XP Antimalware 2011 Removal



#1
madkayak (New Member, 3 posts)
I am starting this thread to fix the boss's PC, so we have to do a bang-up job (I found him in the machine shop asking for a sledgehammer, but I convinced him to take the afternoon off).

We have "XP Antimalware 2011 - Unregistered Version" that is preventing access to the Internet.

It starts with a Windows Security Center window, followed by an XP Antimalware 2011 scan, finished with a Danger Warning (install a copy today, that sort of thing).

I copied and ran OTL as instructed in the rookie guide. Here is the OTL log (note: during the OTL quick scan, the XP Antimalware scan started and they were running together). Start OTL Log:

OTL logfile created on: 11/19/2010 12:07:07 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\sales\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 209.00 Mb Available Physical Memory | 42.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.45 Gb Total Space | 16.67 Gb Free Space | 49.83% Space Free | Partition Type: NTFS
Drive S: | 62.33 Gb Total Space | 45.97 Gb Free Space | 73.76% Space Free | Partition Type: NTFS

Computer Name: D5HKMQ71 | User Name: sales | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/19 12:01:51 | 000,136,192 | ---- | M] () -- C:\Documents and Settings\sales\Application Data\Microsoft\Windows\shell.exe
PRC - [2010/11/19 11:56:12 | 000,133,120 | ---- | M] () -- C:\Documents and Settings\tcjones\Local Settings\Temp\dwm.exe
PRC - [2010/11/19 11:55:58 | 000,138,240 | ---- | M] () -- C:\Documents and Settings\tcjones\Application Data\Microsoft\Windows\shell.exe
PRC - [2010/11/19 11:55:48 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\tcjones\Application Data\Microsoft\svchost.exe
PRC - [2010/11/19 11:53:00 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sales\Desktop\OTL.exe
PRC - [2010/11/19 11:42:34 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\sales\Application Data\Microsoft\svchost.exe
PRC - [2010/11/19 11:27:43 | 000,188,928 | -HS- | M] () -- C:\Documents and Settings\sales\Local Settings\Application Data\pw.exe
PRC - [2010/11/19 09:31:32 | 000,147,968 | ---- | M] () -- C:\Documents and Settings\sales\Local Settings\Temp\dwm.exe
PRC - [2010/05/06 15:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/05/15 09:27:19 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/11 04:40:32 | 000,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2003/05/15 01:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/11/19 11:53:00 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sales\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/29 07:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\senfilt.sys -- (senfilt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - [2010/05/06 15:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 15:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 15:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 15:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/05/06 15:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/05/06 15:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?referrer=ign
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370



O1 HOSTS File: ([2004/08/04 00:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [svchost] C:\Documents and Settings\sales\Application Data\Microsoft\svchost.exe ()
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
F3 - HKCU WinNT: Load - (C:\DOCUME~1\sales\LOCALS~1\Temp\dwm.exe) - C:\Documents and Settings\sales\Local Settings\Temp\dwm.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1241639286890 (MUWebControl Class)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.c...loadControl.cab (Verizon Wireless Media Upload)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_19)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: vzTCPConfig http://www2.verizon....vzTCPConfig.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.252
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\sales\Application Data\Microsoft\Windows\shell.exe) - C:\Documents and Settings\sales\Application Data\Microsoft\Windows\shell.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/05 11:21:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = pezfile] -- "C:\Documents and Settings\sales\Local Settings\Application Data\pw.exe" /START "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[2010/11/19 12:02:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sales\Desktop\OTL.exe
[2010/11/19 11:59:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Data Files
[2010/11/17 12:24:14 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2010/11/17 12:20:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2010/11/09 10:19:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Adobe PDF 6.0
[2010/11/05 09:08:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/19 12:06:50 | 000,015,058 | -HS- | M] () -- C:\Documents and Settings\sales\Local Settings\Application Data\opRSK
[2010/11/19 12:01:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/19 11:55:08 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/19 11:54:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/19 11:53:00 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sales\Desktop\OTL.exe
[2010/11/19 11:44:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/19 11:38:56 | 000,000,000 | ---- | M] () -- C:\install.rdf
[2010/11/19 11:36:23 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/19 11:27:43 | 000,188,928 | -HS- | M] () -- C:\Documents and Settings\sales\Local Settings\Application Data\pw.exe
[2010/11/19 10:50:01 | 000,000,549 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2010/11/19 08:07:30 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{42CAAEC9-B836-43B6-B9D9-3F217AC4EB60}.job
[2010/11/17 12:29:42 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/11/17 12:29:42 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/11/17 12:26:52 | 000,335,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/17 12:26:51 | 000,047,890 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/17 12:24:28 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\sales\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/11/17 12:20:39 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/11/11 08:39:02 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/11/10 03:20:12 | 000,313,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/09 10:20:25 | 000,001,824 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
[2010/11/09 10:20:25 | 000,001,758 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 6.0 Standard.lnk
[2010/11/07 14:45:16 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/11/01 13:15:07 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\sales\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/10/27 08:26:53 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/26 08:02:12 | 000,038,423 | ---- | M] () -- C:\Documents and Settings\sales\Application Data\Comma Separated Values (Windows).ADR
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/19 11:38:56 | 000,000,000 | ---- | C] () -- C:\install.rdf
[2010/11/19 11:27:44 | 000,015,058 | -HS- | C] () -- C:\Documents and Settings\sales\Local Settings\Application Data\opRSK
[2010/11/19 11:27:43 | 000,188,928 | -HS- | C] () -- C:\Documents and Settings\sales\Local Settings\Application Data\pw.exe
[2010/11/17 12:20:39 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/11/11 08:39:02 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/11/09 10:20:25 | 000,001,824 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
[2010/11/09 10:20:25 | 000,001,758 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 6.0 Standard.lnk
[2010/11/01 13:15:07 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/11/01 13:15:07 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\sales\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/10/27 07:51:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/27 11:45:31 | 000,038,466 | ---- | C] () -- C:\Documents and Settings\sales\Application Data\Comma Separated Values (DOS).ADR
[2010/02/22 16:02:12 | 000,000,200 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/27 13:55:43 | 000,038,423 | ---- | C] () -- C:\Documents and Settings\sales\Application Data\Comma Separated Values (Windows).ADR
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/24 12:45:00 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\sales\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/05 13:37:25 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/07 10:48:16 | 000,000,549 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/11/05 15:27:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/05 15:04:40 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/11/05 06:08:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== LOP Check ==========

[2010/06/23 05:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/13 10:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/02/04 10:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/11/22 09:28:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sales\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/03/03 15:36:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sales\Application Data\OverDrive
[2010/01/08 14:17:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sales\Application Data\Research In Motion
[2009/08/19 09:06:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sales\Application Data\webex
[2009/01/23 08:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sales\Application Data\Windows Desktop Search
[2009/05/26 09:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sales\Application Data\Windows Search
[2010/11/19 08:07:30 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{42CAAEC9-B836-43B6-B9D9-3F217AC4EB60}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\sales\My Documents\Subcontractor Package 11-17-09.pdf:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\sales\My Documents\SE MA Lead Recovery RFQ (3).doc:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\sales\My Documents\RFQ-Hazardous Material Storage Building, P-448, Newport, RI.PDF:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\sales\My Documents\Our Request for Documents.pdf:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\sales\My Documents\2009.8.28 - Soil Analytical Data.pdf:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\sales\My Documents\2009.8.18 - Soil Analytical Data.pdf:Roxio EMC Stream

< End of report >

Attached Files

  • Attached File  OTL.Txt   39.78KB   59 downloads

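Added example (not part of the original post, and not code from OTL's author): a Python triage pass over OTL log lines of the kind shown above, flagging what a helper looks for in this log: the IE proxy forced to 127.0.0.1, copies of svchost.exe and dwm.exe running from the user profile, the HKCU Winlogon Shell pointing at shell.exe, and the .exe file association redirected to pw.exe. The sample lines are constructed from this thread's log; the regexes and the SYSTEM_ROOT constant are my assumptions about OTL's line format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Taken from the log header above: %SystemRoot% = C:\WINDOWS (assumption for other installs).
SYSTEM_ROOT = r"C:\WINDOWS"

# Windows binary names that rogue software borrows; a copy of one running from a
# user profile instead of %SystemRoot% is a classic fake-AV indicator.
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe", "lsass.exe"}

# Assumed OTL line formats, derived from the entries in the log above.
PROFILE_DIR_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\", re.I)
PRC_RE = re.compile(r"^PRC - \[[^\]]*\] \(([^)]*)\) -- (.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\.\.\\Run: \[[^\]]*\] (.+?)(?: \(([^)]*)\))?$")
O20_RE = re.compile(r"^O20 - (HK(?:LM|CU)) Winlogon: Shell - \(([^)]*)\) - .+$")
O37_RE = re.compile(r"^O37 - (HK(?:LM|CU))\\\.\.\.exe \[@ = (\w+)\] -- (.+)$")
PROXY_RE = re.compile(r'^IE - .*Internet Settings: "(ProxyEnable|ProxyServer)" = (.+)$')

Finding = Tuple[str, str]  # (category, human-readable detail)


def _check_exe(kind: str, path: str, company: Optional[str]) -> Optional[Finding]:
    """Flag executables that impersonate system binaries or hide in the user profile."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_ROOT.lower() + "\\"):
        return ("masquerade", f"{kind}: {name} running outside {SYSTEM_ROOT}: {path}")
    if PROFILE_DIR_RE.search(path) and not company:
        return ("profile-exe", f"{kind}: executable with no company name in user profile: {path}")
    return None


def triage_otl(text: str) -> List[Finding]:
    """Return one finding per suspicious OTL line, plus one for a loopback proxy."""
    findings: List[Finding] = []
    proxy: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if m := PROXY_RE.match(line):
            proxy[m.group(1)] = m.group(2).strip()
        elif m := PRC_RE.match(line):
            f = _check_exe("PRC", m.group(2), m.group(1))
            if f:
                findings.append(f)
        elif m := O4_RE.match(line):
            f = _check_exe("O4", m.group(1), m.group(2))
            if f:
                findings.append(f)
        elif m := O20_RE.match(line):
            # Winlogon Shell should be explorer.exe; anything else loads instead of the desktop.
            shell = m.group(2).rsplit("\\", 1)[-1].lower()
            if shell != "explorer.exe":
                findings.append(("shell-hijack", f"{m.group(1)} Winlogon Shell is {m.group(2)}"))
        elif m := O37_RE.match(line):
            # A handler other than exefile means every .exe launch goes through another program first.
            if m.group(2).lower() != "exefile":
                findings.append(("exe-association", f"{m.group(1)} .exe handler is {m.group(2)}: {m.group(3)}"))
    # A proxy pointed at the local host on an arbitrary port, with nothing legitimately
    # listening there, is what produces the "no Internet" symptom in this thread.
    if proxy.get("ProxyEnable") == "1":
        for entry in proxy.get("ProxyServer", "").split(";"):
            host = entry.split("=")[-1].split(":")[0].strip().lower()
            if host in ("127.0.0.1", "localhost"):
                findings.append(("proxy", f"IE proxy forced to loopback: {entry}"))
                break
    return findings


# Constructed sample: lines adapted from the OTL log in this thread.
SAMPLE_OTL = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370
PRC - [2010/11/19 11:42:34 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\sales\Application Data\Microsoft\svchost.exe
PRC - [2010/11/19 11:27:43 | 000,188,928 | -HS- | M] () -- C:\Documents and Settings\sales\Local Settings\Application Data\pw.exe
PRC - [2010/11/19 09:31:32 | 000,147,968 | ---- | M] () -- C:\Documents and Settings\sales\Local Settings\Temp\dwm.exe
PRC - [2010/05/06 15:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
O4 - HKLM..\Run: [svchost] C:\Documents and Settings\sales\Application Data\Microsoft\svchost.exe ()
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\sales\Application Data\Microsoft\Windows\shell.exe) - C:\Documents and Settings\sales\Application Data\Microsoft\Windows\shell.exe ()
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = pezfile] -- "C:\Documents and Settings\sales\Local Settings\Application Data\pw.exe" /START "%1" %* ()
"""

if __name__ == "__main__":
    for category, detail in triage_otl(SAMPLE_OTL):
        print(f"[{category}] {detail}")
```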


#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
madkayak (Topic Starter, New Member, 3 posts)
Rorschach112

Thanks for your help, I have always had great success with the folks here.

Ran ComboFix, installed the Recovery Console, and disabled avast antivirus as instructed.

I attached the log file and cut and pasted the text below (which is better?).

Log Starts here:
ComboFix 10-11-18.05 - sales 11/19/2010 13:55:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.259 [GMT -5:00]
Running from: c:\documents and settings\sales\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sales\Application Data\Microsoft\stor.cfg
c:\documents and settings\sales\Application Data\Microsoft\svchost.exe
c:\documents and settings\sales\Application Data\Microsoft\Windows\shell.exe
c:\documents and settings\sales\Local Settings\Application Data\opRSK
c:\documents and settings\sales\Local Settings\Application Data\pw.exe
c:\documents and settings\sales\Local Settings\Temporary Internet Files\AaBbaA7.jpg
c:\documents and settings\sales\Local Settings\Temporary Internet Files\pYn66bka.jpg
c:\documents and settings\sales\Local Settings\Temporary Internet Files\webex.ini
c:\documents and settings\sales\Local Settings\Temporary Internet Files\xLLM2bAm.jpg
c:\documents and settings\sales\Local Settings\Temporary Internet Files\XMjMBAJ.jpg
c:\documents and settings\tcjones\Application Data\Microsoft\stor.cfg
c:\documents and settings\tcjones\Application Data\Microsoft\svchost.exe
c:\documents and settings\tcjones\Application Data\Microsoft\Windows\shell.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 16:54 . 2010-11-19 18:27 -------- d-----w- c:\documents and settings\tcjones
2010-11-17 17:24 . 2010-11-17 17:24 -------- d-----w- c:\program files\Windows Media Connect 2
2010-11-17 17:20 . 2010-11-17 17:22 -------- d-----w- c:\windows\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-03 22:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-06 19:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-07-13 136600]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 21:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/6/2009 1:18 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2009 1:18 PM 19024]
S2 gupdate1c9d569540b0ce4;Google Update Service (gupdate1c9d569540b0ce4);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2009 9:27 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:27]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:27]

2010-11-19 c:\windows\Tasks\User_Feed_Synchronization-{42CAAEC9-B836-43B6-B9D9-3F217AC4EB60}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?referrer=ign
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/business/vzTCPConfig.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-11-19 14:08:23
ComboFix-quarantined-files.txt 2010-11-19 19:08

Pre-Run: 17,999,310,848 bytes free
Post-Run: 20,141,342,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 71694EAD636F4DBC1817691957EEF6FA

#4
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Update avast, run a full scan, and post that log here.

#5
madkayak (Topic Starter, New Member, 3 posts)
ComboFix got us up and running on Friday afternoon, thx. I will update avast, scan, and report back when I get to the office on Monday.

#6
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
ok





