
Google Redirects Virus (followed official guide - tdsskiller won't



#1
roqwrp

    New Member

  • Member
  • 9 posts
The infected computer is running Windows XP Professional, version 2002, Service Pack 3. It's a workroom computer at the office I work at.

The virus occasionally redirects links to adverts or suspicious-looking pages. I don't know how it was acquired. So far I've run MBAM multiple times, CCleaner, Advanced SystemCare 4 multiple times, and IObit Malware Fighter multiple times. I followed the "How to fix Google Redirects" guide up until the point of using TDSSkiller, which I am unable to run.

Before I was hired (just recently), someone else had been brought in to fix the computer, and they infected the administrator account too.

Thank you in advance for any and all help.

Here is my OTL log:

OTL logfile created on: 6/23/2011 4:23:37 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 148.44 Mb Available Physical Memory | 29.11% Memory free
1.22 Gb Paging File | 0.84 Gb Available in Paging File | 68.98% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 14.59 Gb Free Space | 39.22% Space Free | Partition Type: NTFS

Computer Name: CBU-2006031222 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/23 16:22:58 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/06/18 00:04:21 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\xpsp4res32.exe
PRC - [2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\msaudite32.exe
PRC - [2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\mll_hp32.exe
PRC - [2011/06/01 14:10:00 | 000,821,080 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
PRC - [2011/06/01 14:09:58 | 004,385,112 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
PRC - [2011/05/28 14:46:56 | 000,803,728 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
PRC - [2011/05/28 14:46:56 | 000,412,560 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
PRC - [2011/05/28 14:46:56 | 000,353,168 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/16 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007/10/16 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe


========== Modules (SafeList) ==========

MOD - [2011/06/23 16:22:58 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:12:05 | 000,005,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\security.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (AOL ACS)
SRV - [2011/06/18 00:04:21 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\xpsp4res32.exe -- (Schedule32)
SRV - [2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\mll_hp32.exe -- (EapHost32)
SRV - [2011/06/01 14:10:00 | 000,821,080 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe -- (IMFservice)
SRV - [2011/05/28 14:46:56 | 000,353,168 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe -- (AdvancedSystemCareService)
SRV - [2011/05/25 15:14:34 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2007/10/25 11:03:28 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/10/16 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2007/10/16 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)


========== Driver Services (SafeList) ==========

DRV - [2011/04/27 19:18:34 | 000,239,472 | ---- | M] () [File_System | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys -- (FileMonitor)
DRV - [2011/03/23 01:00:08 | 000,016,080 | ---- | M] (IObit.com) [Kernel | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys -- (UrlFilter)
DRV - [2011/03/23 01:00:06 | 000,030,368 | ---- | M] (IObit.com) [Kernel | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys -- (RegFilter)
DRV - [2007/10/16 21:50:00 | 000,171,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007/10/16 21:50:00 | 000,072,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2007/10/16 21:50:00 | 000,064,168 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2007/10/16 21:50:00 | 000,051,944 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2007/10/16 21:50:00 | 000,033,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2007/10/16 21:50:00 | 000,031,784 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E3 0C E1 17 B6 AD BF 4E B4 FA 1A 46 A3 E6 E6 21 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/06/22 11:27:21 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {492499B4-9FDD-4A26-9A12-578BC31A0F8d} - Reg Error: Value error. File not found
O2 - BHO: (d0109716) - {526BBD62-6438-D33B-22A2-C6A2A9726DA9} - C:\WINDOWS\system32\MP43DECD32.dll (CrypKey Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [IObit Malware Fighter] C:\Program Files\IObit\IObit Malware Fighter\IMF.exe (IObit)
O4 - HKCU..\Run: [Advanced SystemCare 4] C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll (Sun Microsystems, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 151.164.11.201 151.164.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cold20.coldwellbankerunited.com
O20 - AppInit_DLLs: (C:\WINDOWS\system32\MP43DECD32.dll) - C:\WINDOWS\system32\MP43DECD32.dll (CrypKey Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/21 15:57:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/23 16:22:43 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/06/23 16:09:55 | 000,349,696 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\atmpvcno32.dll
[2011/06/23 12:19:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Malware Fighter
[2011/06/23 12:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Advanced SystemCare 4
[2011/06/23 12:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\IObit
[2011/06/23 12:17:15 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2011/06/22 12:17:32 | 001,441,584 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tds.exe
[2011/06/22 12:11:47 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/06/22 11:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GooredFix Backups
[2011/06/22 11:26:41 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/06/22 11:17:47 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2011/06/22 11:16:19 | 000,522,752 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2011/06/22 10:56:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\erunt
[2011/06/22 10:45:43 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2011/06/22 10:37:33 | 000,092,672 | ---- | C] (Option^Explicit Software [email protected]) -- C:\Documents and Settings\Administrator\Desktop\KillBox.exe
[2011/06/22 10:37:18 | 000,000,000 | ---D | C] -- C:\!KillBox
[2011/06/22 10:27:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/06/22 10:27:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/21 17:16:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2011/06/21 17:09:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/21 17:06:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/06/21 17:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Google
[2011/06/21 16:54:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2011/06/21 16:53:41 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/06/21 16:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/06/21 16:49:28 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2011/06/18 00:04:26 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\msaudite32.exe
[2011/06/18 00:04:24 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\xpsp4res32.exe
[2011/06/18 00:04:24 | 000,169,472 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\MP43DECD32.dll
[2011/06/18 00:04:21 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\mll_hp32.exe
[2011/06/16 14:16:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/16 12:57:47 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/16 12:57:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/16 11:45:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/16 11:15:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/06/16 11:08:51 | 000,000,000 | ---D | C] -- C:\ComboFix
[1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/23 16:22:58 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/06/23 16:18:06 | 000,000,060 | ---- | M] () -- C:\WINDOWS\System32\70e3c044
[2011/06/23 16:17:34 | 000,005,537 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\hijackthis2
[2011/06/23 16:13:14 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/23 16:10:45 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/23 16:10:45 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\ASC4_PerformanceMonitor.job
[2011/06/23 16:10:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/23 16:09:55 | 000,349,696 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\atmpvcno32.dll
[2011/06/23 15:59:27 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/23 12:19:55 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Malware Fighter.lnk
[2011/06/23 12:17:48 | 000,000,896 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Quick Care.lnk
[2011/06/23 12:17:47 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 4.lnk
[2011/06/22 12:17:37 | 001,441,584 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tds.exe
[2011/06/22 11:27:21 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/06/22 11:18:41 | 001,309,375 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\tdsskiller.zip
[2011/06/22 11:17:47 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2011/06/22 11:16:35 | 000,522,752 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2011/06/22 10:55:01 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\erunt.zip
[2011/06/22 10:46:04 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to HijackThis.lnk
[2011/06/22 10:37:33 | 000,092,672 | ---- | M] (Option^Explicit Software [email protected]) -- C:\Documents and Settings\Administrator\Desktop\KillBox.exe
[2011/06/21 17:09:36 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/21 16:58:50 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/21 16:45:26 | 000,118,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/18 00:04:26 | 000,000,097 | ---- | M] () -- C:\WINDOWS\System32\1523437620
[2011/06/18 00:04:24 | 000,169,472 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\MP43DECD32.dll
[2011/06/18 00:04:21 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\xpsp4res32.exe
[2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\msaudite32.exe
[2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\mll_hp32.exe
[2011/06/16 12:38:26 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/06/16 12:08:33 | 000,444,322 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/16 12:08:33 | 000,072,198 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/16 11:03:25 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/16 10:57:58 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16703268
[2011/06/16 10:57:58 | 000,000,144 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16703268r
[2011/06/09 16:46:19 | 000,000,352 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\16703268
[2011/06/04 17:32:39 | 000,000,078 | ---- | M] () -- C:\WINDOWS\tkweb.ini
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/23 16:17:34 | 000,005,537 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\hijackthis2
[2011/06/23 12:19:55 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Malware Fighter.lnk
[2011/06/23 12:18:26 | 000,000,286 | ---- | C] () -- C:\WINDOWS\tasks\ASC4_PerformanceMonitor.job
[2011/06/23 12:17:48 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Quick Care.lnk
[2011/06/23 12:17:47 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 4.lnk
[2011/06/22 11:18:36 | 001,309,375 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\tdsskiller.zip
[2011/06/22 10:54:49 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\erunt.zip
[2011/06/22 10:46:04 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to HijackThis.lnk
[2011/06/21 17:09:36 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/21 16:58:49 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/21 16:58:49 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/21 16:54:17 | 000,000,900 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/21 16:54:16 | 000,000,896 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/21 16:45:26 | 000,118,152 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/21 16:20:08 | 000,000,060 | ---- | C] () -- C:\WINDOWS\System32\70e3c044
[2011/06/18 00:04:21 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\1523437620
[2011/06/16 11:13:51 | 000,001,537 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Photo Story 3 for Windows.lnk
[2011/06/16 11:13:51 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/06/16 11:13:50 | 000,002,341 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Acrobat 6.0 Standard.lnk
[2011/06/16 11:13:50 | 000,002,339 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat Distiller 6.0.lnk
[2011/06/16 11:03:25 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/10 11:00:52 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~16703268r
[2011/06/10 11:00:51 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~16703268
[2011/06/09 16:46:19 | 000,000,352 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\16703268
[2011/05/14 09:49:19 | 000,000,078 | ---- | C] () -- C:\WINDOWS\tkweb.ini
[2011/03/30 09:36:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/30 09:36:05 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/30 09:36:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/30 09:36:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/30 09:36:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/28 09:50:03 | 000,013,432 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5nfu81broaes3q06d
[2010/12/27 12:00:37 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2010/06/09 13:51:59 | 000,172,128 | R--- | C] () -- C:\WINDOWS\_isusr32.dll
[2010/06/09 13:51:53 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\_isusr2k.dll
[2010/06/09 13:51:35 | 000,000,231 | ---- | C] () -- C:\WINDOWS\System32\scnwpm.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/11 03:06:07 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/05/09 12:30:44 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\snmp_pp.dll
[2008/02/28 18:22:15 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/02/22 13:28:52 | 000,165,888 | ---- | C] () -- C:\WINDOWS\System32\hpgt53.dll
[2008/02/21 18:19:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/02/21 17:43:07 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/02/21 16:06:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/02/21 15:53:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/02/21 13:57:06 | 000,000,155 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/02/20 23:21:04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/06/11 16:40:42 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\SN0ELMON.dat
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,444,322 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2004/08/04 07:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2004/08/04 07:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2004/08/04 07:00:00 | 000,072,198 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/06/23 12:19:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IObit
[2008/03/14 09:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2009/06/09 15:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2010/12/27 12:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/06/23 16:10:45 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\ASC4_PerformanceMonitor.job

========== Purity Check ==========



< End of report >
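To show how the OTL entries above can be read by a script rather than by eye, here is an added example (written for this page; not OTL's own code and not posted by anyone in the thread). It parses OTL's `[date | size | attrs | C/M] (Company) -- path -- (Name)` format and flags the patterns that stand out in the log: non-Microsoft "*32" binaries sitting in system32, services named after a real Windows service plus "32", a burst of unknown files written in the same minute, and an AppInit_DLLs entry. The service-name list and the sample lines are constructed assumptions, not part of OTL.

```python
"""Triage helper for the OTL log format in this thread (added example; not
OTL's own code and not posted by anyone in the thread)."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines copied in shape from the log above, with genuine
# entries (explorer.exe, McAfee) mixed in with the suspicious ones.
SAMPLE_LOG = r"""
PRC - [2011/06/18 00:04:21 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\xpsp4res32.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
SRV - [2011/06/18 00:04:21 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\xpsp4res32.exe -- (Schedule32)
SRV - [2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\mll_hp32.exe -- (EapHost32)
SRV - [2007/10/16 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
DRV - [2007/10/16 21:50:00 | 000,171,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\MP43DECD32.dll) - C:\WINDOWS\system32\MP43DECD32.dll (CrypKey Inc.)
[2011/06/18 00:04:26 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\msaudite32.exe
[2011/06/18 00:04:24 | 000,169,472 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\MP43DECD32.dll
[2011/06/18 00:04:21 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\1523437620
[2011/06/23 12:17:15 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
"""

# One OTL entry: optional PRC/MOD/SRV/DRV tag, [date | size | attrs | C/M],
# optional (Company), optional [state], ' -- path', optional ' -- (Name)'.
ENTRY = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<cm>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\).*)?$"
)
APPINIT = re.compile(r"^O20 - AppInit_DLLs: \((?P<value>[^)]*)\)")
MS = "microsoft corporation"
SYSTEM32 = r"c:\windows\system32"
# Real XP service names; '<name>32' is a common mimicry trick (starter list).
WINDOWS_SERVICES = {"schedule", "eaphost", "lanmanserver", "winmgmt", "dnscache"}

def parse_entries(text):
    """Return one dict per PRC/MOD/SRV/DRV/file entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["company"] = (e["company"] or "").strip()
            entries.append(e)
    return entries

def mimics_windows_component(e):
    """Non-Microsoft binary directly in system32 whose name ends in '32'
    (xpsp4res32.exe, msaudite32.exe, MP43DECD32.dll in the log above)."""
    stem, ext = ntpath.splitext(ntpath.basename(e["path"]))
    return (ntpath.dirname(e["path"]).lower() == SYSTEM32
            and ext.lower() in {".exe", ".dll", ".sys"}
            and stem.lower().endswith("32")
            and e["company"].lower() != MS)

def mimics_windows_service(e):
    """Service short name = real Windows service name + '32' (Schedule32,
    EapHost32) whose binary does not carry Microsoft's company name."""
    name = e.get("name") or ""
    return (e.get("kind") == "SRV" and name.endswith("32")
            and name[:-2].lower() in WINDOWS_SERVICES
            and e["company"].lower() != MS)

def creation_bursts(entries, min_files=3):
    """Minute -> sorted non-Microsoft files under the Windows directory written
    in that minute, for minutes with min_files or more (one dropper's footprint)."""
    by_minute = defaultdict(set)
    for e in entries:
        if (e["path"].lower().startswith("c:\\windows\\")
                and e["attr"] != "---D" and e["company"].lower() != MS):
            by_minute[e["ts"][:16]].add(e["path"])
    return {k: sorted(v) for k, v in by_minute.items() if len(v) >= min_files}

def appinit_dlls(text):
    """AppInit_DLLs values load into every user32-linked process; any value
    deserves a look (the log above carries MP43DECD32.dll there)."""
    hits = (APPINIT.match(line.strip()) for line in text.splitlines())
    return [m.group("value") for m in hits if m and m.group("value")]

def triage(text):
    """Return de-duplicated (reason, detail) findings for an OTL log."""
    entries = parse_entries(text)
    found = []
    for e in entries:
        if mimics_windows_component(e):
            found.append(("non-Microsoft '*32' binary in system32", e["path"]))
        if mimics_windows_service(e):
            found.append(("service name mimics a Windows service", e["name"]))
    for minute, paths in creation_bursts(entries).items():
        found.append((f"{len(paths)} unknown files written at {minute}", ", ".join(paths)))
    found += [("AppInit_DLLs injection entry", d) for d in appinit_dlls(text)]
    return list(dict.fromkeys(found))  # keep order, drop repeats
```

Calling `triage(SAMPLE_LOG)` returns eight findings (four "*32" binaries, two mimic services, one five-file burst at 2011/06/18 00:04, one AppInit_DLLs entry); pass it the text of a full OTL log to run the same checks.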


#2
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Copy the text in the code box by highlighting it and pressing Ctrl + C


:OTL
O2 - BHO: (no name) - {492499B4-9FDD-4A26-9A12-578BC31A0F8d} - Reg Error: Value error. File not found
O2 - BHO: (d0109716) - {526BBD62-6438-D33B-22A2-C6A2A9726DA9} - C:\WINDOWS\system32\MP43DECD32.dll (CrypKey Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\MP43DECD32.dll) - C:\WINDOWS\system32\MP43DECD32.dll (CrypKey Inc.)
[2011/06/23 16:09:55 | 000,349,696 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\atmpvcno32.dll
[2011/06/18 00:04:26 | 000,000,097 | ---- | M] () -- C:\WINDOWS\System32\1523437620
[2011/06/18 00:04:24 | 000,169,472 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\MP43DECD32.dll
[2011/06/18 00:04:21 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\xpsp4res32.exe
[2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\msaudite32.exe
[2011/06/18 00:04:17 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\mll_hp32.exe
[2011/06/16 10:57:58 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16703268
[2011/06/16 10:57:58 | 000,000,144 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16703268r
[2011/06/09 16:46:19 | 000,000,352 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\16703268
[2011/03/28 09:50:03 | 000,013,432 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5nfu81broaes3q06d
[2011/06/21 16:20:08 | 000,000,060 | ---- | C] () -- C:\WINDOWS\System32\70e3c044
[2011/06/18 00:04:21 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\1523437620
[2011/06/23 16:10:45 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\ASC4_PerformanceMonitor.job
    
:Commands
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select the All option in the Extra Registry group, then the Run Scan button. Post the two logs it produces in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.
Posted Image

On completion of the scan (note whether the Fix button is enabled and tell me), click Save log, save it to your desktop and post it in your next reply.
Posted Image


Ron

#3
roqwrp

    New Member

  • Topic Starter
  • Member
  • 9 posts
Results of the OTL Run Fix:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{492499B4-9FDD-4A26-9A12-578BC31A0F8d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{492499B4-9FDD-4A26-9A12-578BC31A0F8d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{526BBD62-6438-D33B-22A2-C6A2A9726DA9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{526BBD62-6438-D33B-22A2-C6A2A9726DA9}\ deleted successfully.
C:\WINDOWS\system32\MP43DECD32.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Starting removal of ActiveX control {166B1BCA-3F9C-11CF-8075-444553540000}
C:\WINDOWS\Downloaded Program Files\swdir.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\MP43DECD32.dll deleted successfully.
File C:\WINDOWS\system32\MP43DECD32.dll not found.
C:\WINDOWS\system32\atmpvcno32.dll moved successfully.
C:\WINDOWS\system32\1523437620 moved successfully.
File C:\WINDOWS\System32\MP43DECD32.dll not found.
C:\WINDOWS\system32\xpsp4res32.exe moved successfully.
C:\WINDOWS\system32\msaudite32.exe moved successfully.
C:\WINDOWS\system32\mll_hp32.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\~16703268 moved successfully.
C:\Documents and Settings\All Users\Application Data\~16703268r moved successfully.
C:\Documents and Settings\All Users\Application Data\16703268 moved successfully.
C:\Documents and Settings\All Users\Application Data\5nfu81broaes3q06d moved successfully.
C:\WINDOWS\system32\70e3c044 moved successfully.
File C:\WINDOWS\System32\1523437620 not found.
C:\WINDOWS\Tasks\ASC4_PerformanceMonitor.job moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.24.1 log created on 06272011_100716


Results of the OTL Run Scan:

OTL logfile created on: 6/27/2011 10:13:37 AM - Run 2
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 229.16 Mb Available Physical Memory | 44.93% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.03% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 14.47 Gb Free Space | 38.89% Space Free | Partition Type: NTFS

Computer Name: CBU-2006031222 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/23 16:22:58 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/06/01 14:10:00 | 000,821,080 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
PRC - [2011/06/01 14:09:58 | 004,385,112 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
PRC - [2011/05/28 14:46:56 | 000,412,560 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
PRC - [2011/05/28 14:46:56 | 000,353,168 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/16 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007/10/16 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe


========== Modules (SafeList) ==========

MOD - [2011/06/23 16:22:58 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Schedule32)
SRV - File not found [Auto | Stopped] -- -- (EapHost32)
SRV - File not found [Auto | Stopped] -- -- (AOL ACS)
SRV - [2011/06/01 14:10:00 | 000,821,080 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe -- (IMFservice)
SRV - [2011/05/28 14:46:56 | 000,353,168 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe -- (AdvancedSystemCareService)
SRV - [2011/05/25 15:14:34 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2007/10/25 11:03:28 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/10/16 21:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2007/10/16 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)


========== Driver Services (SafeList) ==========

DRV - [2011/04/27 19:18:34 | 000,239,472 | ---- | M] () [File_System | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys -- (FileMonitor)
DRV - [2011/03/23 01:00:08 | 000,016,080 | ---- | M] (IObit.com) [Kernel | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys -- (UrlFilter)
DRV - [2011/03/23 01:00:06 | 000,030,368 | ---- | M] (IObit.com) [Kernel | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys -- (RegFilter)
DRV - [2007/10/16 21:50:00 | 000,171,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007/10/16 21:50:00 | 000,072,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2007/10/16 21:50:00 | 000,064,168 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2007/10/16 21:50:00 | 000,051,944 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2007/10/16 21:50:00 | 000,033,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2007/10/16 21:50:00 | 000,031,784 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E3 0C E1 17 B6 AD BF 4E B4 FA 1A 46 A3 E6 E6 21 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/06/27 10:07:27 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O4 - HKLM..\Run: [IObit Malware Fighter] C:\Program Files\IObit\IObit Malware Fighter\IMF.exe (IObit)
O4 - HKCU..\Run: [Advanced SystemCare 4] C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll (Sun Microsystems, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 151.164.11.201 151.164.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cold20.coldwellbankerunited.com
O20 - AppInit_DLLs: (C:\WINDOWS\system32\MP43DECD32.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/21 15:57:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/27 10:07:16 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/26 17:20:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Help
[2011/06/26 17:20:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Help
[2011/06/25 04:51:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2011/06/23 16:22:43 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/06/23 12:19:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Malware Fighter
[2011/06/23 12:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Advanced SystemCare 4
[2011/06/23 12:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\IObit
[2011/06/23 12:17:15 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2011/06/22 12:17:32 | 001,441,584 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tds.exe
[2011/06/22 12:11:47 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/06/22 11:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GooredFix Backups
[2011/06/22 11:26:41 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/06/22 11:17:47 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2011/06/22 11:16:19 | 000,522,752 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2011/06/22 10:56:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\erunt
[2011/06/22 10:45:43 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2011/06/22 10:37:33 | 000,092,672 | ---- | C] (Option^Explicit Software [email protected]) -- C:\Documents and Settings\Administrator\Desktop\KillBox.exe
[2011/06/22 10:37:18 | 000,000,000 | ---D | C] -- C:\!KillBox
[2011/06/22 10:27:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/06/22 10:27:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/22 10:26:47 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/06/22 10:26:47 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/22 10:26:47 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/22 10:26:47 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/21 17:16:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2011/06/21 17:09:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/21 17:06:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/06/21 17:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Google
[2011/06/21 16:54:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2011/06/21 16:53:41 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/06/21 16:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/06/21 16:49:28 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2011/06/16 14:16:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/16 12:57:47 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/16 12:57:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/16 12:00:30 | 000,105,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2011/06/16 11:45:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/16 11:38:32 | 000,209,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll
[2011/06/16 11:15:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/06/16 11:08:51 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/06/09 16:43:22 | 000,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\beep.sys
[1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/27 10:09:17 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/27 10:09:14 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/27 10:08:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/27 10:07:27 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/06/27 09:59:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/24 12:26:27 | 000,000,238 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HAR.com Houston Realtor information, Find a Realtor in Houston.url
[2011/06/23 16:22:58 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/06/23 16:17:34 | 000,005,537 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\hijackthis2
[2011/06/23 12:19:55 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Malware Fighter.lnk
[2011/06/23 12:17:48 | 000,000,896 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Quick Care.lnk
[2011/06/23 12:17:47 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 4.lnk
[2011/06/22 12:17:37 | 001,441,584 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tds.exe
[2011/06/22 11:18:41 | 001,309,375 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\tdsskiller.zip
[2011/06/22 11:17:47 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2011/06/22 11:16:35 | 000,522,752 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2011/06/22 10:55:01 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\erunt.zip
[2011/06/22 10:46:04 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to HijackThis.lnk
[2011/06/22 10:37:33 | 000,092,672 | ---- | M] (Option^Explicit Software [email protected]) -- C:\Documents and Settings\Administrator\Desktop\KillBox.exe
[2011/06/21 17:09:36 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/21 16:58:50 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/21 16:45:26 | 000,118,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/16 12:38:26 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/06/16 12:08:33 | 000,444,322 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/16 12:08:33 | 000,072,198 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/16 11:03:25 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/04 17:32:39 | 000,000,078 | ---- | M] () -- C:\WINDOWS\tkweb.ini
[2011/05/30 17:19:48 | 005,964,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/24 12:26:26 | 000,000,238 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HAR.com Houston Realtor information, Find a Realtor in Houston.url
[2011/06/23 16:17:34 | 000,005,537 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\hijackthis2
[2011/06/23 12:19:55 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Malware Fighter.lnk
[2011/06/23 12:17:48 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Quick Care.lnk
[2011/06/23 12:17:47 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 4.lnk
[2011/06/22 11:18:36 | 001,309,375 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\tdsskiller.zip
[2011/06/22 10:54:49 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\erunt.zip
[2011/06/22 10:46:04 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to HijackThis.lnk
[2011/06/21 17:09:36 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/21 16:58:49 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/21 16:58:49 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/21 16:54:17 | 000,000,900 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/21 16:54:16 | 000,000,896 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/21 16:45:26 | 000,118,152 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/16 11:13:51 | 000,001,537 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Photo Story 3 for Windows.lnk
[2011/06/16 11:13:51 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/06/16 11:13:50 | 000,002,341 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Acrobat 6.0 Standard.lnk
[2011/06/16 11:13:50 | 000,002,339 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat Distiller 6.0.lnk
[2011/06/16 11:03:25 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/14 09:49:19 | 000,000,078 | ---- | C] () -- C:\WINDOWS\tkweb.ini
[2011/03/30 09:36:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/30 09:36:05 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/30 09:36:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/30 09:36:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/30 09:36:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/27 12:00:37 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2010/06/09 13:51:59 | 000,172,128 | R--- | C] () -- C:\WINDOWS\_isusr32.dll
[2010/06/09 13:51:53 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\_isusr2k.dll
[2010/06/09 13:51:35 | 000,000,231 | ---- | C] () -- C:\WINDOWS\System32\scnwpm.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/11 03:06:07 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/05/09 12:30:44 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\snmp_pp.dll
[2008/02/28 18:22:15 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/02/22 13:28:52 | 000,165,888 | ---- | C] () -- C:\WINDOWS\System32\hpgt53.dll
[2008/02/21 18:19:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/02/21 17:43:07 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/02/21 16:06:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/02/21 15:53:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/02/21 13:57:06 | 000,000,155 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/02/20 23:21:04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/06/11 16:40:42 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\SN0ELMON.dat
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,444,322 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,072,198 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >

Extras:

OTL Extras logfile created on: 6/27/2011 10:13:37 AM - Run 2
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 229.16 Mb Available Physical Memory | 44.93% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.03% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 14.47 Gb Free Space | 38.89% Space Free | Partition Type: NTFS

Computer Name: CBU-2006031222 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe %SystemRoot%\System32\Mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\xpsp4res32.exe" = C:\WINDOWS\system32\xpsp4res32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\mll_hp32.exe" = C:\WINDOWS\system32\mll_hp32.exe:*:Enabled:Windows Update Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\WINDOWS\system32\xpsp4res32.exe" = C:\WINDOWS\system32\xpsp4res32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\mll_hp32.exe" = C:\WINDOWS\system32\mll_hp32.exe:*:Enabled:Windows Update Service


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 26
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{58E6A969-8215-4ABC-BD73-FCB25EA6F544}" = FormViewer
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced SystemCare 4_is1" = Advanced SystemCare 4
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{58E6A969-8215-4ABC-BD73-FCB25EA6F544}" = FormViewer
"IObit Malware Fighter_is1" = IObit Malware Fighter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Connections Drivers
"SHARP PCL6 T1 Printer Driver" = SHARP PCL6 T1 Printer Driver
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >

Results of aswMBR Scan (The fix button was NOT enabled):

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-27 10:30:34
-----------------------------
10:30:34.734 OS Version: Windows 5.1.2600 Service Pack 3
10:30:34.734 Number of processors: 1 586 0x304
10:30:34.734 ComputerName: CBU-2006031222 UserName: Administrator
10:30:35.703 Initialize success
10:30:49.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:30:49.703 Disk 0 Vendor: WDC_WD400BB-75FJA1 14.03G14 Size: 38146MB BusType: 3
10:30:51.734 Disk 0 MBR read successfully
10:30:51.734 Disk 0 MBR scan
10:30:51.734 Disk 0 Windows XP default MBR code
10:30:53.734 Disk 0 scanning sectors +78108030
10:30:53.812 Disk 0 scanning C:\WINDOWS\system32\drivers
10:31:28.390 Service scanning
10:31:30.000 Disk 0 trace - called modules:
10:31:30.015 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82ef31ed]<<
10:31:30.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fddab8]
10:31:30.015 3 CLASSPNP.SYS[f8678fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fe3d98]
10:31:30.015 \Driver\atapi[0x82fd4630] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x82ef31ed
10:31:30.015 Scan finished successfully
10:31:49.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:31:49.765 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

#4 RKinner (Malware Expert; Expert, 24,598 posts, MVP)
Please uninstall:
IObit Malware Fighter
Advanced SystemCare 4

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it from the browser :!:

:!: Disable your Antivirus software when downloading or running Combofix. (This is particularly important with McAfee which will eat critical portions of Combofix) If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

What make and model is the PC?

Ron

#5 roqwrp (New Member; Topic Starter, Member, 9 posts)
Uninstalled:
IObit Malware Fighter & Advanced SystemCare 4

mbam log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6967

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/28/2011 10:50:48 AM
mbam-log-2011-06-28 (10-50-47).txt

Scan type: Quick scan
Objects scanned: 178366
Time elapsed: 22 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\application data\02000000420df63f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\02000000420df63f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\02000000420df63f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\02000000420df63f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000420df63f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000420df63f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000420df63f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000420df63f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.


ComboFix
In C:\Combofix\N_ there are three files:
3838 (125kb)
28956 (1kb)
SuppScan (9kb)

The only text file created that I can find is on the desktop, catchme.log, which reads:
File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully


The computer is a Dell OptiPlex GX270

#6 RKinner (Malware Expert; Expert, 24,598 posts, MVP)
The log should be at:
C:\Combofix.txt

If not: Try deleting the old combofix and try downloading a new one. Make sure your anti-virus is off when you do anything with Combofix.

Can you get aswMBR to work?

#7 roqwrp (New Member; Topic Starter, Member, 9 posts)
Got rid of all traces of McAfee.

Re-downloaded ComboFix, and this time it created a log; it also detected a rootkit!

ComboFix log:
ComboFix 11-06-30.03 - Administrator 06/30/2011 15:26:53.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.349 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-28 15:24 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-28 15:24 . 2011-06-28 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 15:07 . 2011-06-27 15:07 -------- d-----w- C:\_OTL
2011-06-26 22:20 . 2011-06-26 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2011-06-25 09:51 . 2011-06-25 09:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-06-23 17:17 . 2011-06-23 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-06-23 17:17 . 2011-06-23 17:19 -------- d-----w- c:\program files\IObit
2011-06-22 17:11 . 2011-06-22 17:11 -------- d--h--w- c:\windows\PIF
2011-06-22 16:26 . 2011-06-22 16:26 -------- d-----w- C:\_OTM
2011-06-22 15:37 . 2011-06-22 15:37 -------- d-----w- C:\!KillBox
2011-06-22 15:27 . 2011-06-22 15:27 -------- d-----w- c:\program files\Common Files\Java
2011-06-22 15:26 . 2011-05-04 09:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-21 22:06 . 2011-06-21 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-21 22:03 . 2011-06-21 22:03 0 ---ha-w- c:\documents and settings\Administrator\tesfexdwfm.tmp
2011-06-21 21:54 . 2011-06-29 19:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-06-21 21:53 . 2011-06-21 21:54 -------- d-----w- c:\program files\Google
2011-06-21 21:52 . 2011-06-21 21:52 -------- d-----w- c:\program files\NOS
2011-06-21 21:49 . 2011-06-21 21:49 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-06-21 21:23 . 2011-06-21 21:23 0 ---ha-w- c:\documents and settings\agent\tesfexdwfm.tmp
2011-06-16 17:00 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-16 16:38 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-16 16:38 . 2009-08-07 00:24 209632 -c--a-w- c:\windows\system32\dllcache\wuweb.dll
2011-06-16 16:38 . 2009-08-07 00:24 209632 ----a-w- c:\windows\system32\wuweb.dll
2011-06-09 21:43 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\beep.sys
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 07:25 . 2009-06-25 17:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2008-02-21 20:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-04-25 14:21 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2006-05-05 09:41 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2007-10-25 16:04 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
S2 EapHost32;Extensible Authentication Protocol Service ;c:\windows\system32\mll_hp32.exe --> c:\windows\system32\mll_hp32.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2011 4:54 PM 136176]
S2 Schedule32;Task Scheduler ;c:\windows\system32\xpsp4res32.exe --> c:\windows\system32\xpsp4res32.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/28/2011 10:24 AM 39984]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NDISRD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-21 21:54]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-21 21:54]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 151.164.11.201 151.164.1.8
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-30 15:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-789336058-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,a2,7e,7c,1c,42,1c,41,90,64,9a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,a2,7e,7c,1c,42,1c,41,90,64,9a,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,a2,7e,7c,1c,42,1c,41,90,64,9a,\
.
Completion time: 2011-06-30 15:39:49
ComboFix-quarantined-files.txt 2011-06-30 20:39
.
Pre-Run: 14,998,056,960 bytes free
Post-Run: 15,503,810,560 bytes free
.
- - End Of File - - 48FB2446D670BF939898230A9CA7C91F



Still can't get aswMBR to work.
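As an added example (not one of the tools used in this thread), the following Python script cross-checks the OTL firewall exception list against the ComboFix service lines posted above: it flags an auto-start service whose image ComboFix could not read and which also holds a firewall exception, and reports the Security Center overrides and disabled firewall that hid the problem. The sample lines are copied from the logs above; the function names are mine.

```python
"""Cross-check OTL firewall exceptions against ComboFix service lines.

Added example, not a tool from the thread. Flags the pattern the logs above
show: an auto-start (S2) service whose image ComboFix could not read
("path --> path [?]") that also has a Windows Firewall exception under a
Microsoft-sounding label, plus the Security Center settings that hid it.
"""
import re
from collections import namedtuple

# Constructed sample input: lines copied from the OTL and ComboFix logs above.
OTL_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\WINDOWS\system32\xpsp4res32.exe" = C:\WINDOWS\system32\xpsp4res32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\mll_hp32.exe" = C:\WINDOWS\system32\mll_hp32.exe:*:Enabled:Windows Update Service
"""

COMBOFIX_EXCERPT = r"""
S2 EapHost32;Extensible Authentication Protocol Service ;c:\windows\system32\mll_hp32.exe --> c:\windows\system32\mll_hp32.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2011 4:54 PM 136176]
S2 Schedule32;Task Scheduler ;c:\windows\system32\xpsp4res32.exe --> c:\windows\system32\xpsp4res32.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/28/2011 10:24 AM 39984]
"""

FirewallException = namedtuple("FirewallException", "path scope state label")
Service = namedtuple("Service", "start name display image unreadable")
_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
_SVC_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


def parse_otl_registry(text):
    """{key_path: {value_name: value}} from OTL's [KEY] / "name" = value dump."""
    reg, current = {}, None
    for line in text.splitlines():
        key, val = _KEY_RE.match(line.strip()), _VAL_RE.match(line.strip())
        if key:
            current = key.group("key")
            reg[current] = {}
        elif val and current is not None:
            reg[current][val.group("name")] = val.group("value")
    return reg


def firewall_exceptions(reg):
    """Values look like path:scope:Enabled:label; the path holds the drive colon, so split from the right."""
    out = []
    for key, values in reg.items():
        if key.endswith(r"\AuthorizedApplications\List"):
            for raw in values.values():
                path, scope, state, label = raw.rsplit(":", 3)
                out.append(FirewallException(path, scope, state, label))
    return out


def parse_combofix_services(text):
    """Parse 'S2 name;display;image [...]' lines; 'image --> image [?]' means ComboFix could not read the file."""
    out = []
    for line in text.splitlines():
        m = _SVC_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        unreadable = rest.endswith("[?]")
        image = rest.split(" --> ")[0] if unreadable else rest.rsplit(" [", 1)[0]
        out.append(Service(m.group("start"), m.group("name"), m.group("display").strip(), image, unreadable))
    return out


def find_hidden_service_pattern(reg, services):
    """S2 service whose image is unreadable, with the firewall exception label (if any) for the same binary."""
    excepted = {fw.path.lower(): fw.label for fw in firewall_exceptions(reg)}
    return [{"service": s.name, "display": s.display, "image": s.image,
             "firewall_label": excepted.get(s.image.lower())}
            for s in services if s.start == "S2" and s.unreadable]


def security_center_posture(reg):
    """Settings that silence Security Center warnings or turn the firewall off."""
    sc = reg.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", {})
    issues = [f"{n}=1: Security Center warning suppressed"
              for n in ("AntiVirusOverride", "FirewallOverride") if sc.get(n) == "1"]
    for key, values in reg.items():
        if "\\FirewallPolicy\\" in key and values.get("EnableFirewall") == "0":
            issues.append("EnableFirewall=0 for " + key.rsplit("\\", 1)[-1])
    return issues


if __name__ == "__main__":
    registry = parse_otl_registry(OTL_EXCERPT)
    svcs = parse_combofix_services(COMBOFIX_EXCERPT)
    for f in find_hidden_service_pattern(registry, svcs):
        print(f"SUSPECT {f['service']} ({f['display']}) -> {f['image']} [firewall exception: {f['firewall_label']}]")
    for issue in security_center_posture(registry):
        print("POSTURE", issue)
```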

#8 RKinner (Malware Expert; Expert, 24,598 posts, MVP)
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\system32\mll_hp32.exe
c:\windows\system32\xpsp4res32.exe

Driver::
EapHost32
Schedule32


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.


Since you have removed McAfee (good riddance) let's install the free Avast. (Since this is a business you can't legally keep it but I don't think they will mind us trying it out.)

First download, save and run the McAfee removal tool:

http://download.mcaf...atches/MCPR.exe

Replace with the free Avast!
http://www.avast.com...ivirus-download

Download, Save, and Run

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows.
Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

Now try aswMBR and TDSSKiller again.

Any luck?

Ron

#9 roqwrp (New Member; Topic Starter, Member, 9 posts)
Combo Fix Log

ComboFix 11-06-30.05 - Administrator 07/01/2011 10:19:29.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.225 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\mll_hp32.exe"
"c:\windows\system32\xpsp4res32.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_EAPHOST32
-------\Legacy_SCHEDULE32
-------\Service_EapHost32
-------\Service_Schedule32
.
.
((((((((((((((((((((((((( Files Created from 2011-06-01 to 2011-07-01 )))))))))))))))))))))))))))))))
.
.
2011-06-28 15:24 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-28 15:24 . 2011-06-28 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 15:07 . 2011-06-27 15:07 -------- d-----w- C:\_OTL
2011-06-26 22:20 . 2011-06-26 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2011-06-25 09:51 . 2011-06-25 09:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-06-23 17:17 . 2011-06-23 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-06-23 17:17 . 2011-06-23 17:19 -------- d-----w- c:\program files\IObit
2011-06-22 17:11 . 2011-06-22 17:11 -------- d--h--w- c:\windows\PIF
2011-06-22 16:26 . 2011-06-22 16:26 -------- d-----w- C:\_OTM
2011-06-22 15:37 . 2011-06-22 15:37 -------- d-----w- C:\!KillBox
2011-06-22 15:27 . 2011-06-22 15:27 -------- d-----w- c:\program files\Common Files\Java
2011-06-22 15:26 . 2011-05-04 09:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-21 22:06 . 2011-06-21 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-21 22:03 . 2011-06-21 22:03 0 ---ha-w- c:\documents and settings\Administrator\tesfexdwfm.tmp
2011-06-21 21:54 . 2011-06-29 19:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-06-21 21:53 . 2011-06-21 21:54 -------- d-----w- c:\program files\Google
2011-06-21 21:52 . 2011-06-21 21:52 -------- d-----w- c:\program files\NOS
2011-06-21 21:49 . 2011-06-21 21:49 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-06-21 21:23 . 2011-06-21 21:23 0 ---ha-w- c:\documents and settings\agent\tesfexdwfm.tmp
2011-06-16 17:00 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-16 16:38 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-16 16:38 . 2009-08-07 00:24 209632 -c--a-w- c:\windows\system32\dllcache\wuweb.dll
2011-06-16 16:38 . 2009-08-07 00:24 209632 ----a-w- c:\windows\system32\wuweb.dll
2011-06-09 21:43 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\beep.sys
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 07:25 . 2009-06-25 17:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2008-02-21 20:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-04-25 14:21 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2006-05-05 09:41 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2007-10-25 16:04 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2011 4:54 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/28/2011 10:24 AM 39984]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NDISRD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-21 21:54]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-21 21:54]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 151.164.11.201 151.164.1.8
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-01 10:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-789336058-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,a2,7e,7c,1c,42,1c,41,90,64,9a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,a2,7e,7c,1c,42,1c,41,90,64,9a,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,a2,7e,7c,1c,42,1c,41,90,64,9a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2332)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2011-07-01 10:34:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-01 15:34
ComboFix2.txt 2011-06-30 20:39
.
Pre-Run: 15,409,422,336 bytes free
Post-Run: 15,397,433,344 bytes free
.
- - End Of File - - B1C9316954679D306A2933C8E6C320E9



Avast! found 8 items, all of which it said were successful in the move to chest action.

TDSSkiller opened, and found nothing during its scan.

aswMBR still isn't offering to fix anything.

#10 RKinner (Malware Expert; Expert, 24,598 posts, MVP)
So are you still getting redirects?


Ron

#11 roqwrp (New Member; Topic Starter, Member, 9 posts)
It's all gone, no more redirects. Are we all done?

#12 RKinner (Malware Expert; Expert, 24,598 posts, MVP)
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

OTL has a cleanup tab that will remove it and its log and some of our other tools.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK, then close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
It will tell you which files need to be updated and offer you a link to a download. (Click on the green arrow at the end of each line.)


If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use LimeWire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support, especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0
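The Folder Options steps in the post above are the GUI route; the same three settings live as DWORD values under the Explorer\Advanced key of the current user, so they can be set and verified from the cmd prompt the post already has the user opening. The script below is an added example, not part of the original thread or any of the tools it mentions. It assumes Windows XP Professional with the stock reg.exe and taskkill.exe; the script name is hypothetical, Hidden and ShowSuperHidden are the well-known Folder Options values, and WebViewBarricade is the value I associate with the "Display the contents of system folders" checkbox (treat that one as an assumption and confirm it with reg query on your own machine). Run it with "show" to get the view a removal guide asks for, and with "hide" to put the defaults back once the cleanup is finished.

```batch
@echo off
rem Added example (not from the original post): set the Folder Options
rem hidden-file values via the registry instead of the My Computer dialog.
rem Usage:  folderview.cmd show   (the view malware-removal guides ask for)
rem         folderview.cmd hide   (the post-cleanup defaults described above)
rem Assumes Windows XP Pro with reg.exe and taskkill.exe; the script name is
rem hypothetical and WebViewBarricade is an assumption for the
rem "Display the contents of system folders" checkbox.
setlocal
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

if /i "%~1"=="show" (
    rem Hidden=1 shows hidden files, ShowSuperHidden=1 shows protected OS
    rem files, WebViewBarricade=1 displays the contents of system folders.
    set HIDDEN=1
    set SUPERHIDDEN=1
    set BARRICADE=1
) else if /i "%~1"=="hide" (
    rem Hidden=2 is "Do not show hidden files and folders"; the other two
    rem back to 0 hide protected OS files and system folder contents again.
    set HIDDEN=2
    set SUPERHIDDEN=0
    set BARRICADE=0
) else (
    echo usage: %~nx0 show^|hide
    exit /b 2
)

rem /f overwrites without prompting; stop at the first failure rather than
rem leaving the three values half-changed.
reg add "%KEY%" /v Hidden /t REG_DWORD /d %HIDDEN% /f >nul || goto :fail
reg add "%KEY%" /v ShowSuperHidden /t REG_DWORD /d %SUPERHIDDEN% /f >nul || goto :fail
reg add "%KEY%" /v WebViewBarricade /t REG_DWORD /d %BARRICADE% /f >nul || goto :fail

rem Read the values back so the change is verified rather than assumed.
for %%V in (Hidden ShowSuperHidden WebViewBarricade) do (
    reg query "%KEY%" /v %%V | findstr /i "%%V"
)

rem Explorer reads these values when it starts; restart it so the change
rem is visible without logging off.
taskkill /f /im explorer.exe >nul
start explorer.exe
exit /b 0

:fail
echo reg add failed for %KEY%
exit /b 1
```

The reg query loop is the part worth keeping even if you prefer the dialog: on a machine that has just had a rootkit removed, reading the values back is how you confirm that Explorer's view really is what you set and not something a leftover startup entry keeps resetting.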





