Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can't run malware removal programs


  • This topic is locked This topic is locked

#1
Phil Brown

Phil Brown

    New Member

  • Member
  • Pip
  • 9 posts
I seem to have a virus that has attacked my browser. When I search for topics, and then click on the desired topic, I am often redirected to other sites or searches. I tried using a variety of removal programs, but nothing seems to work. I can't start my computer in safe mode either. Now I can't even run the malware removal/detection programs, and I can't turn my "System's restore" off. I have run the OTL quick scan, but I don't know what to do with the report.
Any help would be welcomed!

Phil
  • 0

Advertisements


#2
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
:)

Please open OTL.txt in notepad Copy the log and paste it in your reply.

Do the same with Extras.txt (It located in same place as you run OTL from)


Please also do this scan.

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Disable your onboard Anti Virus and any other Active protection programs you have installed. If you are unsure how to do this, see this link.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please note:

If (and only if) there are problems using gmer as indicated above, run the scan with ONLY the Sections and C drive boxes ticked.

Posted Image
Click the image to enlarge it

  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the gmer.exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No, then select ONLY the Sections and C drive boxes. Click on Scan and wait for it to finish.
  • Click on the Save button, and save the log file somewhere you can easily find it, such as your desktop, and attach it in reply

  • 0

#3
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here are the scan results you requested..............

Attached File  ark.txt   9.31KB   127 downloads
Attached File  Extras.Txt   39.26KB   178 downloads
Attached File  OTL.Txt   83.86KB   89 downloads

OTL logfile created on: 5/16/2011 4:27:00 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Phill Brown\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 226.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 103.31 Gb Free Space | 69.32% Space Free | Partition Type: NTFS

Computer Name: PHIL | User Name: Phill Brown | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/16 16:09:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phill Brown\Desktop\OTL.exe
PRC - [2011/04/16 21:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe
PRC - [2011/01/07 02:22:54 | 002,747,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/01/07 02:22:44 | 001,084,256 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/01/06 16:23:20 | 000,737,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/01/06 16:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/12/05 17:26:40 | 000,654,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/12/05 17:26:12 | 000,650,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/10/22 05:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/10/22 05:56:58 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/07/03 09:17:04 | 000,065,536 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PRC - [2001/07/03 09:11:52 | 000,057,344 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe


========== Modules (SafeList) ==========

MOD - [2011/05/16 16:09:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phill Brown\Desktop\OTL.exe
MOD - [2011/04/28 21:29:01 | 000,413,112 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\asoehook.dll
MOD - [2011/01/11 10:59:44 | 000,653,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcr90.dll
MOD - [2011/01/11 10:59:44 | 000,569,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcp90.dll
MOD - [2010/08/23 13:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/05/13 14:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Lavasoft Ad-Aware Service)
SRV - [2011/04/16 21:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe -- (NIS)
SRV - [2011/03/18 08:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/01/06 16:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/22 05:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)


========== Driver Services (SafeList) ==========

DRV - [2011/05/11 16:39:23 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/05/11 16:38:44 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110515.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/05/11 16:38:44 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/05/11 16:38:44 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110515.002\NAVENG.SYS -- (NAVENG)
DRV - [2011/05/11 16:38:43 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/04/30 01:44:12 | 000,802,936 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/04/25 21:00:20 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2011/03/31 00:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/31 00:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 21:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 23:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/03/14 15:58:34 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110513.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/01/27 03:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS -- (SymDS)
DRV - [2011/01/27 02:07:05 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/12/08 05:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 14:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/13 16:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 21:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 21:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 21:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/05/10 15:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 15:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/11/25 13:37:50 | 004,952,576 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/08/07 16:14:00 | 000,111,360 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2004/08/13 23:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/12/08 20:55:58 | 000,025,072 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\incdrm.sys -- (incdrm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B6 30 37 80 93 11 CC 01 [binary data]
IE - HKCU\..\URLSearchHook: {0fc85f5d-6207-4515-a490-45a549d285c0} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/03/30 08:54:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn\ [2011/05/11 16:45:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn\ [2011/05/11 16:39:00 | 000,000,000 | ---D | M]

[2009/09/22 12:35:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Phill Brown\Application Data\Mozilla\Extensions
[2009/09/22 12:35:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Phill Brown\Application Data\Mozilla\Extensions\[email protected]

O1 HOSTS File: ([2011/05/04 16:29:41 | 000,323,963 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11091 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {0fc85f5d-6207-4515-a490-45a549d285c0} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {0fc85f5d-6207-4515-a490-45a549d285c0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0FC85F5D-6207-4515-A490-45A549D285C0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://zone.msn.com/...tz.cab99160.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...k.cab102118.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secures...et/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll - File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/25 02:48:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/05/16 16:09:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phill Brown\Desktop\OTL.exe
[2011/05/16 15:51:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\Start Menu\Programs\HiJackThis
[2011/05/16 15:28:44 | 000,000,000 | ---D | C] -- C:\c9317dce10ddb21d73a1
[2011/05/16 15:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2011/05/16 15:26:02 | 000,000,000 | ---D | C] -- C:\rsit
[2011/05/16 15:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/05/16 15:03:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/05/16 14:59:10 | 000,000,000 | ---D | C] -- C:\c7b9e9b63c988801516d289925e4572a
[2011/05/16 12:03:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Phill Brown\Recent
[2011/05/13 13:59:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/05/13 11:24:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/05/12 13:20:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\Application Data\Tific
[2011/05/11 16:39:20 | 000,369,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symtdi.sys
[2011/05/11 16:39:20 | 000,331,384 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symtdiv.sys
[2011/05/11 16:39:19 | 000,744,568 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symefa.sys
[2011/05/11 16:39:19 | 000,516,216 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\srtsp.sys
[2011/05/11 16:39:19 | 000,340,088 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symds.sys
[2011/05/11 16:39:19 | 000,296,568 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symnets.sys
[2011/05/11 16:39:19 | 000,050,168 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\srtspx.sys
[2011/05/11 16:39:18 | 000,136,312 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\ironx86.sys
[2011/05/11 16:39:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS\1206000.01D
[2011/05/11 16:19:59 | 000,126,584 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/05/11 16:19:59 | 000,060,872 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/05/11 16:19:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/05/11 16:19:59 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/05/11 16:18:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS
[2011/05/11 16:18:00 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2011/05/11 16:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Internet Security
[2011/05/11 16:12:40 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/05/11 13:02:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/05/09 15:40:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Share-to-Web Upload Folder
[2011/05/09 15:25:45 | 000,064,512 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2011/05/09 15:25:42 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/05/09 15:15:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\Local Settings\Application Data\Sunbelt Software
[2011/05/09 15:13:59 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/05/09 15:13:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2011/05/05 11:37:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\Application Data\Malwarebytes
[2011/05/05 11:37:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/05 11:37:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/04 16:25:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/05/04 09:17:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\My Documents\Symantec
[2011/05/04 09:16:15 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2011/05/04 09:16:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2011/05/04 09:14:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/04/28 14:31:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\My Documents\NATURALIZER
[2011/04/27 07:36:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\My Documents\Davids Tea Mic Mac
[2011/04/25 10:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phill Brown\My Documents\7 Roseway
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/16 16:09:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phill Brown\Desktop\OTL.exe
[2011/05/16 15:51:47 | 000,001,996 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\HiJackThis.lnk
[2011/05/16 15:15:25 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\SDMsgUpdate (SD).job
[2011/05/16 15:15:21 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/16 15:14:26 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/16 15:14:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/16 15:03:49 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/16 14:22:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/16 09:22:03 | 000,030,432 | ---- | M] () -- C:\{FDBE2579-8D60-41BC-8BB4-6D024F85CE16}
[2011/05/16 09:20:31 | 000,030,408 | ---- | M] () -- C:\{A8DB1ABB-0ADC-40D2-9773-D81EC4689C2C}
[2011/05/16 09:18:18 | 000,030,408 | ---- | M] () -- C:\{8D2255B3-93D4-4CE5-960C-1896C3F86B2B}
[2011/05/16 08:57:31 | 000,030,408 | ---- | M] () -- C:\{04F0B648-25C4-475A-9398-D0CEF3BB9003}
[2011/05/16 08:53:19 | 000,030,408 | ---- | M] () -- C:\{E72EFC10-2438-4C22-BDDB-F2991F51EDEC}
[2011/05/16 08:50:14 | 000,030,408 | ---- | M] () -- C:\{B60E1A6C-A243-4A0E-B2FD-1AAA8A4DC1DD}
[2011/05/16 08:46:56 | 000,030,408 | ---- | M] () -- C:\{EAD321DE-E730-4130-8B85-C8AFB819F7E7}
[2011/05/16 08:31:27 | 000,030,408 | ---- | M] () -- C:\{DE20E91F-FF5F-4590-9F41-C59534EC7A25}
[2011/05/16 07:32:27 | 115,162,303 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/05/16 07:31:35 | 000,221,934 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2011/05/13 16:56:36 | 000,000,340 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\scotia.url
[2011/05/13 16:35:31 | 001,871,879 | ---- | M] () -- C:\Documents and Settings\Phill Brown\My Documents\Registration Forrm 2011.pdf
[2011/05/13 14:27:37 | 000,030,408 | ---- | M] () -- C:\{DE3E897B-1DA0-4C3F-97F2-539A1B5AA6A5}
[2011/05/13 14:11:03 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\Spybot - Search & Destroy.lnk
[2011/05/13 14:01:47 | 000,002,122 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/05/13 13:38:39 | 000,746,845 | ---- | M] () -- C:\Documents and Settings\Phill Brown\My Documents\2011 Golf Poster PAINTING with sponsors.pdf
[2011/05/13 11:59:47 | 000,030,408 | ---- | M] () -- C:\{E2F9C898-D840-41E7-B1FC-78A9FDFC8634}
[2011/05/13 11:24:55 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/05/13 10:14:51 | 000,030,408 | ---- | M] () -- C:\{021D6B30-DE0A-4D77-BF1B-FBEF5836485D}
[2011/05/13 08:44:52 | 000,030,408 | ---- | M] () -- C:\{CD22460B-AF0E-419C-A749-BCB17B7D6960}
[2011/05/12 12:59:53 | 000,000,403 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\RBC Financial Group - Online Banking.url
[2011/05/12 12:58:49 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\Yahoo! Mail - [email protected]
[2011/05/12 10:14:02 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/05/12 09:50:29 | 000,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/12 09:50:29 | 000,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/12 09:43:07 | 002,141,580 | ---- | M] () -- C:\Documents and Settings\Phill Brown\My Documents\100_1432.jpg
[2011/05/12 09:34:12 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/12 09:10:46 | 024,736,034 | ---- | M] () -- C:\Program Files\Lavasoft.zip
[2011/05/11 16:44:05 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2011/05/11 16:42:41 | 000,666,110 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\Cat.DB
[2011/05/11 16:39:23 | 000,126,584 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/05/11 16:39:23 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/05/11 16:39:23 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/05/11 16:39:23 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/05/11 13:33:38 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/05/11 12:37:48 | 000,000,211 | -H-- | M] () -- C:\boot.ini
[2011/05/10 14:40:29 | 000,075,776 | ---- | M] () -- C:\Documents and Settings\Phill Brown\My Documents\fax cover.dot
[2011/05/10 14:39:53 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\email cover.dot
[2011/05/10 14:09:54 | 000,000,170 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\MAPS.url
[2011/05/10 07:49:35 | 000,000,172 | ---- | M] () -- C:\Documents and Settings\Phill Brown\Desktop\New Internet Shortcut (2).url
[2011/05/10 07:26:11 | 000,741,376 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2011/05/10 07:26:11 | 000,450,560 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2011/05/09 15:26:04 | 000,000,412 | ---- | M] () -- C:\Documents and Settings\Phill Brown\My Documents\spider.sav
[2011/05/09 15:26:00 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/09 15:26:00 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/05/09 15:25:41 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/05/04 16:32:43 | 000,000,240 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/05/04 14:49:05 | 000,000,448 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration Task.job
[2011/04/29 00:29:05 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\isolate.ini
[2011/04/26 13:35:51 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/04/25 21:00:20 | 000,064,512 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2011/04/25 21:00:19 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/16 15:51:47 | 000,001,996 | ---- | C] () -- C:\Documents and Settings\Phill Brown\Desktop\HiJackThis.lnk
[2011/05/16 15:03:49 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/16 09:22:02 | 000,030,432 | ---- | C] () -- C:\{FDBE2579-8D60-41BC-8BB4-6D024F85CE16}
[2011/05/16 09:20:31 | 000,030,408 | ---- | C] () -- C:\{A8DB1ABB-0ADC-40D2-9773-D81EC4689C2C}
[2011/05/16 09:18:17 | 000,030,408 | ---- | C] () -- C:\{8D2255B3-93D4-4CE5-960C-1896C3F86B2B}
[2011/05/16 08:57:31 | 000,030,408 | ---- | C] () -- C:\{04F0B648-25C4-475A-9398-D0CEF3BB9003}
[2011/05/16 08:53:19 | 000,030,408 | ---- | C] () -- C:\{E72EFC10-2438-4C22-BDDB-F2991F51EDEC}
[2011/05/16 08:50:13 | 000,030,408 | ---- | C] () -- C:\{B60E1A6C-A243-4A0E-B2FD-1AAA8A4DC1DD}
[2011/05/16 08:46:56 | 000,030,408 | ---- | C] () -- C:\{EAD321DE-E730-4130-8B85-C8AFB819F7E7}
[2011/05/16 08:31:27 | 000,030,408 | ---- | C] () -- C:\{DE20E91F-FF5F-4590-9F41-C59534EC7A25}
[2011/05/13 16:35:31 | 001,871,879 | ---- | C] () -- C:\Documents and Settings\Phill Brown\My Documents\Registration Forrm 2011.pdf
[2011/05/13 14:27:37 | 000,030,408 | ---- | C] () -- C:\{DE3E897B-1DA0-4C3F-97F2-539A1B5AA6A5}
[2011/05/13 14:01:47 | 000,002,122 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/05/13 13:38:39 | 000,746,845 | ---- | C] () -- C:\Documents and Settings\Phill Brown\My Documents\2011 Golf Poster PAINTING with sponsors.pdf
[2011/05/13 11:59:47 | 000,030,408 | ---- | C] () -- C:\{E2F9C898-D840-41E7-B1FC-78A9FDFC8634}
[2011/05/13 11:24:54 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Phill Brown\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/05/13 11:24:54 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Phill Brown\Desktop\Spybot - Search & Destroy.lnk
[2011/05/13 10:14:51 | 000,030,408 | ---- | C] () -- C:\{021D6B30-DE0A-4D77-BF1B-FBEF5836485D}
[2011/05/13 08:44:51 | 000,030,408 | ---- | C] () -- C:\{CD22460B-AF0E-419C-A749-BCB17B7D6960}
[2011/05/12 09:51:36 | 002,141,580 | ---- | C] () -- C:\Documents and Settings\Phill Brown\My Documents\100_1432.jpg
[2011/05/12 09:10:35 | 024,736,034 | ---- | C] () -- C:\Program Files\Lavasoft.zip
[2011/05/11 16:42:22 | 000,666,110 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\Cat.DB
[2011/05/11 16:39:20 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symnetv.inf
[2011/05/11 16:39:19 | 000,007,877 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symnetv.cat
[2011/05/11 16:39:19 | 000,007,458 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symnet.cat
[2011/05/11 16:39:19 | 000,007,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symefa.cat
[2011/05/11 16:39:19 | 000,007,454 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\srtspx.cat
[2011/05/11 16:39:19 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symefa.inf
[2011/05/11 16:39:19 | 000,002,792 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symds.inf
[2011/05/11 16:39:19 | 000,001,446 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symnet.inf
[2011/05/11 16:39:19 | 000,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\srtspx.inf
[2011/05/11 16:39:19 | 000,001,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\srtsp.inf
[2011/05/11 16:39:18 | 000,007,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\iron.cat
[2011/05/11 16:39:18 | 000,007,450 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\srtsp.cat
[2011/05/11 16:39:18 | 000,000,742 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\iron.inf
[2011/05/11 16:39:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\symds.cat
[2011/05/11 16:39:00 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1206000.01D\isolate.ini
[2011/05/11 16:19:59 | 000,007,468 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/05/11 16:19:59 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/05/11 16:19:48 | 000,001,973 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2011/05/11 11:09:09 | 000,000,930 | ---- | C] () -- C:\Documents and Settings\Phill Brown\Start Menu\Programs\Startup\WkCalRem.LNK
[2011/05/11 10:32:30 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Phill Brown\My Documents\Spybot - Search & Destroy.lnk
[2011/05/09 17:29:53 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/05/09 15:26:00 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/09 15:26:00 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/05/09 15:25:58 | 000,000,486 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/04 16:32:43 | 000,000,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/03/01 11:43:50 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\xxconsole.ini
[2010/08/26 17:00:01 | 000,965,624 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/05 15:08:57 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/10/08 11:36:56 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/22 16:08:42 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Phill Brown\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/26 23:20:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/26 08:11:22 | 000,230,377 | ---- | C] () -- C:\WINDOWS\System32\XXCOPY16.EXE
[2009/08/25 03:00:13 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4935.dll
[2009/08/25 02:55:32 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/08/25 02:55:23 | 000,024,467 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/08/25 02:55:23 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/08/25 02:50:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/08/25 02:46:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/08/24 23:37:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/24 23:36:25 | 000,220,840 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 09:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 09:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 09:00:00 | 000,435,590 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 09:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 09:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 09:00:00 | 000,068,360 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 09:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 09:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 09:00:00 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 09:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 09:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 09:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/07 18:59:54 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HPNVRRes.dll
[2001/01/24 01:31:18 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\prntfix.exe
[2000/04/14 16:50:02 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[1998/06/11 14:08:06 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll

========== LOP Check ==========

[2011/05/13 11:45:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/03/11 15:11:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/19 16:01:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/10/19 16:09:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/08/27 21:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2011/05/09 09:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/01/05 15:06:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/05/04 16:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2011/05/04 16:49:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/03/01 11:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/10/19 16:13:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\AVG10
[2010/01/11 10:05:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\Blackberry Desktop
[2009/08/28 05:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\GetRightToGo
[2011/03/01 11:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\MSNInstaller
[2010/09/08 12:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\PriceGong
[2010/08/26 09:07:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\Research In Motion
[2010/03/24 15:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\Skinux
[2011/05/09 13:39:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\SmartDraw
[2009/08/28 00:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\Template
[2011/05/12 13:20:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\Tific
[2009/08/27 21:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phill Brown\Application Data\Uniblue
[2011/05/12 09:34:12 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/05/04 14:49:05 | 000,000,448 | ---- | M] () -- C:\WINDOWS\Tasks\EasyShare Registration Task.job
[2011/05/16 15:15:25 | 000,000,492 | ---- | M] () -- C:\WINDOWS\Tasks\SDMsgUpdate (SD).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >





4OTL Extras logfile created on: 5/16/2011 4:27:00 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Phill Brown\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 226.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 103.31 Gb Free Space | 69.32% Space Free | Partition Type: NTFS

Computer Name: PHIL | User Name: Phill Brown | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"4481:TCP" = 4481:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync data transfer
"4481:UDP" = 4481:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync discovery
"4482:TCP" = 4482:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync data transfer
"4482:UDP" = 4482:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync discovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe" = C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe:*:Enabled:MSN -- (Microsoft Corporation)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe" = C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe:*:Enabled:BlackBerry Desktop Software -- (Research In Motion)
"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 23
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}" = HP Precisionscan Pro 3.1
"{748F4870-8350-11D3-B0BF-080009FB4A19}" = HP Share-to-Web
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84A78614-0E4B-4A4E-BA8C-2B0A05A08E4E}" = BlackBerry Desktop Software 6.0.1
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B3AEF776-7FFF-4C50-A402-9119E3849EE0}" = AVG 2011
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}" = Free DWG Viewer 6.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D4E53304-1F6C-4111-9872-1BCD2CF5B642}" = AVG 2011
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG" = AVG 2011
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"AVS4YOU Video Converter 7_is1" = AVS Video Converter 7
"BlackBerry_Desktop" = BlackBerry Desktop Software 6.0.1
"CCleaner" = CCleaner
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MRW!UninstallKey" = InCD EasyWrite Reader
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NIS" = Norton Internet Security
"NMPUninstallKey" = Nero Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XXConsole" = XXConsole: Super Console Generator ver 0.96
"Yahoo! Companion" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/13/2011 1:56:50 PM | Computer Name = PHIL | Source = ESENT | ID = 623
Description = wuaueng.dll (2676) SUS20ClientDataStore: The version store for this
instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
transaction is preventing cleanup of the version store and causing it to build
up in size. Updates will be rejected until the long-running transaction has been
completely committed or rolled back. Possible long-running transaction: SessionId:
0x02690320 Session-context: 0x00000000 Session-context ThreadId: 0x00000A90

Error - 5/13/2011 1:57:40 PM | Computer Name = PHIL | Source = ESENT | ID = 623
Description = wuaueng.dll (2676) SUS20ClientDataStore: The version store for this
instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
transaction is preventing cleanup of the version store and causing it to build
up in size. Updates will be rejected until the long-running transaction has been
completely committed or rolled back. Possible long-running transaction: SessionId:
0x02690320 Session-context: 0x00000000 Session-context ThreadId: 0x00000A90

Error - 5/13/2011 2:29:54 PM | Computer Name = PHIL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x001a2733.

Error - 5/16/2011 6:29:37 AM | Computer Name = PHIL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x001a2733.

Error - 5/16/2011 6:31:31 AM | Computer Name = PHIL | Source = ESENT | ID = 623
Description = wuaueng.dll (3548) SUS20ClientDataStore: The version store for this
instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
transaction is preventing cleanup of the version store and causing it to build
up in size. Updates will be rejected until the long-running transaction has been
completely committed or rolled back. Possible long-running transaction: SessionId:
0x02690320 Session-context: 0x00000000 Session-context ThreadId: 0x00000DE8

Error - 5/16/2011 6:31:56 AM | Computer Name = PHIL | Source = ESENT | ID = 623
Description = wuaueng.dll (3548) SUS20ClientDataStore: The version store for this
instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
transaction is preventing cleanup of the version store and causing it to build
up in size. Updates will be rejected until the long-running transaction has been
completely committed or rolled back. Possible long-running transaction: SessionId:
0x02690320 Session-context: 0x00000000 Session-context ThreadId: 0x00000DE8

Error - 5/16/2011 10:46:55 AM | Computer Name = PHIL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x001a2733.

Error - 5/16/2011 1:21:20 PM | Computer Name = PHIL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x001a2733.

Error - 5/16/2011 1:42:27 PM | Computer Name = PHIL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x001a2733.

Error - 5/16/2011 1:54:14 PM | Computer Name = PHIL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x001a2733.

[ System Events ]
Error - 5/16/2011 1:52:12 PM | Computer Name = PHIL | Source = Service Control Manager | ID = 7000
Description = The Lavasoft Ad-Aware Service service failed to start due to the following
error: %%2

Error - 5/16/2011 2:09:07 PM | Computer Name = PHIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/16/2011 2:09:12 PM | Computer Name = PHIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/16/2011 2:10:09 PM | Computer Name = PHIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/16/2011 2:13:40 PM | Computer Name = PHIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/16/2011 2:15:09 PM | Computer Name = PHIL | Source = Service Control Manager | ID = 7000
Description = The Lavasoft Ad-Aware Service service failed to start due to the following
error: %%2

Error - 5/16/2011 2:16:29 PM | Computer Name = PHIL | Source = DCOM | ID = 10010
Description = The server {BA126AD1-2166-11D1-B1D0-00805FC1270E} did not register
with DCOM within the required timeout.

Error - 5/16/2011 2:20:27 PM | Computer Name = PHIL | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 5/16/2011 2:30:40 PM | Computer Name = PHIL | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 5/16/2011 2:52:50 PM | Computer Name = PHIL | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056


< End of report >



GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-17 08:09:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD1600AAJS-00L7A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\PHILLB~1\LOCALS~1\Temp\pxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT 860B50E8 ZwAlertResumeThread
SSDT 861E5938 ZwAlertThread
SSDT 86177C48 ZwAllocateVirtualMemory
SSDT 8611CC00 ZwAssignProcessToJobObject
SSDT 858AB3E0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7646710]
SSDT 8637EA88 ZwCreateMutant
SSDT 860EEEF0 ZwCreateSymbolicLinkObject
SSDT 861FC8F0 ZwCreateThread
SSDT 860C3B80 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA7646990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA7646EF0]
SSDT 86107978 ZwDuplicateObject
SSDT 86125050 ZwFreeVirtualMemory
SSDT 86080BE8 ZwImpersonateAnonymousToken
SSDT 860C2B20 ZwImpersonateThread
SSDT 8589D538 ZwLoadDriver
SSDT 861DA530 ZwMapViewOfSection
SSDT 860A9CF0 ZwOpenEvent
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwOpenProcess [0xA0B8E6C0]
SSDT 860FCBC8 ZwOpenProcessToken
SSDT 860C51F8 ZwOpenSection
SSDT 860FA688 ZwOpenThread
SSDT 8507C248 ZwProtectVirtualMemory
SSDT 863170E0 ZwResumeThread
SSDT 860ED530 ZwSetContextThread
SSDT 86171218 ZwSetInformationProcess
SSDT 860EC0A8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7647140]
SSDT 860A97E0 ZwSuspendProcess
SSDT 86143AF0 ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateProcess [0xA0B8E770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateThread [0xA0B8E810]
SSDT 860C9EF8 ZwUnmapViewOfSection
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwWriteVirtualMemory [0xA0B8E8B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C14 805044B0 8 Bytes CALL B8D65005
.text ntkrnlpa.exe!ZwCallbackReturn + 2C90 8050452C 4 Bytes JMP 90E28637
.text ntkrnlpa.exe!ZwCallbackReturn + 3038 805048D4 4 Bytes CALL CB58E991
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? avgrkx86.sys The system cannot find the file specified. !
? AVGIDSEH.Sys The system cannot find the file specified. !
? system32\DRIVERS\avgtdix.sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSShim.Sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSFilter.Sys The system cannot find the path specified. !
? system32\DRIVERS\AVGIDSDriver.Sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-6 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T1L0-e 8652733B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8652733B

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [892] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1944] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1944] 0x009A0000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 [email protected] code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
  • 0

#4
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
As suspected you're computer caught a Rootkit.



Something I should point out, regarding CCleaner, Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use of registry cleaners. These often cause more problems than they fix. One of the Experts here at Geekstogo, miekiemoes has an excellent writeup here
Another excellent article by Bill Castner is located here.




You have both AVG 2011 and Norton Interenet Security installed

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, are scanners that run in the background all the time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online Scans and scanners that run on your machine but are not actively scanning your machine.



Step 1.
Uninstall AVG products:

You need to uninstall AVG products as they will intefrere with the tool we need to use in the next step.


Please go to Start > Control Panel > Add/Remove Programs and remove the following:

AVG 2011

Sometimes AVG products doesn't uninstall properly therefore use AVG Remover to completely uninstall them.
Should for some reason AVG Remover fail use AppRemover



Step 2.
ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Step 3.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1 pasted in

  • 0

#5
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I can't seem to run Combofix?? It keeps telling me I can't rename the file even though I am not trying to rename it? Also Combofix is telling me that AVG is runing, but I removed it with Appremove?
Please help,
Thanks,
Phil
  • 0

#6
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's do it like this then

Also Combofix is telling me that AVG is runing, but I removed it with Appremove?

Did you use AVG remover first? If not do so. Reboot your computer after it's removed.


Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

Delete your current copy of ComboFix.exe from your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .



Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1 pasted in.
  • The content of C:\ComboFix.txt from step 2 pasted in.

  • 0

#7
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
That all seemed to work OK.



2011/05/17 15:24:52.0984 2532 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/17 15:24:53.0984 2532 ================================================================================
2011/05/17 15:24:53.0984 2532 SystemInfo:
2011/05/17 15:24:53.0984 2532
2011/05/17 15:24:53.0984 2532 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/17 15:24:53.0984 2532 Product type: Workstation
2011/05/17 15:24:53.0984 2532 ComputerName: PHIL
2011/05/17 15:24:53.0984 2532 UserName: Phill Brown
2011/05/17 15:24:53.0984 2532 Windows directory: C:\WINDOWS
2011/05/17 15:24:53.0984 2532 System windows directory: C:\WINDOWS
2011/05/17 15:24:53.0984 2532 Processor architecture: Intel x86
2011/05/17 15:24:53.0984 2532 Number of processors: 2
2011/05/17 15:24:53.0984 2532 Page size: 0x1000
2011/05/17 15:24:53.0984 2532 Boot type: Normal boot
2011/05/17 15:24:53.0984 2532 ================================================================================
2011/05/17 15:24:54.0687 2532 Initialize success
2011/05/17 15:24:57.0015 4060 ================================================================================
2011/05/17 15:24:57.0015 4060 Scan started
2011/05/17 15:24:57.0015 4060 Mode: Manual;
2011/05/17 15:24:57.0015 4060 ================================================================================
2011/05/17 15:24:58.0359 4060 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/17 15:24:58.0406 4060 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/17 15:24:58.0453 4060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/17 15:24:58.0515 4060 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/17 15:24:58.0671 4060 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/17 15:24:58.0718 4060 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/17 15:24:58.0781 4060 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/17 15:24:58.0828 4060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/17 15:24:58.0890 4060 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/17 15:24:59.0015 4060 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys
2011/05/17 15:24:59.0062 4060 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/17 15:24:59.0109 4060 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/17 15:24:59.0171 4060 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/17 15:24:59.0234 4060 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/17 15:24:59.0359 4060 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/17 15:24:59.0421 4060 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/17 15:24:59.0468 4060 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/17 15:24:59.0562 4060 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/17 15:24:59.0734 4060 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/17 15:24:59.0906 4060 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/17 15:25:00.0015 4060 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/05/17 15:25:00.0046 4060 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/05/17 15:25:00.0078 4060 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/17 15:25:00.0125 4060 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/17 15:25:00.0140 4060 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/17 15:25:00.0140 4060 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/17 15:25:00.0203 4060 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/17 15:25:00.0250 4060 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/17 15:25:00.0296 4060 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/17 15:25:00.0359 4060 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/17 15:25:00.0421 4060 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/17 15:25:00.0437 4060 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/17 15:25:00.0515 4060 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/17 15:25:00.0593 4060 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/17 15:25:00.0781 4060 ialm (cd32607f1cc8ac67224334ae123f7b98) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/17 15:25:01.0109 4060 IDSxpx86 (50fa4c70534cf3b5c17ec83debe07afd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110514.001\IDSxpx86.sys
2011/05/17 15:25:01.0156 4060 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/17 15:25:01.0187 4060 incdrm (242b1edc880d892a0a6c5940d38654fc) C:\WINDOWS\system32\drivers\incdrm.sys
2011/05/17 15:25:01.0406 4060 IntcAzAudAddService (fb4293b1eab313c28d4a1b8db61aca72) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/17 15:25:01.0625 4060 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/17 15:25:01.0671 4060 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/17 15:25:01.0703 4060 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/17 15:25:01.0718 4060 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/17 15:25:01.0750 4060 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/17 15:25:01.0765 4060 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/17 15:25:01.0812 4060 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/17 15:25:01.0859 4060 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/17 15:25:01.0875 4060 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/17 15:25:01.0890 4060 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/17 15:25:01.0953 4060 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/17 15:25:02.0015 4060 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/17 15:25:02.0171 4060 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/05/17 15:25:02.0203 4060 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/17 15:25:02.0250 4060 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/17 15:25:02.0296 4060 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/17 15:25:02.0359 4060 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/17 15:25:02.0421 4060 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/17 15:25:02.0437 4060 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/17 15:25:02.0500 4060 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/17 15:25:02.0562 4060 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/17 15:25:02.0593 4060 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/17 15:25:02.0609 4060 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/17 15:25:02.0640 4060 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/17 15:25:02.0687 4060 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/17 15:25:02.0734 4060 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/05/17 15:25:02.0750 4060 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/17 15:25:02.0953 4060 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110517.003\NAVENG.SYS
2011/05/17 15:25:03.0000 4060 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110517.003\NAVEX15.SYS
2011/05/17 15:25:03.0140 4060 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/17 15:25:03.0171 4060 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/17 15:25:03.0218 4060 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/17 15:25:03.0234 4060 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/17 15:25:03.0296 4060 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/17 15:25:03.0359 4060 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/17 15:25:03.0421 4060 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/17 15:25:03.0437 4060 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/17 15:25:03.0515 4060 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/17 15:25:03.0578 4060 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/05/17 15:25:03.0609 4060 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/17 15:25:03.0671 4060 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/17 15:25:03.0671 4060 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/17 15:25:03.0718 4060 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/05/17 15:25:03.0734 4060 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/17 15:25:03.0765 4060 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/17 15:25:03.0812 4060 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/17 15:25:03.0890 4060 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/17 15:25:03.0921 4060 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/17 15:25:04.0062 4060 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/05/17 15:25:04.0078 4060 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/17 15:25:04.0093 4060 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/17 15:25:04.0093 4060 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/17 15:25:04.0171 4060 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/17 15:25:04.0187 4060 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/17 15:25:04.0187 4060 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/17 15:25:04.0203 4060 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/17 15:25:04.0218 4060 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/17 15:25:04.0234 4060 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/17 15:25:04.0250 4060 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/17 15:25:04.0296 4060 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/17 15:25:04.0343 4060 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/17 15:25:04.0406 4060 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/05/17 15:25:04.0437 4060 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/05/17 15:25:04.0500 4060 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/05/17 15:25:04.0578 4060 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/05/17 15:25:04.0625 4060 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/17 15:25:04.0656 4060 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/17 15:25:04.0671 4060 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/17 15:25:04.0718 4060 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/17 15:25:04.0750 4060 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/17 15:25:04.0765 4060 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/17 15:25:04.0843 4060 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS
2011/05/17 15:25:04.0890 4060 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
2011/05/17 15:25:04.0906 4060 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/17 15:25:04.0953 4060 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/17 15:25:04.0968 4060 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/17 15:25:05.0031 4060 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS
2011/05/17 15:25:05.0062 4060 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS
2011/05/17 15:25:05.0109 4060 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/05/17 15:25:05.0140 4060 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS
2011/05/17 15:25:05.0171 4060 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS
2011/05/17 15:25:05.0234 4060 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/17 15:25:05.0343 4060 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/17 15:25:05.0390 4060 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/17 15:25:05.0421 4060 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/17 15:25:05.0453 4060 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/17 15:25:05.0500 4060 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/17 15:25:05.0546 4060 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/17 15:25:05.0578 4060 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/17 15:25:05.0609 4060 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/17 15:25:05.0625 4060 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/17 15:25:05.0640 4060 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/17 15:25:05.0687 4060 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/17 15:25:05.0750 4060 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/17 15:25:05.0796 4060 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/17 15:25:05.0828 4060 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/17 15:25:05.0890 4060 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/17 15:25:05.0953 4060 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/17 15:25:05.0984 4060 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/17 15:25:06.0031 4060 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/17 15:25:06.0078 4060 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/17 15:25:06.0140 4060 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/17 15:25:06.0171 4060 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/17 15:25:06.0203 4060 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/17 15:25:06.0203 4060 ================================================================================
2011/05/17 15:25:06.0203 4060 Scan finished
2011/05/17 15:25:06.0203 4060 ================================================================================
2011/05/17 15:25:06.0203 1700 Detected object count: 1
2011/05/17 15:27:14.0343 1700 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/17 15:27:14.0343 1700 \HardDisk0 - ok
2011/05/17 15:27:14.0343 1700 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/17 15:27:43.0453 2684 Deinitialize success



ComboFix 11-05-16.04 - Phill Brown 05/17/2011 16:15:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.485 [GMT -3:00]
Running from: c:\documents and settings\Phill Brown\Desktop\philbrow.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Phill Brown\Application Data\PriceGong
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Phill Brown\Application Data\PriceGong\Data\z.xml
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))
.
.
2011-05-16 18:28 . 2011-05-16 18:28 -------- d-----w- C:\c9317dce10ddb21d73a1
2011-05-16 18:26 . 2011-05-16 18:51 -------- d-----w- c:\program files\trend micro
2011-05-16 18:26 . 2011-05-16 18:31 -------- d-----w- C:\rsit
2011-05-16 17:59 . 2011-05-16 17:59 -------- d-----w- C:\c7b9e9b63c988801516d289925e4572a
2011-05-13 16:59 . 2011-05-13 16:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-12 16:20 . 2011-05-12 16:20 -------- d-----w- c:\documents and settings\Phill Brown\Application Data\Tific
2011-05-11 19:19 . 2011-05-11 19:39 -------- d-----w- c:\program files\Symantec
2011-05-11 19:19 . 2011-05-11 19:39 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-11 19:19 . 2011-05-11 19:39 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-11 19:19 . 2011-05-11 19:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-05-11 19:18 . 2011-05-11 19:44 -------- d-----w- c:\windows\system32\drivers\NIS
2011-05-11 19:18 . 2011-05-11 19:18 -------- d-----w- c:\program files\Norton Internet Security
2011-05-11 19:12 . 2011-05-11 19:42 -------- d-----w- c:\program files\NortonInstaller
2011-05-11 16:02 . 2011-05-11 17:17 -------- d-----w- c:\windows\system32\NtmsData
2011-05-11 09:47 . 2011-05-11 09:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-05-09 20:29 . 2011-04-26 00:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-09 18:40 . 2011-05-09 18:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2011-05-09 18:25 . 2011-04-26 00:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-09 18:25 . 2011-05-09 18:25 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-09 18:15 . 2011-05-09 18:15 -------- d-----w- c:\documents and settings\Phill Brown\Local Settings\Application Data\Sunbelt Software
2011-05-09 18:13 . 2011-05-09 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-09 18:13 . 2011-05-09 18:13 -------- d-----w- c:\program files\Lavasoft
2011-05-05 14:37 . 2011-05-05 14:37 -------- d-----w- c:\documents and settings\Phill Brown\Application Data\Malwarebytes
2011-05-05 14:37 . 2011-05-05 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 14:37 . 2011-05-11 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-04 19:25 . 2011-05-04 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-05-04 12:16 . 2011-05-04 12:16 -------- d-----w- c:\program files\Windows Sidebar
2011-05-04 12:16 . 2011-05-11 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-12 12:00 . 2004-08-04 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-03-07 05:33 . 2009-08-25 05:46 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-08-25 09:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-22 137752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-22 166424]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Phill Brown\Start Menu\Programs\Startup\
WkCalRem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-6-20 24651]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/9/2011 3:25 PM 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/11/2011 4:39 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/11/2011 4:39 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [4/30/2011 1:44 AM 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/11/2011 4:39 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/11/2011 4:39 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2011 4:38 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110514.001\IDSXpx86.sys [5/17/2011 7:44 AM 341944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 2:52 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 2:52 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:52]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:52]
.
2011-05-17 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\backup\Program Files\SmartDraw 7\Messages\SDNotify.exe [2009-08-26 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0fc85f5d-6207-4515-a490-45a549d285c0} - (no file)
BHO-{0fc85f5d-6207-4515-a490-45a549d285c0} - (no file)
Toolbar-{0fc85f5d-6207-4515-a490-45a549d285c0} - (no file)
WebBrowser-{0FC85F5D-6207-4515-A490-45A549D285C0} - (no file)
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 16:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-17 16:22:18
ComboFix-quarantined-files.txt 2011-05-17 19:22
.
Pre-Run: 111,963,402,240 bytes free
Post-Run: 112,048,680,960 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4ED83F7EC0A1DE2100B58AE0DE59D323
  • 0

#8
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys 
Folder::
C:\c9317dce10ddb21d73a1
C:\c7b9e9b63c988801516d289925e4572a
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
Driver::
Lavasoft Kernexplorer
Lavasoft Ad-Aware Service
SecCenter::
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
DirLook::
c:\program files\Lavasoft

Save this as CFScript.txt, in the same location as philbrow.exe


Posted Image

Refering to the picture above, drag CFScript into philbrow.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#9
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Combofix is still telling me that AVG 2011 is running, but I don't see it on my computer?

Here is the report..........

ComboFix 11-05-16.04 - Phill Brown 05/18/2011 8:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.507 [GMT -3:00]
Running from: c:\documents and settings\Phill Brown\Desktop\philbrow.exe
Command switches used :: c:\documents and settings\Phill Brown\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\program files\Lavasoft\Ad-Aware\AAWService.exe"
"c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\c7b9e9b63c988801516d289925e4572a
C:\c9317dce10ddb21d73a1
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LAVASOFT_AD-AWARE_SERVICE
-------\Legacy_LAVASOFT_KERNEXPLORER
-------\Service_Lavasoft Ad-Aware Service
-------\Service_Lavasoft Kernexplorer
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-16 18:26 . 2011-05-16 18:51 -------- d-----w- c:\program files\trend micro
2011-05-16 18:26 . 2011-05-16 18:31 -------- d-----w- C:\rsit
2011-05-13 16:59 . 2011-05-13 16:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-12 16:20 . 2011-05-12 16:20 -------- d-----w- c:\documents and settings\Phill Brown\Application Data\Tific
2011-05-11 19:19 . 2011-05-11 19:39 -------- d-----w- c:\program files\Symantec
2011-05-11 19:19 . 2011-05-11 19:39 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-11 19:19 . 2011-05-11 19:39 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-11 19:19 . 2011-05-11 19:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-05-11 19:18 . 2011-05-11 19:44 -------- d-----w- c:\windows\system32\drivers\NIS
2011-05-11 19:18 . 2011-05-11 19:18 -------- d-----w- c:\program files\Norton Internet Security
2011-05-11 19:12 . 2011-05-11 19:42 -------- d-----w- c:\program files\NortonInstaller
2011-05-11 16:02 . 2011-05-11 17:17 -------- d-----w- c:\windows\system32\NtmsData
2011-05-11 09:47 . 2011-05-11 09:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-05-09 20:29 . 2011-04-26 00:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-09 18:40 . 2011-05-09 18:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2011-05-09 18:25 . 2011-04-26 00:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-09 18:25 . 2011-05-09 18:25 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-09 18:15 . 2011-05-09 18:15 -------- d-----w- c:\documents and settings\Phill Brown\Local Settings\Application Data\Sunbelt Software
2011-05-09 18:13 . 2011-05-09 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-09 18:13 . 2011-05-09 18:13 -------- d-----w- c:\program files\Lavasoft
2011-05-05 14:37 . 2011-05-05 14:37 -------- d-----w- c:\documents and settings\Phill Brown\Application Data\Malwarebytes
2011-05-05 14:37 . 2011-05-05 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 14:37 . 2011-05-11 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-04 19:25 . 2011-05-04 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-05-04 12:16 . 2011-05-04 12:16 -------- d-----w- c:\program files\Windows Sidebar
2011-05-04 12:16 . 2011-05-11 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-12 12:00 . 2004-08-04 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-03-07 05:33 . 2009-08-25 05:46 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-08-25 09:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\Lavasoft ----
.
2011-04-26 00:00 . 2011-05-02 15:14 2146496 ------w- c:\program files\Lavasoft\Ad-Aware\AAWServic
.
.
((((((((((((((((((((((((((((( [email protected]_19.19.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-18 11:13 . 2011-05-18 11:13 16384 c:\windows\Temp\Perflib_Perfdata_798.dat
+ 2011-05-18 09:54 . 2011-05-18 09:54 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-22 137752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-22 166424]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Phill Brown\Start Menu\Programs\Startup\
WkCalRem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-6-20 24651]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/9/2011 3:25 PM 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/11/2011 4:39 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/11/2011 4:39 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [4/30/2011 1:44 AM 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/11/2011 4:39 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/11/2011 4:39 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2011 4:38 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110514.001\IDSXpx86.sys [5/17/2011 7:44 AM 341944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 2:52 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 2:52 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:52]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:52]
.
2011-05-18 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\backup\Program Files\SmartDraw 7\Messages\SDNotify.exe [2009-08-26 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 08:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-18 08:15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-18 11:15
ComboFix2.txt 2011-05-17 19:22
.
Pre-Run: 112,127,463,424 bytes free
Post-Run: 112,049,463,296 bytes free
.
- - End Of File - - 69D4B943BD84DA3212CA6840A4891B72
  • 0

#10
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

Combofix is still telling me that AVG 2011 is running, but I don't see it on my computer?

That was strange.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\program files\Lavasoft
Registry::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Did ComboFix detect AVG 2011 as running this time?
  • 0

Advertisements


#11
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Do you ever sleep??

Combofix did not detect AVG 2011 runing this time.

Here is the report...........

ComboFix 11-05-16.04 - Phill Brown 05/18/2011 8:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.489 [GMT -3:00]
Running from: c:\documents and settings\Phill Brown\Desktop\philbrow.exe
Command switches used :: c:\documents and settings\Phill Brown\Desktop\CFScript.txt.doc
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-16 18:26 . 2011-05-16 18:51 -------- d-----w- c:\program files\trend micro
2011-05-16 18:26 . 2011-05-16 18:31 -------- d-----w- C:\rsit
2011-05-13 16:59 . 2011-05-13 16:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-12 16:20 . 2011-05-12 16:20 -------- d-----w- c:\documents and settings\Phill Brown\Application Data\Tific
2011-05-11 19:19 . 2011-05-11 19:39 -------- d-----w- c:\program files\Symantec
2011-05-11 19:19 . 2011-05-11 19:39 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-11 19:19 . 2011-05-11 19:39 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-11 19:19 . 2011-05-11 19:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-05-11 19:18 . 2011-05-11 19:44 -------- d-----w- c:\windows\system32\drivers\NIS
2011-05-11 19:18 . 2011-05-11 19:18 -------- d-----w- c:\program files\Norton Internet Security
2011-05-11 19:12 . 2011-05-11 19:42 -------- d-----w- c:\program files\NortonInstaller
2011-05-11 16:02 . 2011-05-11 17:17 -------- d-----w- c:\windows\system32\NtmsData
2011-05-11 09:47 . 2011-05-11 09:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-05-09 20:29 . 2011-04-26 00:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-09 18:40 . 2011-05-09 18:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2011-05-09 18:25 . 2011-04-26 00:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-09 18:25 . 2011-05-09 18:25 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-09 18:15 . 2011-05-09 18:15 -------- d-----w- c:\documents and settings\Phill Brown\Local Settings\Application Data\Sunbelt Software
2011-05-09 18:13 . 2011-05-09 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-09 18:13 . 2011-05-09 18:13 -------- d-----w- c:\program files\Lavasoft
2011-05-05 14:37 . 2011-05-05 14:37 -------- d-----w- c:\documents and settings\Phill Brown\Application Data\Malwarebytes
2011-05-05 14:37 . 2011-05-05 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 14:37 . 2011-05-11 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-04 19:25 . 2011-05-04 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-05-04 12:16 . 2011-05-04 12:16 -------- d-----w- c:\program files\Windows Sidebar
2011-05-04 12:16 . 2011-05-11 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-12 12:00 . 2004-08-04 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-03-07 05:33 . 2009-08-25 05:46 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-08-25 09:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
((((((((((((((((((((((((((((( [email protected]_19.19.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-18 11:16 . 2011-05-18 11:16 16384 c:\windows\Temp\Perflib_Perfdata_ac.dat
+ 2011-05-18 11:13 . 2011-05-18 11:13 16384 c:\windows\Temp\Perflib_Perfdata_798.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-22 137752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-22 166424]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Phill Brown\Start Menu\Programs\Startup\
WkCalRem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-6-20 24651]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/9/2011 3:25 PM 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/11/2011 4:39 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/11/2011 4:39 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [4/30/2011 1:44 AM 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/11/2011 4:39 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/11/2011 4:39 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2011 4:38 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110514.001\IDSXpx86.sys [5/17/2011 7:44 AM 341944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 2:52 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 2:52 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:52]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:52]
.
2011-05-18 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\backup\Program Files\SmartDraw 7\Messages\SDNotify.exe [2009-08-26 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 08:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-18 08:57:27
ComboFix-quarantined-files.txt 2011-05-18 11:57
ComboFix2.txt 2011-05-18 11:15
ComboFix3.txt 2011-05-17 19:22
.
Pre-Run: 112,046,829,568 bytes free
Post-Run: 112,049,618,944 bytes free
.
- - End Of File - - B5FE298F7225B2E314BFAEA7587D2884
  • 0

#12
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

Do you ever sleep??

:unsure:
You're just lucky that I'm here when you are :)

Let's run a couple of scans for leftovers as well


Step 1.
Clean temp locations:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 4.
Things I would like to see in your reply:

  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.
  • Information on how your computer is running after those steps

  • 0

#13
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Malwarebytes indicated that there were no infections found. report...........


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 9:21:28 AM
mbam-log-2011-05-18 (09-21-28).txt

Scan type: Quick scan
Objects scanned: 154928
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will now run the ESET scan........
  • 0

#14
Phil Brown

Phil Brown

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
here is the result of the ESET scan..........


[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=6ab23e91c7c73149b3076c91b9abe4c1
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-18 01:45:14
# local_time=2011-05-18 10:45:14 (-0400, Atlantic Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=139974
# found=0
# cleaned=0
# scan_time=3889
  • 0

#15
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Hey there, Phil Brown !

OK! Well done, your log is clean again! :)

Time for some housekeeping.

Step 1.
Clean up:

We need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    Posted Image


Second:

Double-click OTL.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any tools/logs that is left over after you ran OTL Clean up.


Step 2.
Prevention:

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com.../readstep2.html

Remove the older versions and install the latest.

-------

Upgrading Java:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 25 .
  • Click the JDK 6 Update 25 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation ( jre-6u25-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u25-windows-i586.exe and select "Run as an Administrator.")


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.


Third:
Now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP