Please help me complete the cleaning of my laptop (Dell Inspiron 6400) from a virus/malware infection. Recently I have been alerted by Symantec Endpoint Protection about web attacks.
Here is a short extract from the Symantec log with the most important recent events referencing threats:
65 4/22/2011 11:23:20 AM Intrusion Prevention Critical Outgoing TCP 195.28.10.36 C:\Program Files\Mozilla Firefox\firefox.exe [SID: 24092] Web Attack: Blackhole Toolkit Website detected.
66 5/2/2011 2:11:43 AM Intrusion Prevention Critical Outgoing TCP 193.105.154.235 C:\Program Files\Mozilla Firefox\firefox.exe [SID: 24092] Web Attack: Blackhole Toolkit Website detected.
67 5/2/2011 1:37:21 PM Intrusion Prevention Critical Incoming TCP 93.186.170.59 C:\DOCUME~1\Lyudmila\LOCALS~1\Temp\swamrxocen.tmp [SID: 23837] Malicious Site: Malicious IP Address detected.
69 5/2/2011 1:40:21 PM Intrusion Prevention Critical Incoming TCP 188.95.52.161 C:\WINDOWS\system32\svchost.exe [SID: 23615] System Infected: Tidserv Activity 2 detected.
117 5/4/2011 9:17:00 AM Intrusion Prevention Critical Outgoing TCP 76.74.155.225 C:\WINDOWS\system32\svchost.exe [SID: 24079] WebAttack: Exploit Kit Variant Activity detected.
118 5/5/2011 10:57:52 PM Intrusion Prevention Critical Incoming TCP 64.111.211.155 C:\Program Files\Internet Explorer\iexplore.exe [SID: 24020] Fake App Attack: Fake AV Redirect 10 detected.
I have managed to remove the TDSS rootkit (TDL4) using TDSSKiller (run MBRcheck first). However, when I tried to get the new Firefox 4 using the IE browser (usually Mozilla is the browser of my choice), Symantec blocked a malicious website (see latest event 118 above re Fake AV) as my Google search was redirected. I immediately disconnected and scanned my computer with MBAM and Symantec EP. Neither scan was able to catch and fix any threats. I also created a new System Restore point and reran TDSSKiller, which did not detect the infection this time (FYI - I prevented stpd from loading by renaming it). So obviously this case needs to be targeted and treated with other tools and your expertise.
I am now using a different computer for the Internet connection to prevent further attacks and the possible spread of infection across my wireless network. Without an Internet connection the Dell laptop runs very smoothly. But I noticed that there are again a couple of unusual files under the Windows dir which I have deleted before (see the No Company Name section of this OTL log).
I am looking forward to hearing from you soon.
Thks & rgds,
Alex0511geek
Per your request I ran an OTL scan and pasted the most recent log:
OTL logfile created on: 5/7/2011 1:01:41 PM - Run 5
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lyudmila\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1,022.00 Mb Total Physical Memory | 333.00 Mb Available Physical Memory | 33.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.74 Gb Total Space | 15.85 Gb Free Space | 40.91% Space Free | Partition Type: NTFS
Drive D: | 11.84 Gb Total Space | 7.37 Gb Free Space | 62.22% Space Free | Partition Type: NTFS
Computer Name: DELL-C53WKB1 | User Name: Lyudmila | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Lyudmila\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe (WDC)
PRC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
PRC - C:\Program Files\ProcessExplorerNt\procexp.exe (Sysinternals)
PRC - C:\Program Files\Winamp\winampa.exe ()
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe (Broadcom Corporation.)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe (High Criteria inc.)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Lyudmila\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\onuhaxiqexejiv.dll ()
========== Win32 Services (SafeList) ==========
SRV - (MSIServeraawservice) -- File not found
SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (WDBtnMgrSvc.exe) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe (WDC)
SRV - (Norton Ghost) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (dsNcService) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
SRV - (WLANKEEPER) Intel® -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
SRV - (GEARSecurity) -- C:\WINDOWS\system32\gearsec.exe (GEAR Software)
SRV - (ccPwdSvc) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (Symantec Corporation)
SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)
========== Driver Services (SafeList) ==========
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110504.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110504.002\NAVENG.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (WpsHelper) -- C:\WINDOWS\system32\drivers\WpsHelper.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SysPlant) -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys (Symantec Corporation)
DRV - (WPS) -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys (Symantec Corporation)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (COH_Mon) -- C:\WINDOWS\system32\drivers\COH_Mon.sys (Symantec Corporation)
DRV - (Teefer2) -- C:\WINDOWS\system32\drivers\Teefer2.sys (Symantec Corporation)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (SymSnap) -- C:\WINDOWS\System32\drivers\SymSnap.sys (StorageCraft)
DRV - (V2IMount) -- C:\WINDOWS\System32\drivers\V2iMount.sys (Symantec Corporation)
DRV - (vaxscsi) -- C:\WINDOWS\System32\Drivers\vaxscsi.sys (Alcohol Soft Co., Ltd.)
DRV - (dsNcAdpt) -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys (Juniper Networks)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (BTSERIAL) -- C:\WINDOWS\system32\drivers\btserial.sys (Broadcom Corporation.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (btwmodem) -- C:\WINDOWS\system32\drivers\btwmodem.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (btwhid) -- C:\WINDOWS\system32\drivers\btwhid.sys (Broadcom Corporation.)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (USBModem) -- C:\WINDOWS\system32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (UsbDiag) -- C:\WINDOWS\system32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\WINDOWS\system32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Inc)
DRV - (ICDUSB2) Sony IC Recorder (P) -- C:\WINDOWS\system32\drivers\IcdUsb2.sys (Sony Corporation)
DRV - (IcRecUsb) -- C:\WINDOWS\system32\drivers\IcRecUsb.sys (lecs Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/08/21 23:51:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9BB041E9-11F5-405E-8EF4-CA84736DC4B2}: C:\Documents and Settings\Lyudmila\Local Settings\Application Data\{9BB041E9-11F5-405E-8EF4-CA84736DC4B2}
FF - HKLM\software\mozilla\Firefox\Extensions\\{9E3B9D88-91C7-4367-804F-F5016052DE1F}: C:\Documents and Settings\Lyudmila\Local Settings\Application Data\{9E3B9D88-91C7-4367-804F-F5016052DE1F}
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/21 03:55:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/22 22:44:37 | 000,000,000 | ---D | M]
[2010/02/21 03:54:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Extensions
[2011/05/03 12:39:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions
[2011/01/27 21:44:23 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2011/01/27 21:44:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/27 21:44:23 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2011/01/27 21:44:22 | 000,000,000 | ---D | M] (ImTranslator) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
[2011/01/27 21:44:21 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/02/07 22:40:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2011/01/27 21:44:25 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/02/07 22:40:05 | 000,000,000 | ---D | M] ("Broadband Speed Test and Diagnostics") -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\[email protected]
[2009/02/07 22:40:05 | 000,000,000 | ---D | M] ("VideoDownloader") -- C:\Documents and Settings\Lyudmila\Application Data\Mozilla\Firefox\Profiles\x79wm9gf.TestUser\extensions\[email protected]
[2011/05/03 12:39:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/04/23 19:09:34 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Program Files\Mozilla Firefox\extensions\{E0544E52-5D78-4056-98E5-49409F722B8A}
[2007/03/11 08:37:06 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Icacatofokey] C:\WINDOWS\onuhaxiqexejiv.dll ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Norton Ghost 10.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe (High Criteria inc.)
O4 - HKLM..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Ebocomigob] C:\WINDOWS\keraufg.dll (Greatis Software, LLC)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKCU..\RunOnce: [FFTI] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\schmap-help {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\Schmapdoclib.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (xxfaze.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lyudmila\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 11:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{63f8cd38-0b6f-11de-ad2e-0016cffbea67}\Shell\AutoRun\command - "" = F:\WDSetup.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/05/05 00:34:29 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Lyudmila\Desktop\TDSSKiller.exe
[2011/05/04 23:11:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lyudmila\Desktop\New Folder Lyuda
[2011/05/04 23:07:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lyudmila\Desktop\Attack logs
[2011/05/04 00:16:48 | 001,930,720 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Lyudmila\Desktop\FixTDSS.exe
[2007/03/13 19:44:42 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Lyudmila\Application Data\pcouffin.sys
========== Files - Modified Within 30 Days ==========
[2011/05/07 01:43:15 | 000,001,616 | ---- | M] () -- C:\Documents and Settings\Lyudmila\Desktop\System Restore.lnk
[2011/05/05 22:54:40 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Khahalog.dat
[2011/05/05 22:54:40 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pwupozotuqol.bin
[2011/05/05 01:05:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/05 01:05:05 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/05 00:14:07 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\Lyudmila\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/04 18:40:14 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Lyudmila\Desktop\MBRCheck.exe
[2011/05/04 01:32:13 | 000,161,136 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/04 01:29:10 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/04 01:22:39 | 000,445,234 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/04 01:22:39 | 000,073,618 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/03 23:59:24 | 001,930,720 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Lyudmila\Desktop\FixTDSS.exe
[2011/05/02 08:01:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/01 14:21:00 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Lyudmila\Desktop\TDSSKiller.exe
[2011/04/28 21:21:41 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/04/27 01:26:10 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Lyudmila\Desktop\dds.scr
[2011/04/27 01:24:46 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Lyudmila\Desktop\Defogger.exe
[2011/04/27 01:17:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lyudmila\Desktop\OTL.exe
========== Files Created - No Company Name ==========
[2011/05/07 01:43:15 | 000,001,616 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Desktop\System Restore.lnk
[2011/05/05 22:54:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Khahalog.dat
[2011/05/05 22:54:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pwupozotuqol.bin
[2011/05/05 01:05:05 | 1072,103,424 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/04 23:18:57 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Desktop\Defogger.exe
[2011/05/04 23:18:19 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Desktop\MBRCheck.exe
[2011/05/03 21:07:05 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Desktop\dds.scr
[2011/02/04 00:16:52 | 000,171,823 | ---- | C] () -- C:\WINDOWS\hpoins49.dat
[2011/02/04 00:16:52 | 000,001,241 | ---- | C] () -- C:\WINDOWS\hpomdl49.dat
[2010/01/26 01:50:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2010/01/25 23:12:08 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2010/01/25 23:12:07 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\trc.dll
[2010/01/25 23:12:07 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2009/04/23 23:54:15 | 000,215,144 | R--- | C] () -- C:\WINDOWS\patchw32.dll
[2009/04/23 23:53:54 | 000,215,144 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2008/11/09 22:19:19 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2008/11/09 22:19:19 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2008/02/11 09:39:26 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll
[2008/02/11 09:39:18 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll
[2008/02/08 13:53:46 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll
[2008/02/05 08:48:04 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerUninstaller.exe
[2008/01/09 04:18:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/12/11 12:43:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/07/27 14:49:02 | 000,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll
[2007/07/27 14:49:02 | 000,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll
[2007/03/13 19:45:11 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo3.dll
[2007/03/13 19:44:42 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Application Data\ezpinst.exe
[2007/03/13 19:44:42 | 000,007,824 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Application Data\pcouffin.cat
[2007/03/13 19:44:42 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Application Data\pcouffin.inf
[2007/02/03 15:33:33 | 000,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/01/09 02:27:47 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
[2006/10/31 21:18:03 | 000,065,536 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/14 00:20:49 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/10/14 00:20:49 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/09/30 09:26:23 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Application Data\$_hpcst$.hpc
[2006/09/26 00:35:42 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2006/08/16 19:38:59 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html
[2006/08/15 23:55:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/15 21:20:50 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/08/09 09:33:37 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Application Data\PFP120JPR.{PB
[2006/08/09 09:33:37 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Application Data\PFP120JCM.{PB
[2006/08/08 23:11:15 | 000,004,205 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/08/08 19:33:17 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Lyudmila\Local Settings\Application Data\fusioncache.dat
[2006/08/02 23:30:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/02 23:19:40 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/08/02 23:17:56 | 000,712,704 | ---- | C] () -- C:\WINDOWS\System32\DellSystemRestore.dll
[2006/08/02 23:14:02 | 000,000,311 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/02 23:10:42 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/08/02 23:04:29 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/08/02 22:38:57 | 000,112,425 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/08/02 22:38:47 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/08/02 22:38:41 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/08/02 22:37:32 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/05/24 16:16:22 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/12/05 19:25:22 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll
[2005/12/05 12:37:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll
[2005/08/03 13:33:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 11:12:05 | 000,000,885 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 11:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 11:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 11:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 10:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 10:57:15 | 000,161,136 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 10:51:27 | 000,388,096 | ---- | C] () -- C:\WINDOWS\onuhaxiqexejiv.dll
[2004/08/10 10:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 10:51:20 | 000,445,234 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 10:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 10:51:20 | 000,073,618 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 10:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 10:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 10:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 10:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 10:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 10:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 10:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 10:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/11/14 11:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
========== LOP Check ==========
[2007/03/13 19:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVDXStudio
[2006/08/02 23:12:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/04/26 21:14:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lyudmila\Application Data\Juniper Networks
[2006/08/11 08:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lyudmila\Application Data\Leadertech
[2008/11/20 21:16:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lyudmila\Application Data\Schmap
[2007/01/09 00:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lyudmila\Application Data\Smith Micro
[2009/08/15 18:27:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lyudmila\Application Data\TeamViewer
[2011/01/17 18:56:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lyudmila\Application Data\Vso
========== Purity Check ==========
========== Files - Unicode (All) ==========
[2009/05/20 01:47:32 | 000,113,152 | ---- | C] ()(C:\Documents and Settings\All Users\Documents\??????? ??????.doc) -- C:\Documents and Settings\All Users\Documents\Соломон Мудрый.doc
[2009/05/20 01:47:21 | 000,113,152 | ---- | M] ()(C:\Documents and Settings\All Users\Documents\??????? ??????.doc) -- C:\Documents and Settings\All Users\Documents\Соломон Мудрый.doc
[2009/01/04 16:01:40 | 000,024,576 | ---- | M] ()(C:\Documents and Settings\Lyudmila\My Documents\????????.doc) -- C:\Documents and Settings\Lyudmila\My Documents\РАСПИСКА.doc
[2009/01/04 16:00:29 | 000,024,576 | ---- | C] ()(C:\Documents and Settings\Lyudmila\My Documents\????????.doc) -- C:\Documents and Settings\Lyudmila\My Documents\РАСПИСКА.doc
[2007/10/08 10:56:30 | 000,032,256 | ---- | C] ()(C:\Documents and Settings\Lyudmila\My Documents\???????? ???????? '???????_ ??????_...'.shs) -- C:\Documents and Settings\Lyudmila\My Documents\Фрагмент Документ 'Людочка_ родная_...'.shs
[2007/10/08 10:56:15 | 000,032,256 | ---- | M] ()(C:\Documents and Settings\Lyudmila\My Documents\???????? ???????? '???????_ ??????_...'.shs) -- C:\Documents and Settings\Lyudmila\My Documents\Фрагмент Документ 'Людочка_ родная_...'.shs
< End of report >