Google redirect


  • This topic is locked

#1
jc3333

    New Member

  • Member
  • 7 posts
For the last week (since 7/31 a.m.) I have been trying to battle many malware attacks with Malwarebytes and Avast free antivirus. Presently the problems that persist are Google redirects to findfastanswers.com and other random sites, malicious URLs (roonyx.net, rhyndu.net, and weirden.com), C:\hiberfil.sys Win32:Agent-AIXG [Trj] (on the Avast boot scan it can't be repaired or quarantined; please advise on deleting it), and I believe the Windows XP firewall is down (Windows Security Center is unavailable). Any help or advice is greatly appreciated.

I attached the Avast and MBAM logs and the malicious URL information.

Background
While browsing on 7/31, Internet Explorer became unresponsive; after closing it, I noticed Zentom System Guard had installed.

OTL logfile created on: 8/5/2011 11:28:31 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Joe C\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 272.68 Mb Available Physical Memory | 53.31% Memory free
1.22 Gb Paging File | 1.02 Gb Available in Paging File | 84.10% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.94 Gb Total Space | 1.26 Gb Free Space | 8.43% Space Free | Partition Type: NTFS
Drive D: | 59.57 Gb Total Space | 50.26 Gb Free Space | 84.37% Space Free | Partition Type: NTFS

Computer Name: VALUED-7B9600FA | User Name: Joe C | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/05 19:01:04 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
PRC - [2011/07/04 07:43:54 | 003,493,720 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 15:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/04/24 02:57:42 | 001,025,320 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/29 20:43:48 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe


========== Modules (SafeList) ==========

MOD - [2011/08/05 19:01:04 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
MOD - [2007/03/08 11:36:28 | 000,345,600 | ---- | M] () -- C:\WINDOWS\oqiluqoti.dll
MOD - [2006/10/16 12:15:00 | 000,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\oledlg.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [Auto | Stopped] -- -- (6to4)
SRV - [2011/07/31 16:40:34 | 000,218,624 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\termvw32.dll -- (TermServices)
SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2001/09/28 02:26:40 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 07:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 07:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2007/02/02 05:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 05:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/05/29 07:15:12 | 000,009,728 | ---- | M] (iolo technologies, LLC (based on original work by Bo Brantén)) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\filedisk.sys -- (FileDisk)
DRV - [2003/05/22 01:20:36 | 000,259,072 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/05/22 01:20:36 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/05/22 01:20:36 | 000,146,560 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2003/05/22 01:20:36 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/05/22 01:20:36 | 000,022,713 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/05/22 01:20:36 | 000,021,737 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/10/01 10:22:32 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/12/06 13:49:44 | 000,012,032 | ---- | M] (Sony Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SonyFKC.sys -- (SonyFKC)
DRV - [2001/11/13 02:26:32 | 000,029,702 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyWBMS.sys -- (SONYWBMS) Sony Memory Stick controller(WB)
DRV - [2001/09/21 20:16:46 | 000,593,000 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Smbe.sys -- (SMBE) Sony MPEG2 Encoder Board (WDM)
DRV - [2001/08/17 17:28:00 | 000,871,388 | ---- | M] (BCM) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem)
DRV - [2001/08/17 16:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 16:11:26 | 000,054,271 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™
DRV - [2001/05/08 21:57:20 | 000,467,985 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2000/12/05 20:18:02 | 000,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/03/09 12:24:42 | 000,007,196 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\V7.SYS -- (V7)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsof...obby/search.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://home.microsof...ss/allinone.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.c...activ_tech_main
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2629: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Joe C\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Joe C\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}: C:\Documents and Settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0} [2011/08/01 07:58:22 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PCTools Site Guard) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll ()
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (PCTools Browser Monitor) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (GuideWorks Pty. Ltd.)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Openwares LiveUpdate] C:\Program Files\LIVEUPDATE\LiveUpdate.exe (Openwares)
O4 - HKLM..\Run: [Qbogaruyum] C:\WINDOWS\oqiluqoti.dll ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [msnmsgr] File not found
O4 - HKCU..\Run: [Pvuyahexofip] C:\WINDOWS\wmltael.dll (Agere Systems)
O4 - HKCU..\Run: [Spyware Doctor] C:\Program Files\Spyware Doctor\swdoctor.exe (PCTools)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (GuideWorks Pty. Ltd.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupd...b?1106791878324 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} http://mvnet.xlontec...2ie06101001.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O20 - Winlogon\Notify\termssvces: DllName - temlvw32.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Joe C\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe C\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/02/13 20:38:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.CAM -- [ NTFS ]
O33 - MountPoints2\{5d24bc4e-5e3d-11dd-8b05-00e0185effd4}\Shell\AutoRun\command - "" = H:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{654aaeeb-f2bd-11dc-89f7-00e0185effd4}\Shell\AutoRun\command - "" = H:\wd_windows_tools\setup.exe
O33 - MountPoints2\{fb63758f-9bda-11de-8e74-00e0185effd4}\Shell - "" = AutoRun
O33 - MountPoints2\{fb63758f-9bda-11de-8e74-00e0185effd4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fb63758f-9bda-11de-8e74-00e0185effd4}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (smrgdf C:\Program Files\iolo\System Mechanic 5 Professional\) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/05 19:00:55 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
[2011/08/04 15:22:41 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Joe C\Desktop\aswMBR.exe
[2011/08/03 15:55:44 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/08/03 15:55:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/08/03 15:55:42 | 000,309,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/08/03 15:55:27 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/08/03 15:55:26 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/08/03 15:55:26 | 000,043,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/08/03 15:55:24 | 000,102,616 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/08/03 15:55:24 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/08/03 15:55:23 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/08/03 15:53:52 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/08/03 15:53:50 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/08/03 15:53:11 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/08/03 15:53:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/08/03 15:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\My Documents\Downloads
[2011/08/03 09:25:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/08/03 08:13:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/08/02 15:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Start Menu\Programs\Google Chrome
[2011/08/02 15:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Local Settings\Application Data\Deployment
[2011/08/02 09:04:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/08/02 09:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/08/01 07:58:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}
[2011/07/31 13:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/07/31 11:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/07/31 11:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/07/31 08:59:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Application Data\A4F8766DC83185428F312DE994F0586F
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/05 23:32:09 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004UA.job
[2011/08/05 22:57:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/05 22:56:06 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\shbskrkp.job
[2011/08/05 22:55:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/05 20:04:52 | 536,449,024 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/05 19:01:04 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
[2011/08/05 15:32:12 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core.job
[2011/08/05 12:38:58 | 000,920,384 | ---- | M] () -- C:\Documents and Settings\Joe C\Desktop\Norton_Removal_Tool.exe
[2011/08/05 09:16:36 | 000,002,404 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/05 00:04:40 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ltuhilofejinur.dat
[2011/08/05 00:03:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wkagus.bin
[2011/08/04 15:22:48 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Joe C\Desktop\aswMBR.exe
[2011/08/04 11:14:27 | 000,000,028 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/08/03 15:55:45 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/08/03 15:55:24 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/08/02 15:32:35 | 000,002,286 | ---- | M] () -- C:\Documents and Settings\Joe C\Desktop\Google Chrome.lnk
[2011/08/02 15:32:35 | 000,002,264 | ---- | M] () -- C:\Documents and Settings\Joe C\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/01 17:30:16 | 000,065,536 | RHS- | M] () -- C:\WINDOWS\System32\PINTLPAEP.dll
[2011/07/23 15:28:32 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/07/23 14:55:24 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/05 12:38:50 | 000,920,384 | ---- | C] () -- C:\Documents and Settings\Joe C\Desktop\Norton_Removal_Tool.exe
[2011/08/04 21:39:09 | 536,449,024 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/03 15:55:45 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/08/02 15:32:35 | 000,002,286 | ---- | C] () -- C:\Documents and Settings\Joe C\Desktop\Google Chrome.lnk
[2011/08/02 15:32:35 | 000,002,264 | ---- | C] () -- C:\Documents and Settings\Joe C\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/02 15:21:40 | 000,000,978 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004UA.job
[2011/08/02 15:21:39 | 000,000,926 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core.job
[2011/08/01 17:30:17 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\shbskrkp.job
[2011/08/01 17:30:16 | 000,065,536 | RHS- | C] () -- C:\WINDOWS\System32\PINTLPAEP.dll
[2011/08/01 07:58:29 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ltuhilofejinur.dat
[2011/08/01 07:58:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wkagus.bin
[2008/11/10 01:01:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2008/11/10 01:01:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2007/10/01 19:53:36 | 000,102,364 | ---- | C] () -- C:\WINDOWS\hpqins13.dat
[2007/08/20 13:13:26 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2007/08/20 13:13:26 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2007/08/20 13:13:26 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2007/08/20 13:13:26 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2007/08/20 13:13:26 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2007/08/20 13:13:26 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2007/08/20 13:13:26 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2007/08/20 13:13:26 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/08/20 13:13:25 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2007/08/20 13:13:25 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2007/08/20 13:13:25 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2007/08/20 13:13:25 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2007/08/20 13:13:25 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2007/08/20 13:13:25 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2007/08/20 13:13:25 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2007/08/20 13:13:25 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2007/08/20 13:08:23 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/08/20 13:07:14 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX6000.ini
[2007/08/14 20:34:48 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/14 22:44:12 | 000,002,404 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/08/09 17:15:27 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Joe C\Application Data\PFP100JPR.{PB
[2006/08/09 17:15:27 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Joe C\Application Data\PFP100JCM.{PB
[2006/05/10 13:46:44 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2006/03/05 17:31:51 | 000,000,196 | ---- | C] () -- C:\WINDOWS\PicEdit.INI
[2005/11/09 14:49:33 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/04/07 17:00:35 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005/03/08 15:14:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/02/19 12:56:20 | 000,000,264 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2005/02/15 13:31:42 | 000,025,264 | ---- | C] () -- C:\WINDOWS\System32\smrgdf.exe
[2005/02/15 13:31:41 | 000,030,942 | ---- | C] () -- C:\WINDOWS\System32\iolobtdfg.exe
[2005/02/15 12:55:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/01/31 19:29:47 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/01/26 21:59:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2005/01/26 21:59:03 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\macrovsn.dll
[2005/01/26 21:59:03 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\MMDVDROM.dll
[2005/01/26 21:59:03 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\getregn.exe
[2005/01/26 21:53:06 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Joe C\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2001/12/14 21:17:55 | 000,001,632 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2001/12/14 19:03:24 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2001/12/14 19:02:55 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\Asfv2.dll
[2001/12/14 18:46:01 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2001/12/14 18:44:06 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2001/12/14 18:44:05 | 000,007,406 | ---- | C] () -- C:\WINDOWS\ICOADB32.DAT
[2001/12/14 18:44:05 | 000,000,717 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2001/12/14 18:35:03 | 000,000,715 | ---- | C] () -- C:\WINDOWS\photoprn.ini
[2001/12/14 18:03:19 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2001/12/14 18:03:19 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2001/12/14 18:03:17 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2001/12/14 17:14:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2001/12/14 16:45:42 | 000,000,804 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2001/12/14 16:40:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2001/12/14 16:36:20 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2001/12/14 15:26:35 | 000,605,288 | ---- | C] () -- C:\WINDOWS\Q312368.EXE
[2001/12/14 15:26:34 | 000,458,344 | ---- | C] () -- C:\WINDOWS\Q308677.EXE
[2001/12/14 15:26:34 | 000,290,920 | ---- | C] () -- C:\WINDOWS\Q311889.EXE
[2001/12/14 15:26:34 | 000,159,336 | ---- | C] () -- C:\WINDOWS\Q307271.exe
[2001/12/14 15:26:24 | 000,000,672 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/12/14 15:26:03 | 000,345,600 | ---- | C] () -- C:\WINDOWS\oqiluqoti.dll
[2001/12/14 15:25:55 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/12/14 15:25:55 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/12/14 15:25:55 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/12/14 15:25:55 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/12/14 15:25:53 | 000,004,530 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/12/14 15:25:52 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/12/14 15:25:52 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/12/14 15:25:47 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/12/14 15:25:47 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/12/14 15:25:40 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/12/14 15:25:29 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/12/14 08:31:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/12/14 08:30:44 | 000,193,776 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/12/05 11:52:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

========== LOP Check ==========

[2011/08/03 15:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2008/08/28 14:28:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Comcast
[2007/11/22 14:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/07/31 15:14:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\A4F8766DC83185428F312DE994F0586F
[2007/09/04 16:49:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\EPSON
[2001/12/14 18:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\InterTrust
[2005/02/15 12:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\Kazaa Lite
[2007/08/20 13:22:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\Leadertech
[2011/08/05 22:56:06 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\Tasks\shbskrkp.job

========== Purity Check ==========



< End of report >
OTL Extras logfile created on: 8/5/2011 11:28:31 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Joe C\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 272.68 Mb Available Physical Memory | 53.31% Memory free
1.22 Gb Paging File | 1.02 Gb Available in Paging File | 84.10% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.94 Gb Total Space | 1.26 Gb Free Space | 8.43% Space Free | Partition Type: NTFS
Drive D: | 59.57 Gb Total Space | 50.26 Gb Free Space | 84.37% Space Free | Partition Type: NTFS

Computer Name: VALUED-7B9600FA | User Name: Joe C | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\support.com\client\bin\tgcmd.exe" = C:\Program Files\support.com\client\bin\tgcmd.exe:*:Disabled:tgcmd Module -- (Support.com, Inc.)
"C:\Program Files\Kazaa Lite K++\Kazaa.kpp" = C:\Program Files\Kazaa Lite K++\Kazaa.kpp:*:Disabled:Kazaa
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Documents and Settings\Joe C\Local Settings\Temp\7zS13.tmp\SymNRT.exe" = C:\Documents and Settings\Joe C\Local Settings\Temp\7zS13.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00609F70-5043-4C20-895A-D6EF7ACE9304}" = PicoPlayerSplashScreen
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{1CA2E5E4-F4FE-44B4-95E9-77523FB95838}" = EPSON Stylus CX6000 Scanner Driver Update
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21CF3E6E-1659-433E-B6CE-165D793560DA}" = VAIO Grid Wallpaper
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 26
"{26BDE7D8-93F0-4A07-AD47-1707DB417941}" = Camera Support Core Library
"{29F61465-428A-11D4-B646-00C04F790F76}" = DVgate
"{2FAF5A9F-7EDE-4F1A-B082-C95A9F420630}" = Media Bar 3.2.12
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)
"{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}" = Music Visualizer Library 1.2
"{3C67D8C0-F0EC-11D3-99D3-00C04FCCB775}" = VAIO Action Setup
"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)
"{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}" = Easy CD & DVD Creator 6
"{48BE827A-2D06-4804-90C3-4F2F8460F9D4}" = Support Actions Win2K,WinXP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B6F4C00-E935-11D3-A98A-0080986030D9}" = Smart Capture
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{5C70C75F-A265-4C62-B90F-8F80AA69F262}" = PicoPlayer Demo
"{5FF58521-5E44-11D4-A433-00105A8547C6}" = PictureGear 5.1
"{6060E6A1-5342-4D2B-8F66-B6D6E20BBD03}" = VAIO Help & Support
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = RAW Image Task 1.1
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony DV Shared Library
"{6DF804A8-2CC2-4D22-A958-4534F6EC3C76}" = VAIO Registration
"{72275927-4241-46A7-A9C4-B86C6B256EB6}" = ImageStation Demo
"{7F90516D-4F1F-4468-9FA1-46ECFB59E39F}" = Screenblast Sound Forge 1.0a
"{802EF464-4992-42B3-8434-45151AD3C933}" = VAIO Serenus Wallpaper
"{8139011A-4039-46C7-8614-A3F8948121AD}" = PicoPlayer
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A0B295C3-FD3C-11D4-A811-0090279106C3}" = WordPerfect Office 2002
"{A228A09C-4826-42E0-A3D8-95B2BAAB5049}" = OpenMG Secure Module 3.0.01
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{ACEC9C3E-0100-4EBE-B298-35A2145828A0}" = VAIO Brezza Wallpaper
"{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}" = ArcSoft Camera Suite 1.3
"{AD3B1DDF-52AD-405E-B931-7ACF76937E5F}" = ImageStation
"{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}" = Camera Window
"{B5B0ABC0-3177-11D3-AC45-0000F879D920}" = VisualFlow 2.1
"{B8C3B479-1716-11D5-968A-0050BA84F5F7}" = Baldur's Gate™ II - Throne of Bhaal ™
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C7A5D4E9-7ED3-4FB5-8FC1-A6D99A727670}" = Screenblast ACID 2.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = RemoteCapture Task 1.0.3
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}" = ArcSoft PhotoImpression 5
"{D4A49B00-02F8-11D5-B64D-00C04F790F76}" = MovieShaker 3.3
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{DE286975-ACF1-45B8-9EF7-34E162B2C817}" = MovieEdit Task
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2069DE3-5924-4766-A385-CDA273885A31}" = DigitalPrint 1.1
"{E52F43B3-1638-4624-9ACF-B130130AA13E}" = Experience VAIO
"{E535DC62-56D6-11D5-8AE3-00105A7276CD}" = SonicStage 1.1.00
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}" = PhotoStitch
"{F3CB4DC0-4FC0-11D5-9254-0000F460E7A9}" = SonicStage CD-R Writing Module
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast" = avast! Free Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"DVD Express A/V Pak" = DVDExpress
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{26BDE7D8-93F0-4A07-AD47-1707DB417941}" = Canon Camera Support Core Library
"InstallShield_{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{DE286975-ACF1-45B8-9EF7-34E162B2C817}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}" = Canon Utilities PhotoStitch 3.1
"iolo technologies' System Mechanic 5 Professional" = iolo technologies' System Mechanic 5 Professional
"IrfanView" = IrfanView (remove only)
"LiveUpdate1.7" = LiveUpdate 1.7 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Motion JPEG Software Decoder" = Motion JPEG Software Decoder
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PhotoPrinter 2000 Pro" = PhotoPrinter 2000 Pro
"PokerStars" = PokerStars
"RealPlayer 6.0" = RealPlayer
"RealProducer 8.5" = RealProducer Basic 8.5
"Silent Package Run-Time Sample" = EPSON CX6000 Series User's Guide
"Sony on Yahoo! Essentials" = Sony on Yahoo! Essentials
"Spyware Doctor_is1" = Spyware Doctor 3.1
"VAIO Support" = VAIO Support
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/3/2011 3:52:14 PM | Computer Name = VALUED-7B9600FA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2011 3:52:14 PM | Computer Name = VALUED-7B9600FA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2011 3:52:14 PM | Computer Name = VALUED-7B9600FA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 8/3/2011 3:52:15 PM | Computer Name = VALUED-7B9600FA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2011 3:52:15 PM | Computer Name = VALUED-7B9600FA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 8/3/2011 7:31:46 PM | Computer Name = VALUED-7B9600FA | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module wmltael.dll, version 2.7.0.0, fault address 0x00005a1b.

Error - 8/4/2011 10:41:53 AM | Computer Name = VALUED-7B9600FA | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/4/2011 10:59:29 AM | Computer Name = VALUED-7B9600FA | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module wmltael.dll, version 2.7.0.0, fault address 0x00005a1b.

Error - 8/4/2011 11:00:07 AM | Computer Name = VALUED-7B9600FA | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 8/5/2011 12:51:00 PM | Computer Name = VALUED-7B9600FA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:55:33 PM | Computer Name = VALUED-7B9600FA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 8/5/2011 10:56:52 PM | Computer Name = VALUED-7B9600FA | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%126


< End of report >

Attached Files


  • 0



#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, I see you have run aswMBR; could you post the log please? It should be on your desktop.
Also, do you use the Windows hibernation function? If not, just switch it off to clear that detection.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O4 - HKLM..\Run: [Qbogaruyum] C:\WINDOWS\oqiluqoti.dll ()
    O4 - HKCU..\Run: [Pvuyahexofip] C:\WINDOWS\wmltael.dll (Agere Systems)
    [2011/08/05 22:56:06 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\shbskrkp.job
    [2011/08/05 00:04:40 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ltuhilofejinur.dat
    [2011/08/05 00:03:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wkagus.bin

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0
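As an added triage example (not code from this thread, from OTL, or from the helper above): a small Python parser for the OTL entry format seen in the logs, run over lines copied from this thread, that flags the kind of item the fix script above targets (an unsigned DLL sitting directly in C:\WINDOWS, a hidden task file, a recently changed service binary). The scan date and the 30-day window come from the log header; the flagging rules are this example's own heuristics, not OTL's.

```python
import ntpath
import re
from datetime import datetime, timedelta

# OTL writes one entry per line:
#   KIND - [yyyy/mm/dd hh:mm:ss | size | attrs | C/M] (Company) [state] -- path -- (Name) description
# The KIND prefix (PRC/MOD/SRV/DRV) is absent in the "Files created/modified" and
# "LOP Check" sections, and [state] / "-- (Name)" appear only on SRV and DRV lines,
# so all three are optional. Company names that themselves contain parentheses
# are not matched by this simple pattern and are skipped.
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<cm>[CM])\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\).*)?$"
)

# Lines copied from the OTL logs posted in this thread. The "File not found"
# line is included on purpose to show that non-entries are skipped.
SAMPLE_LOG = r"""
MOD - [2011/07/04 07:43:51 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
MOD - [2007/03/08 11:36:28 | 000,345,600 | ---- | M] () -- C:\WINDOWS\oqiluqoti.dll
MOD - [2007/03/08 11:36:28 | 000,110,592 | ---- | M] () -- C:\WINDOWS\wmltael.dll
MOD - [2006/10/16 12:15:00 | 000,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\oledlg.dll
SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2011/07/31 16:40:34 | 000,218,624 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\termvw32.dll -- (TermServices)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
[2011/08/05 22:56:06 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\shbskrkp.job
[2011/08/05 00:04:40 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ltuhilofejinur.dat
""".strip().splitlines()

SCAN_DATE = datetime(2011, 8, 6)  # date on the Run 2 log header in this thread


def parse_entry(line):
    """Parse one OTL line into a dict of its fields; None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["kind"] = e["kind"] or "FILE"
    e["size"] = int(e["size"].replace(",", ""))
    e["timestamp"] = datetime.strptime(e["date"] + " " + e["time"], "%Y/%m/%d %H:%M:%S")
    return e


def triage(lines, scan_date, window_days=30, systemroot=r"C:\WINDOWS"):
    """Return [(path, [reasons])] for entries a helper would look at first.

    These rules are this example's own heuristics, not OTL's; window_days mirrors
    the "File Age = 30 Days" setting printed in the log header.
    """
    cutoff = scan_date - timedelta(days=window_days)
    root = systemroot.lower()
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        company = e["company"]
        path_l = e["path"].lower()
        in_root = ntpath.dirname(path_l) == root      # directly in %SystemRoot%
        under_root = path_l.startswith(root + "\\")   # anywhere below it
        reasons = []
        if company == "" and in_root:
            reasons.append("no company name and sits directly in %SystemRoot%")
        if company != company.strip():
            reasons.append("company name padded with whitespace; verify the signature")
        if under_root and e["timestamp"] >= cutoff:
            reasons.append("modified within %d days of the scan" % window_days)
        if "H" in e["attrs"] and "S" in e["attrs"]:
            reasons.append("hidden+system attributes")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def triage_sample():
    """Run the heuristics over the lines copied from this thread; returns {path: reasons}."""
    return dict(triage(SAMPLE_LOG, SCAN_DATE))


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path)
        for r in reasons:
            print("    -", r)
```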

#3
jc3333

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks a lot for your reply. I did download aswMBR, but it froze several times, usually at a certain point in Program Files. When I ran OTL I stopped all programs and disconnected the internet; is this advisable? I don't use hibernate. I just disabled it now; should I try to delete or repair?

Edited by jc3333, 06 August 2011 - 12:54 PM.

  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
It will make no difference to the way OTL performs.

Once the fix has run, can you let me know whether you still get redirects?
  • 0

#5
jc3333

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Essexboy, the stress must be getting the best of me. The simplest instructions can become difficult. After running the custom scan fix and then quick scan I forgot to save the log so I redid the operation from the beginning. I hope I didn't compound my error.

I had Malwarebytes on my computer and updated to the latest version. Did you want me to uninstall and install a fresh version?

Redirects are still present. After startup I noticed url mal 200607db083.roonyx.net C:\WINDOWS\wmltael.dll.

OTL logfile created on: 8/6/2011 4:50:19 PM - Run 2
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Joe C\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 196.22 Mb Available Physical Memory | 38.36% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 78.04% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.94 Gb Total Space | 1.68 Gb Free Space | 11.23% Space Free | Partition Type: NTFS
Drive D: | 59.57 Gb Total Space | 50.26 Gb Free Space | 84.37% Space Free | Partition Type: NTFS

Computer Name: VALUED-7B9600FA | User Name: Joe C | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/05 19:01:04 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
PRC - [2011/07/04 07:43:54 | 003,493,720 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 15:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/04/24 02:57:42 | 001,025,320 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/29 20:43:48 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2006/02/13 05:00:00 | 000,131,072 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBIA.EXE
PRC - [2005/01/06 15:04:24 | 001,466,368 | ---- | M] (PCTools) -- C:\Program Files\Spyware Doctor\swdoctor.exe


========== Modules (SafeList) ==========

MOD - [2011/08/05 19:01:04 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
MOD - [2011/07/04 07:43:51 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
MOD - [2007/04/19 15:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll
MOD - [2007/03/08 11:36:28 | 000,345,600 | ---- | M] () -- C:\WINDOWS\oqiluqoti.dll
MOD - [2007/03/08 11:36:28 | 000,110,592 | ---- | M] () -- C:\WINDOWS\wmltael.dll
MOD - [2006/10/16 12:15:00 | 000,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\oledlg.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [Auto | Stopped] -- -- (6to4)
SRV - [2011/07/31 16:40:34 | 000,218,624 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\termvw32.dll -- (TermServices)
SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2001/09/28 02:26:40 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 07:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 07:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2007/02/02 05:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 05:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/05/29 07:15:12 | 000,009,728 | ---- | M] (iolo technologies, LLC (based on original work by Bo Brantén)) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\filedisk.sys -- (FileDisk)
DRV - [2003/05/22 01:20:36 | 000,259,072 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/05/22 01:20:36 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/05/22 01:20:36 | 000,146,560 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2003/05/22 01:20:36 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/05/22 01:20:36 | 000,022,713 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/05/22 01:20:36 | 000,021,737 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/10/01 10:22:32 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/12/06 13:49:44 | 000,012,032 | ---- | M] (Sony Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SonyFKC.sys -- (SonyFKC)
DRV - [2001/11/13 02:26:32 | 000,029,702 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyWBMS.sys -- (SONYWBMS) Sony Memory Stick controller(WB)
DRV - [2001/09/21 20:16:46 | 000,593,000 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Smbe.sys -- (SMBE) Sony MPEG2 Encoder Board (WDM)
DRV - [2001/08/17 17:28:00 | 000,871,388 | ---- | M] (BCM) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem)
DRV - [2001/08/17 16:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 16:11:26 | 000,054,271 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™
DRV - [2001/05/08 21:57:20 | 000,467,985 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2000/12/05 20:18:02 | 000,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/03/09 12:24:42 | 000,007,196 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\V7.SYS -- (V7)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsof...obby/search.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://home.microsof...ss/allinone.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.c...activ_tech_main
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2629: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Joe C\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Joe C\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}: C:\Documents and Settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0} [2011/08/01 07:58:22 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PCTools Site Guard) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll ()
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (PCTools Browser Monitor) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (GuideWorks Pty. Ltd.)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Openwares LiveUpdate] C:\Program Files\LIVEUPDATE\LiveUpdate.exe (Openwares)
O4 - HKLM..\Run: [Qbogaruyum] C:\WINDOWS\oqiluqoti.dll ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [msnmsgr] File not found
O4 - HKCU..\Run: [Pvuyahexofip] C:\WINDOWS\wmltael.dll ()
O4 - HKCU..\Run: [Spyware Doctor] C:\Program Files\Spyware Doctor\swdoctor.exe (PCTools)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (GuideWorks Pty. Ltd.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupd...b?1106791878324 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} http://mvnet.xlontec...2ie06101001.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O20 - Winlogon\Notify\termssvces: DllName - temlvw32.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Joe C\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe C\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/02/13 20:38:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.CAM -- [ NTFS ]
O33 - MountPoints2\{5d24bc4e-5e3d-11dd-8b05-00e0185effd4}\Shell\AutoRun\command - "" = H:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{654aaeeb-f2bd-11dc-89f7-00e0185effd4}\Shell\AutoRun\command - "" = H:\wd_windows_tools\setup.exe
O33 - MountPoints2\{fb63758f-9bda-11de-8e74-00e0185effd4}\Shell - "" = AutoRun
O33 - MountPoints2\{fb63758f-9bda-11de-8e74-00e0185effd4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fb63758f-9bda-11de-8e74-00e0185effd4}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (smrgdf C:\Program Files\iolo\System Mechanic 5 Professional\) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/05 19:00:55 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
[2011/08/04 15:22:41 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Joe C\Desktop\aswMBR.exe
[2011/08/03 15:55:44 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/08/03 15:55:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/08/03 15:55:42 | 000,309,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/08/03 15:55:27 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/08/03 15:55:26 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/08/03 15:55:26 | 000,043,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/08/03 15:55:24 | 000,102,616 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/08/03 15:55:24 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/08/03 15:55:23 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/08/03 15:53:52 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/08/03 15:53:50 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/08/03 15:53:11 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/08/03 15:53:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/08/03 15:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\My Documents\Downloads
[2011/08/03 09:25:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/08/03 08:13:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/08/02 15:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Start Menu\Programs\Google Chrome
[2011/08/02 15:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Local Settings\Application Data\Deployment
[2011/08/02 09:04:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/08/02 09:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/08/01 07:58:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}
[2011/07/31 13:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/07/31 11:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/07/31 11:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/07/31 08:59:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe C\Application Data\A4F8766DC83185428F312DE994F0586F
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/06 16:45:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/06 16:44:26 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\shbskrkp.job
[2011/08/06 16:43:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/06 16:32:25 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004UA.job
[2011/08/06 15:32:06 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core.job
[2011/08/06 08:02:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wkagus.bin
[2011/08/05 19:01:04 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe C\Desktop\OTL.com
[2011/08/05 12:38:58 | 000,920,384 | ---- | M] () -- C:\Documents and Settings\Joe C\Desktop\Norton_Removal_Tool.exe
[2011/08/05 09:16:36 | 000,002,404 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/05 00:04:40 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ltuhilofejinur.dat
[2011/08/04 15:22:48 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Joe C\Desktop\aswMBR.exe
[2011/08/04 11:14:27 | 000,000,028 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/08/03 15:55:45 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/08/03 15:55:24 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/08/02 15:32:35 | 000,002,286 | ---- | M] () -- C:\Documents and Settings\Joe C\Desktop\Google Chrome.lnk
[2011/08/02 15:32:35 | 000,002,264 | ---- | M] () -- C:\Documents and Settings\Joe C\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/01 17:30:16 | 000,065,536 | RHS- | M] () -- C:\WINDOWS\System32\PINTLPAEP.dll
[2011/07/23 15:28:32 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/07/23 14:55:24 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/05 12:38:50 | 000,920,384 | ---- | C] () -- C:\Documents and Settings\Joe C\Desktop\Norton_Removal_Tool.exe
[2011/08/03 15:55:45 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/08/02 15:32:35 | 000,002,286 | ---- | C] () -- C:\Documents and Settings\Joe C\Desktop\Google Chrome.lnk
[2011/08/02 15:32:35 | 000,002,264 | ---- | C] () -- C:\Documents and Settings\Joe C\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/02 15:21:40 | 000,000,978 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004UA.job
[2011/08/02 15:21:39 | 000,000,926 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core.job
[2011/08/01 17:30:17 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\shbskrkp.job
[2011/08/01 17:30:16 | 000,065,536 | RHS- | C] () -- C:\WINDOWS\System32\PINTLPAEP.dll
[2011/08/01 07:58:29 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ltuhilofejinur.dat
[2011/08/01 07:58:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wkagus.bin
[2008/11/10 01:01:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2008/11/10 01:01:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2007/10/01 19:53:36 | 000,102,364 | ---- | C] () -- C:\WINDOWS\hpqins13.dat
[2007/08/20 13:13:26 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2007/08/20 13:13:26 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2007/08/20 13:13:26 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2007/08/20 13:13:26 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2007/08/20 13:13:26 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2007/08/20 13:13:26 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2007/08/20 13:13:26 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2007/08/20 13:13:26 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/08/20 13:13:25 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2007/08/20 13:13:25 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2007/08/20 13:13:25 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2007/08/20 13:13:25 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2007/08/20 13:13:25 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2007/08/20 13:13:25 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2007/08/20 13:13:25 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2007/08/20 13:13:25 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2007/08/20 13:08:23 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/08/20 13:07:14 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX6000.ini
[2007/08/14 20:34:48 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/14 22:44:12 | 000,002,404 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/08/09 17:15:27 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Joe C\Application Data\PFP100JPR.{PB
[2006/08/09 17:15:27 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Joe C\Application Data\PFP100JCM.{PB
[2006/05/10 13:46:44 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2006/03/05 17:31:51 | 000,000,196 | ---- | C] () -- C:\WINDOWS\PicEdit.INI
[2005/11/09 14:49:33 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/04/07 17:00:35 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005/03/08 15:14:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/02/19 12:56:20 | 000,000,264 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2005/02/15 13:31:42 | 000,025,264 | ---- | C] () -- C:\WINDOWS\System32\smrgdf.exe
[2005/02/15 13:31:41 | 000,030,942 | ---- | C] () -- C:\WINDOWS\System32\iolobtdfg.exe
[2005/02/15 12:55:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/01/31 19:29:47 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/01/26 21:59:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2005/01/26 21:59:03 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\macrovsn.dll
[2005/01/26 21:59:03 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\MMDVDROM.dll
[2005/01/26 21:59:03 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\getregn.exe
[2005/01/26 21:53:06 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Joe C\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2001/12/14 21:17:55 | 000,001,632 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2001/12/14 19:03:24 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2001/12/14 19:02:55 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\Asfv2.dll
[2001/12/14 18:46:01 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2001/12/14 18:44:06 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2001/12/14 18:44:05 | 000,007,406 | ---- | C] () -- C:\WINDOWS\ICOADB32.DAT
[2001/12/14 18:44:05 | 000,000,717 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2001/12/14 18:35:03 | 000,000,715 | ---- | C] () -- C:\WINDOWS\photoprn.ini
[2001/12/14 18:03:19 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2001/12/14 18:03:19 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2001/12/14 18:03:17 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2001/12/14 17:14:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2001/12/14 16:45:42 | 000,000,804 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2001/12/14 16:40:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2001/12/14 16:36:20 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2001/12/14 15:26:35 | 000,605,288 | ---- | C] () -- C:\WINDOWS\Q312368.EXE
[2001/12/14 15:26:34 | 000,458,344 | ---- | C] () -- C:\WINDOWS\Q308677.EXE
[2001/12/14 15:26:34 | 000,290,920 | ---- | C] () -- C:\WINDOWS\Q311889.EXE
[2001/12/14 15:26:34 | 000,159,336 | ---- | C] () -- C:\WINDOWS\Q307271.exe
[2001/12/14 15:26:24 | 000,000,672 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/12/14 15:26:03 | 000,345,600 | ---- | C] () -- C:\WINDOWS\oqiluqoti.dll
[2001/12/14 15:26:03 | 000,110,592 | ---- | C] () -- C:\WINDOWS\wmltael.dll
[2001/12/14 15:25:55 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/12/14 15:25:55 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/12/14 15:25:55 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/12/14 15:25:55 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/12/14 15:25:53 | 000,004,530 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/12/14 15:25:52 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/12/14 15:25:52 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/12/14 15:25:47 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/12/14 15:25:47 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/12/14 15:25:40 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/12/14 15:25:29 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/12/14 08:31:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/12/14 08:30:44 | 000,193,776 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/12/05 11:52:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

========== LOP Check ==========

[2011/07/31 15:14:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\A4F8766DC83185428F312DE994F0586F
[2007/09/04 16:49:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\EPSON
[2001/12/14 18:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\InterTrust
[2005/02/15 12:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\Kazaa Lite
[2007/08/20 13:22:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe C\Application Data\Leadertech
[2011/08/03 15:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2008/08/28 14:28:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Comcast
[2007/11/22 14:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/08/06 16:44:26 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\Tasks\shbskrkp.job

========== Purity Check ==========



< End of report >

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7395

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

8/6/2011 5:50:27 PM
mbam-log-2011-08-06 (17-50-27).txt

Scan type: Quick scan
Objects scanned: 204921
Time elapsed: 39 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by jc3333, 06 August 2011 - 04:33 PM.

  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's up the ante.

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingc...to-use-combofix*
Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.
  • 0

#7
jc3333

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here's the log.

ComboFix 11-08-06.02 - Joe C 08/07/2011 10:15:56.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.281 [GMT -4:00]
Running from: c:\documents and settings\Joe C\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Joe C\Application Data\Adobe\plugs
c:\documents and settings\Joe C\Application Data\Adobe\shed
c:\documents and settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}
c:\documents and settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}\chrome.manifest
c:\documents and settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}\chrome\content\_cfg.js
c:\documents and settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}\chrome\content\overlay.xul
c:\documents and settings\Joe C\Local Settings\Application Data\{9D0B73C9-9771-41B1-A730-85C9CB8EDAB0}\install.rdf
c:\documents and settings\Joe C\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\program files\INSTAFINK
c:\program files\INSTAFINK\Cache\instafinktb0302.cfg
c:\program files\INSTAFINK\Uninstall.exe
c:\program files\messenger\msmsgsin.exe
c:\windows\oqiluqoti.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\wmltael.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-03 19:55 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-03 19:55 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-03 19:55 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-03 19:55 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-03 19:55 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-03 19:55 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-03 19:55 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-03 19:55 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-03 19:53 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-03 19:53 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-03 19:53 . 2011-08-03 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-03 19:53 . 2011-08-03 19:53 -------- d-----w- c:\program files\AVAST Software
2011-08-03 12:13 . 2011-08-03 12:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-02 19:20 . 2011-08-02 19:21 -------- d-----w- c:\documents and settings\Joe C\Local Settings\Application Data\Deployment
2011-08-01 22:08 . 2011-08-01 22:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-08-01 21:30 . 2011-08-01 21:30 65536 --sha-r- c:\windows\system32\PINTLPAEP.dll
2011-08-01 11:58 . 2011-08-07 09:13 0 ----a-w- c:\windows\Wkagus.bin
2011-07-31 20:40 . 2011-07-31 20:40 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-07-31 13:13 . 2011-07-31 18:00 -------- d-----w- c:\documents and settings\Administrator
2011-07-31 12:59 . 2011-07-31 19:14 -------- d-----w- c:\documents and settings\Joe C\Application Data\A4F8766DC83185428F312DE994F0586F
2011-07-29 12:12 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{BD179825-C7A2-4844-8D3D-C9776868B556}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2007-03-27 21:17 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2009-04-08 14:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2009-04-08 14:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 23:14 . 2009-10-03 13:03 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-17 12:02 . 2011-05-17 12:02 1409 ----a-w- c:\windows\QTFont.for
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-30 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/3/2011 3:55 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/3/2011 3:55 PM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/3/2011 3:55 PM 19544]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 4:53 PM 12032]
R2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe -k termvvc [12/14/2001 3:26 PM 14336]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [1/26/2005 9:59 PM 7196]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 8:55 PM 54271]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 3:26 PM 593000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termvvc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core.job
- c:\documents and settings\Joe C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 19:21]
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004UA.job
- c:\documents and settings\Joe C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xfinity.com/?cid=xfactiv_tech_main
mWindow Title = Windows Internet Explorer provided by Comcast
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-Pvuyahexofip - c:\windows\wmltael.dll
HKLM-Run-Qbogaruyum - c:\windows\oqiluqoti.dll
HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe
Notify-termssvces - temlvw32.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-LiveUpdate1.7 - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 11:03
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'explorer.exe'(1860)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\ZuneBusEnum.exe
.
**************************************************************************
.
Completion time: 2011-08-07 11:18:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 15:18
.
Pre-Run: 1,646,669,824 bytes free
Post-Run: 2,395,181,056 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - A5CCB00C85A4F3E2627BE5A4C753E472
  • 0
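The log above is the kind a helper reads by eye: a service called TermServices (the genuine Terminal Services service is TermService, one letter shorter) hosted by svchost.exe -k termvvc, an svchost group termvvc that contains only that service, a winlogon Notify package termssvces loading temlvw32.dll, and AntiVirusOverride/FirewallOverride set to 1 under the Security Center key, which tells Windows Security Center to stop alerting on the antivirus and firewall state and fits the "Windows security center is unavailable" symptom from the first post. The Python below is an added example, not code from ComboFix or from anyone in this thread, that applies those same checks mechanically to log lines in this format. SAMPLE_LOG is copied from the log above; the BASELINE_* sets are a hypothetical snapshot from a known-clean machine that the reviewer would supply, not an authoritative list for any Windows build, and the near-duplicate name check uses difflib's similarity ratio with an arbitrary 0.85 threshold.

```python
"""Mechanical triage of ComboFix-style log lines.

Added example for this thread, not a ComboFix feature. SAMPLE_LOG is copied
from the log posted above; the BASELINE_* sets are a hypothetical snapshot
from a known-clean machine, not an authoritative list for any Windows build.
"""
import re
from difflib import SequenceMatcher

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/3/2011 3:55 PM 441176]
R2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe -k termvvc [12/14/2001 3:26 PM 14336]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [1/26/2005 9:59 PM 7196]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termvvc REG_MULTI_SZ TermServices
.
Notify-termssvces - temlvw32.dll
"""

# Hypothetical baselines (assumed, not authoritative): what a clean snapshot of this machine showed.
BASELINE_SVCHOST_GROUPS = {"netsvcs", "rpcss", "LocalService", "NetworkService",
                           "DcomLaunch", "imgsvc", "HTTPFilter", "WudfServiceGroup"}
BASELINE_SERVICE_NAMES = {"TermService", "WinDefend", "aswSnx", "aswSP", "aswFsBlk",
                          "SonyFKC", "V7", "BCM42XX", "SMBE"}
BASELINE_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                            "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Line shapes used by ComboFix's service list, svchost group dump, REGEDIT4 values and orphan list.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[")
SVCHOST_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
OVERRIDE_RE = re.compile(r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-fA-F]{8})$')
NOTIFY_RE = re.compile(r"^Notify-(?P<name>\S+)\s+-\s+(?P<dll>\S+)$")
HOSTED_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(?P<group>\S+)", re.IGNORECASE)


def lookalike(name, baseline, threshold=0.85):
    """Baseline name that `name` nearly but not exactly matches (TermServices vs TermService), else None."""
    if name in baseline or not baseline:
        return None
    best = max(baseline, key=lambda b: SequenceMatcher(None, name.lower(), b.lower()).ratio())
    return best if SequenceMatcher(None, name.lower(), best.lower()).ratio() >= threshold else None


def triage(log_text):
    """Return (finding, detail) pairs for the items a reviewer would question."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()            # remember which registry key the values below belong to
            continue
        m = OVERRIDE_RE.match(line)
        if m and section.endswith("security center]"):
            if int(m["val"], 16) != 0:        # non-zero = Security Center told to ignore that monitor
                findings.append(("security_center_override", m["key"]))
            continue
        m = SVCHOST_RE.match(line)
        if m and section.endswith("\\svchost]"):
            if m["group"] not in BASELINE_SVCHOST_GROUPS:
                findings.append(("unknown_svchost_group_key", f"{m['group']}: {m['members']}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = m["name"]
            like = lookalike(name, BASELINE_SERVICE_NAMES)
            if like:
                findings.append(("lookalike_service_name", f"{name} ~ {like}"))
            hosted = HOSTED_RE.search(m["path"])
            if hosted and hosted["group"] not in BASELINE_SVCHOST_GROUPS:
                findings.append(("unknown_svchost_group", f"{name} -> {hosted['group']}"))
            continue
        m = NOTIFY_RE.match(line)
        if m and m["name"] not in BASELINE_NOTIFY_PACKAGES:
            findings.append(("unknown_winlogon_notify", f"{m['name']} -> {m['dll']}"))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:28} {detail}")
```

Against the sample it reports both Security Center overrides, the TermServices/TermService near-miss, the unknown termvvc group from both the service line and the svchost key, and the termssvces Notify package; the three avast and Sony entries pass because they are in the baseline. The baseline is the weak point of this approach: it only works when taken from a machine you trust.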

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hmm I wonder if the MBR is OK

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Wkagus.bin
c:\windows\system32\termvw32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post it in your next reply.
  • 0

#9 jc3333 (New Member, Topic Starter, 7 posts)
When I ran ComboFix it said there was a new update. I assumed yes was the correct answer.

When I downloaded aswMBR download speed was very slow.

ComboFix 11-08-07.01 - Joe C 08/07/2011 12:14:10.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.232 [GMT -4:00]
Running from: c:\documents and settings\Joe C\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe C\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\termvw32.dll"
"c:\windows\Wkagus.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\termvw32.dll
c:\windows\Wkagus.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TermServices
-------\Service_TermServices
.
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-03 19:55 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-03 19:55 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-03 19:55 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-03 19:55 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-03 19:55 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-03 19:55 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-03 19:55 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-03 19:55 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-03 19:53 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-03 19:53 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-03 19:53 . 2011-08-03 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-03 19:53 . 2011-08-03 19:53 -------- d-----w- c:\program files\AVAST Software
2011-08-03 12:13 . 2011-08-03 12:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-02 19:20 . 2011-08-02 19:21 -------- d-----w- c:\documents and settings\Joe C\Local Settings\Application Data\Deployment
2011-08-01 22:08 . 2011-08-01 22:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-08-01 21:30 . 2011-08-01 21:30 65536 --sha-r- c:\windows\system32\PINTLPAEP.dll
2011-07-31 13:13 . 2011-07-31 18:00 -------- d-----w- c:\documents and settings\Administrator
2011-07-31 12:59 . 2011-07-31 19:14 -------- d-----w- c:\documents and settings\Joe C\Application Data\A4F8766DC83185428F312DE994F0586F
2011-07-29 12:12 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{BD179825-C7A2-4844-8D3D-C9776868B556}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2007-03-27 21:17 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2009-04-08 14:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2009-04-08 14:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 23:14 . 2009-10-03 13:03 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-17 12:02 . 2011-05-17 12:02 1409 ----a-w- c:\windows\QTFont.for
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-07_15.03.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-07 16:42 . 2011-08-07 16:42 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-30 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termssvces]
temlvw32.dll [BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/3/2011 3:55 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/3/2011 3:55 PM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/3/2011 3:55 PM 19544]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 4:53 PM 12032]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [1/26/2005 9:59 PM 7196]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 8:55 PM 54271]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 3:26 PM 593000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termvvc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004Core.job
- c:\documents and settings\Joe C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 19:21]
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-308236825-1801674531-1004UA.job
- c:\documents and settings\Joe C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xfinity.com/?cid=xfactiv_tech_main
mWindow Title = Windows Internet Explorer provided by Comcast
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 12:44
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\ZuneBusEnum.exe
.
**************************************************************************
.
Completion time: 2011-08-07 12:55:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 16:55
ComboFix2.txt 2011-08-07 15:18
.
Pre-Run: 2,385,764,352 bytes free
Post-Run: 2,382,147,584 bytes free
.
- - End Of File - - E97C9D6C2056A1B8F84931593869F0EE

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-07 13:04:48
-----------------------------
13:04:48.593 OS Version: Windows 5.1.2600 Service Pack 2
13:04:48.593 Number of processors: 1 586 0x102
13:04:48.593 ComputerName: VALUED-7B9600FA UserName: Joe C
13:04:49.390 Initialize success
13:04:50.187 AVAST engine defs: 11080700
13:04:55.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:04:55.578 Disk 0 Vendor: ST380020A 3.34 Size: 76319MB BusType: 3
13:04:55.578 Disk 1 \Device\Harddisk1\DR3 -> \Device\00000065
13:04:55.593 Disk 1 Vendor: Sony 0000 Size: 76319MB BusType: 0
13:04:55.609 Disk 0 MBR read successfully
13:04:55.609 Disk 0 MBR scan
13:04:55.625 Disk 0 unknown MBR code
13:04:55.640 Disk 0 scanning sectors +156264255
13:04:55.875 Disk 0 scanning C:\WINDOWS\system32\drivers
13:05:19.156 Service scanning
13:05:22.093 Modules scanning
13:05:46.375 Disk 0 trace - called modules:
13:05:46.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
13:05:46.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82373ab8]
13:05:46.921 3 CLASSPNP.SYS[f859605b] -> nt!IofCallDriver -> \Device\0000005e[0x8235bf18]
13:05:46.921 5 ACPI.sys[f84ec620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82383d98]
13:05:47.250 AVAST engine scan C:\WINDOWS
13:06:15.890 AVAST engine scan C:\WINDOWS\system32
13:10:51.250 AVAST engine scan C:\WINDOWS\system32\drivers
13:11:19.625 AVAST engine scan C:\Documents and Settings\Joe C
13:17:38.187 AVAST engine scan C:\Documents and Settings\All Users
13:18:23.625 Scan finished successfully
13:18:51.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joe C\Desktop\MBR.dat"
13:18:51.062 The log file has been saved successfully to "C:\Documents and Settings\Joe C\Desktop\aswMBR.txt"

Edited by jc3333, 07 August 2011 - 11:36 AM.

  • 0

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Yes was the correct answer :)

Are you still getting redirects ?

Also what is the make of your computer

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
  • 0

#11 jc3333 (New Member, Topic Starter, 7 posts)
I just checked the same searches I did in previous checks without any redirects.

What do you mean by make? Sony Vaio?

I ran MBRcheck while in the avast sandbox; it didn't produce a log.

windows version windows xp home
windows info sp2 build 2600
logical drive mask 0x0000007d
\\.\C:--> \\.\PhysicalDrive0 at offset 0x00000000'00007e00 NTFS
\\.\D:--> \\.\PhysicalDrive0 at offset 0x00000003'bc04ba00 NTFS
ERROR Opening \\.\PhysicalDrive0 <5>

I do have an external hard drive that isn't connected. Could that be the error? Also earlier in the week after my first avast scan it detected \\.\PhysicalDrive0 MBR:TDL4 and advised a boot scan. Since the boot scan I haven't had that message.

Edited by jc3333, 07 August 2011 - 03:37 PM.

  • 0
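MBRCheck printed each volume's start as a byte offset (C: at 0x00000000'00007e00, which is sector 63 × 512 bytes), and aswMBR earlier reported "Disk 0 unknown MBR code", which indicates that the bootstrap bytes in sector 0 were not ones it recognised; a bootkit such as the MBR:TDL4 detection mentioned above lives in exactly that region. The script below is an added example, not code from MBRCheck, aswMBR or anyone in this thread, that decodes a 512-byte MBR: it checks the 55 AA signature, lists the partition entries with offsets in MBRCheck's format, and hashes the bootstrap code for comparison with a trusted copy. The MBR bytes are constructed (zeroed boot code, two NTFS entries whose start sectors reproduce the C: and D: offsets from the output above, made-up sizes), and KNOWN_GOOD_BOOTCODE_SHA256 is a placeholder rather than a real hash.

```python
"""Decode a 512-byte MBR the way MBRCheck/aswMBR report it.

Added example for this thread; it is not code from MBRCheck, aswMBR or this
forum. The MBR bytes are constructed: a zeroed bootstrap area plus two NTFS
partition entries whose start sectors reproduce the C: and D: byte offsets in
the MBRCheck output above (partition sizes are made up).
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440                 # bytes 0..439; 440..443 hold the disk signature
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = 0xAA55             # stored little-endian as 55 AA at offset 510

# Placeholder, not a real hash: supply the SHA-256 of a trusted MBR's first 440 bytes.
KNOWN_GOOD_BOOTCODE_SHA256 = "<sha256-of-trusted-bootstrap-code>"

PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
                   0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x83: "Linux"}


def build_sample_mbr():
    """Constructed sample: active NTFS at LBA 63 (offset 0x7E00) and a second NTFS at LBA 31326813."""
    mbr = bytearray(SECTOR)        # bootstrap area deliberately left as zeros
    entries = [
        (0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 31326750),
        (0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 31326813, 124937442),
    ]
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE, *entry)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


def has_boot_signature(mbr):
    """True for a 512-byte sector ending in 55 AA."""
    return len(mbr) == SECTOR and struct.unpack_from("<H", mbr, 510)[0] == MBR_SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition entries with their byte offsets; raises on a malformed sector."""
    if not has_boot_signature(mbr):
        raise ValueError("not a 512-byte sector with a 55 AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:             # empty slot
            continue
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
        })
    return partitions


def mbrcheck_offset(byte_offset):
    """Format like MBRCheck: 0x<high 32 bits>'<low 32 bits>, lowercase hex."""
    return f"0x{byte_offset >> 32:08x}'{byte_offset & 0xFFFFFFFF:08x}"


def bootcode_sha256(mbr):
    """Hash of the bootstrap code only; the partition table and signature are excluded."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def bootcode_matches(mbr, expected_sha256):
    """True when the bootstrap code equals the trusted copy; a bootkit replaces exactly this region."""
    return bootcode_sha256(mbr) == expected_sha256


def report(mbr, expected_sha256=KNOWN_GOOD_BOOTCODE_SHA256):
    """Human-readable summary: one line per partition plus a bootstrap-code verdict."""
    lines = []
    for p in parse_partitions(mbr):
        kind = PARTITION_TYPES.get(p["type"], f"type 0x{p['type']:02x}")
        flag = " (active)" if p["bootable"] else ""
        lines.append(f"Partition {p['index']}: {kind} at offset {mbrcheck_offset(p['byte_offset'])}, "
                     f"LBA {p['lba_start']}, {p['sectors']} sectors{flag}")
    verdict = ("matches trusted copy" if bootcode_matches(mbr, expected_sha256)
               else "UNKNOWN, compare against a trusted copy")
    lines.append(f"Bootstrap code SHA-256 {bootcode_sha256(mbr)[:16]}...: {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(build_sample_mbr()):
        print(line)
```

To use it on a real disk, read the first 512 bytes of the physical drive (this needs administrator rights, which is why MBRCheck failed with error 5 inside the sandbox above) and pass them to report(); if the MBR.dat that aswMBR saved to the desktop is the raw sector, report(open("MBR.dat", "rb").read()) decodes it. The hash comparison is only as good as the trusted copy it is compared against.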

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK what I would like to do is clear my tools now but I would ask you to monitor it for a day or so to ensure that no residue remains

Subject to no further problems :yes:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :unsure:
  • 0

#13 jc3333 (New Member, Topic Starter, 7 posts)
Thank you Essexboy for all your help. Everything seems to be running well. Good luck on continuing to defend the internet.
  • 0

#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0