internet Explorer cannot display the webpage". Sometimes it's after opening my browser for the first time, other times it occurs randomly while surfing. This has been an issue since I moved about six months ago, and my new ISP found no problems. However, since I was recently blocked from specific websites with the same error message until now, and I've never had a problem with my laptop, is there any way to tell if the web traffic on this machine is being intercepted or blocked on occasion?

Also, Firefox was working after I created a new profile a few days ago, but that profile is gone now, and I'm getting the same error message: "Firefox is already running, but not responding. To open a new window, you must first close the existing firefox process, or restart your system". Task manager doesn't show firefox running, so how can I get it back?
  • 0

#27
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Look Here for a list of possible solutions to your Firefox problem.
  • 0

#28
Levan

Levan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi ali,

Thanks for the suggestion for firefox.

As for my general connectivity issues... this has been happening in both browsers for a while, but I'm assuming you don't believe it's malware related, so I'll try some of the fixes suggested in the forums if it keeps happening.

Can you give me some idea of what all those infections were? Were they just trying to redirect me and infect my machine further? Or was any of it likely to steal data or log keystrokes on my machine?

If I back up my files, should I never access those files from another computer?
  • 0

#29
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

You had a rootkit causing your redirects.

You may access your backed-up files on other computers.
  • 0

#30
Levan

Levan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Thank you!!
  • 0





