Welcome to Geeks to Go - Register now for FREE
All programs from malware guide won't run


#1
sloppypa

sloppypa

    Member

  • Member
  • 41 posts
I tried running OTL, exehelper.com, Anti-Malware and SUPERAntiSpyware; all stop running after a few seconds. I then did it in safe mode and they all worked, so then I went back to regular mode to see if it was clean. I tried running my Avast and it said it couldn't run, then I tried running Malwarebytes again and that shut down after Quick Scan was pressed, about 30 seconds. I am not sure what else to do.
Here is the OTL log from the time I ran this in Safe Mode.

OTL logfile created on: 8/27/2011 7:16:25 PM - Run 1
OTL by OldTimer - Version 3.2.26.6 Folder = G:\virus removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.76 Gb Available Physical Memory | 92.12% Memory free
4.35 Gb Paging File | 4.29 Gb Available in Paging File | 98.80% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.34 Gb Total Space | 14.97 Gb Free Space | 49.36% Space Free | Partition Type: NTFS
Drive F: | 435.42 Gb Total Space | 434.50 Gb Free Space | 99.79% Space Free | Partition Type: NTFS
Drive G: | 493.90 Mb Total Space | 86.52 Mb Free Space | 17.52% Space Free | Partition Type: FAT
Drive H: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive I: | 930.86 Gb Total Space | 890.49 Gb Free Space | 95.66% Space Free | Partition Type: NTFS

Computer Name: EXNERDESKTOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/27 16:57:14 | 000,580,096 | ---- | M] (OldTimer Tools) -- G:\virus removal\OTL.scr
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - [2011/08/19 09:28:15 | 000,386,560 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\update.7.1\svchostdriver.exe -- (ddservice)
SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)


========== Driver Services (SafeList) ==========

DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Documents and Settings\Family\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Documents and Settings\Family\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 07:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 07:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/02/16 09:22:48 | 000,138,496 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2010/11/09 14:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/02/17 20:17:38 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2009/10/05 11:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008/05/06 17:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2006/02/09 21:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/11/16 16:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
This file:
C:\WINDOWS\update.7.1\svchostdriver.exe

is malware. Unfortunately you did not get the whole OTL log but let's see what we can do with what we have.


Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:Services
ddservice

:OTL
SRV - [2011/08/19 09:28:15 | 000,386,560 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\update.7.1\svchostdriver.exe -- (ddservice)

:files
C:\WINDOWS\update.7.1
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
sc config ddservice start= disabled /c

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"
     
:Commands
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl+V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select the All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK


Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Ron
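The entries RKinner reads off the OTL log above (an auto-start service with no company name running from C:\WINDOWS\update.7.1, the exefile shell\open\command association, the HOSTS file) are the same ones a triage script can pick out mechanically. The Python below is an added example written for this page; it is not part of the thread, of OTL or of any tool named in it. It parses a few OTL lines copied from the logs in this thread plus one constructed, hypothetical hijacked-association line, and flags what a helper looks at first. The trusted-directory list and the rule "flag a no-company binary that starts from outside it" are assumptions for this XP box, not an OTL feature; the stock values it compares against ("%1" %* for the exefile association, cmd.exe for SafeBoot AlternateShell) are the Windows defaults.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
SRV - [2011/08/19 09:28:15 | 000,386,560 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\update.7.1\svchostdriver.exe -- (ddservice)
SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
DRV - [2010/11/09 14:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O31 - SafeBoot: AlternateShell - services32.exe
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# Constructed (hypothetical) line showing what a hijacked .exe association looks
# like in OTL output; the thread's own log only shows the value after the fix.
HIJACKED_ASSOC_LINE = r'O35 - HKLM\..exefile [open] -- "C:\hypothetical\hijack.exe" "%1" %*'

# OTL line formats: SRV/DRV entries, O35/O37 file associations, O31 SafeBoot, O1 Hosts.
SERVICE_RE = re.compile(
    r'^(?P<kind>SRV|DRV) - \[(?P<date>[^|]+)\| (?P<size>[\d,]+) \| [^\]]*\] '
    r'\((?P<company>[^)]*)\) \[(?P<start>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>.+)\)$'
)
ASSOC_RE = re.compile(r'^O3[57] - (?P<key>.+?) -- (?P<cmd>.+)$')
ALTSHELL_RE = re.compile(r'^O31 - SafeBoot: AlternateShell - (?P<shell>.+)$')
HOSTS_RE = re.compile(r'^O1 - Hosts: (?P<addr>\S+) (?P<host>\S+)$')

# Assumption for this box: a no-company service binary under one of these roots is
# not by itself alarming (AvastSvc.exe shows "()" too); anywhere else gets flagged.
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\system32\\')
EXPECTED_ASSOC = '"%1" %*'      # stock shell\open\command for exefile / comfile
EXPECTED_ALTSHELL = 'cmd.exe'   # stock SafeBoot\AlternateShell value


@dataclass
class Finding:
    category: str   # 'service', 'assoc', 'safeboot' or 'hosts'
    detail: str


def triage(log_text: str) -> list:
    """Scan OTL output and return the entries a malware helper would look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group('path').lower()
            in_trusted = any(path.startswith(root) for root in TRUSTED_ROOTS)
            # Heuristic, not a verdict: a no-company binary auto-starting from an odd
            # directory (here C:\WINDOWS\update.7.1) is the pattern RKinner called out.
            if not m.group('company') and not in_trusted:
                findings.append(Finding('service', f"{m.group('name')} -> {m.group('path')}"))
            continue
        m = ASSOC_RE.match(line)
        if m and m.group('cmd') != EXPECTED_ASSOC:
            # Anything other than "%1" %* means every .exe launch passes through a
            # third party first; the :reg section of the fix restores the stock value.
            findings.append(Finding('assoc', f"{m.group('key')} -> {m.group('cmd')}"))
            continue
        m = ALTSHELL_RE.match(line)
        if m and m.group('shell').lower() != EXPECTED_ALTSHELL:
            findings.append(Finding('safeboot', m.group('shell')))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group('host').lower() != 'localhost':
            # [RESETHOSTS] in the fix rewrites this file; anything beyond localhost is worth a look.
            findings.append(Finding('hosts', f"{m.group('addr')} {m.group('host')}"))
    return findings


def categories(log_text: str) -> list:
    """Sorted list of the finding categories present in a log."""
    return sorted({f.category for f in triage(log_text)})


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG + HIJACKED_ASSOC_LINE):
        print(f"[{f.category}] {f.detail}")
```

Run as a script it prints three findings for the sample: the ddservice binary in C:\WINDOWS\update.7.1, the SafeBoot AlternateShell value (services32.exe where the stock value is cmd.exe), and the constructed hijacked association. Nothing fires on the two localhost HOSTS lines or on the repaired O35/O37 lines. The xcopy lines in the fix are a separate step the script does not cover: they copy back the Start Menu, Quick Launch and Desktop shortcuts that were moved into %Temp%\smtmp.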

#3
sloppypa

sloppypa

    Member

  • Topic Starter
  • Member
  • 41 posts
Here is the OTL after the 1st step (next two logs to follow)
========== PROCESSES ==========
All processes killed
========== SERVICES/DRIVERS ==========
Service ddservice stopped successfully!
Service ddservice deleted successfully!
========== OTL ==========
Error: No service named ddservice was found to stop!
Service\Driver key ddservice not found.
C:\WINDOWS\update.7.1\svchostdriver.exe moved successfully.
========== FILES ==========
C:\WINDOWS\update.7.1 folder moved successfully.
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
G:\virus removal\cmd.bat deleted successfully.
G:\virus removal\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
G:\virus removal\cmd.bat deleted successfully.
G:\virus removal\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
G:\virus removal\cmd.bat deleted successfully.
G:\virus removal\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
G:\virus removal\cmd.bat deleted successfully.
G:\virus removal\cmd.txt deleted successfully.
< sc config ddservice start= disabled /c >
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
G:\virus removal\cmd.bat deleted successfully.
G:\virus removal\cmd.txt deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.6 log created on 08282011_084720

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#4
sloppypa

sloppypa

    Member

  • Topic Starter
  • Member
  • 41 posts
I had to run this one in safe mode; it wouldn't run in reg mode.


OTL logfile created on: 8/28/2011 9:02:40 AM - Run 2
OTL by OldTimer - Version 3.2.26.6 Folder = G:\virus removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.76 Gb Available Physical Memory | 91.97% Memory free
4.35 Gb Paging File | 4.29 Gb Available in Paging File | 98.71% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.34 Gb Total Space | 14.89 Gb Free Space | 49.08% Space Free | Partition Type: NTFS
Drive F: | 435.42 Gb Total Space | 434.50 Gb Free Space | 99.79% Space Free | Partition Type: NTFS
Drive G: | 493.90 Mb Total Space | 85.73 Mb Free Space | 17.36% Space Free | Partition Type: FAT
Drive H: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive I: | 930.86 Gb Total Space | 890.49 Gb Free Space | 95.66% Space Free | Partition Type: NTFS

Computer Name: EXNERDESKTOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/27 16:57:14 | 000,580,096 | ---- | M] (OldTimer Tools) -- G:\virus removal\OTL.scr
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)


========== Driver Services (SafeList) ==========

DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Documents and Settings\Family\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Documents and Settings\Family\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 07:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 07:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/02/16 09:22:48 | 000,138,496 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2010/11/09 14:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/02/17 20:17:38 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2009/10/05 11:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008/05/06 17:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2006/02/09 21:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/11/16 16:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=4.0: C:\Program Files\MSN Toolbar\Platform\4.0.0357.1\npwinext.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/07/21 09:07:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\MSN Toolbar\Platform\4.0.0357.1\Firefox [2011/07/21 09:08:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/07/21 09:09:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRA~1\AVASTS~1\Avast\WebRep\FF [2011/08/27 18:15:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/27 18:05:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/27 18:05:21 | 000,000,000 | ---D | M]

[2011/08/27 20:54:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/30 18:00:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2010/03/11 01:01:02 | 000,124,272 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2010/03/11 01:02:52 | 000,070,512 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2010/03/11 01:01:48 | 000,091,504 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2010/03/11 01:01:24 | 000,022,384 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2009/11/06 11:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/07/30 18:00:38 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/03/11 01:40:56 | 000,423,248 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2009/11/06 11:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2010/03/11 01:02:48 | 000,023,920 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
[2011/05/18 15:32:24 | 000,002,280 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\search.xml

O1 HOSTS File: ([2011/08/28 08:47:26 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Somoto Toolbar) - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Somoto Toolbar) - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - File not found
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [tray_ico] File not found
O4 - HKLM..\Run: [tray_ico1] File not found
O4 - HKLM..\Run: [tray_ico2] File not found
O4 - HKLM..\Run: [tray_ico3] File not found
O4 - HKLM..\Run: [tray_ico4] File not found
O4 - HKLM..\Run: [wxpdrv] File not found
O4 - HKCU..\Run: [ooVoo] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1294622479102 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll - File not found
O31 - SafeBoot: AlternateShell - services32.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/08 16:04:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/18 17:12:18 | 000,000,088 | R--- | M] () - H:\autorun.inf -- [ UDF ]
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\WD SmartWare.exe -- [2009/08/17 13:53:00 | 002,770,432 | R--- | M] (Western Digital)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/28 09:02:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2011/08/27 18:15:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/08/27 18:15:32 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/08/27 18:15:03 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/08/27 18:15:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/08/27 18:05:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/08/27 17:47:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2011/08/27 17:36:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/08/27 17:35:05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2011/08/27 17:34:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2011/08/27 17:34:37 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2011/08/27 17:34:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2011/08/27 17:34:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2011/08/27 17:34:37 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
[2011/08/27 17:34:37 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2011/08/27 17:34:37 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
[2011/08/27 17:34:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2011/08/27 17:34:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2011/08/27 17:34:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/08/27 17:34:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2011/08/27 17:34:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2011/08/27 17:34:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2011/08/27 17:34:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2011/08/27 17:34:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2011/08/27 17:34:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2011/08/27 17:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/08/27 17:27:39 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/08/27 17:27:39 | 000,027,984 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\sbbd.exe
[2011/08/27 17:27:23 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
[2011/08/20 09:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/08/17 23:37:30 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.3
[2011/08/12 13:03:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/08/12 13:03:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/08/12 12:45:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011/08/12 12:45:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/08/12 12:19:55 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2011/08/12 12:19:36 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2011/07/30 18:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/07/30 18:00:49 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/07/30 17:59:01 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/30 17:59:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/30 17:58:57 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/30 17:58:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/30 17:44:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/28 09:00:58 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/28 09:00:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/28 08:48:21 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/28 08:47:26 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/08/27 18:15:34 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/08/27 18:15:32 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/08/27 17:58:56 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/27 17:27:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\SBRC.dat
[2011/08/27 17:25:29 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/27 16:36:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/27 16:29:37 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hīsts
[2011/08/19 09:29:58 | 000,000,224 | ---- | M] () -- C:\WINDOWS\info1
[2011/08/18 21:21:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/12 12:25:40 | 052,390,856 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[2011/07/30 18:00:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/07/30 18:00:37 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/30 18:00:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/30 18:00:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/07/30 18:00:37 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/27 18:15:34 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/08/27 17:34:37 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
[2011/08/27 17:34:37 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
[2011/08/27 17:27:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBRC.dat
[2011/07/30 17:59:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/24 14:29:50 | 000,246,272 | ---- | C] () -- C:\WINDOWS\unrar.exe
[2011/07/24 14:26:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\loader2.exe_ok
[2011/07/21 08:58:41 | 000,206,803 | ---- | C] () -- C:\WINDOWS\hpoins46.dat.temp
[2011/07/21 08:58:41 | 000,000,574 | ---- | C] () -- C:\WINDOWS\hpomdl46.dat.temp
[2011/07/21 08:55:10 | 000,207,001 | ---- | C] () -- C:\WINDOWS\hpoins46.dat
[2011/07/21 08:55:10 | 000,000,574 | ---- | C] () -- C:\WINDOWS\hpomdl46.dat
[2011/05/24 23:44:26 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011/01/22 19:09:15 | 000,056,708 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/16 13:29:39 | 000,103,535 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
[2011/01/16 13:29:39 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
[2011/01/10 00:14:54 | 000,199,304 | ---- | C] () -- C:\WINDOWS\System32\aswBoot.exe
[2011/01/09 23:56:06 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011/01/09 23:55:35 | 000,114,630 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/01/09 22:26:49 | 052,390,856 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2011/01/09 21:33:10 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2011/01/09 21:11:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/01/08 21:08:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/01/08 16:05:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/01/08 16:01:53 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/01/08 10:56:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/01/08 10:55:38 | 000,265,416 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/08/23 01:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 01:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 01:00:00 | 000,314,508 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 01:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 01:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 01:00:00 | 000,138,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\afd.sys
[2001/08/23 01:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 01:00:00 | 000,040,836 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 01:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 01:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 01:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 01:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >
  • 0

#5
RKinner


    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Copy the text in the code box by highlighting it and pressing Ctrl + C.

:processes
killallprocesses

:Services


:OTL
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Somoto Toolbar) - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - File not found
O3 - HKLM\..\Toolbar: (Somoto Toolbar) - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [tray_ico] File not found
O4 - HKLM..\Run: [tray_ico1] File not found
O4 - HKLM..\Run: [tray_ico2] File not found
O4 - HKLM..\Run: [tray_ico3] File not found
O4 - HKLM..\Run: [tray_ico4] File not found
O4 - HKLM..\Run: [wxpdrv] File not found
O4 - HKCU..\Run: [ooVoo] File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll - File not found
O31 - SafeBoot: AlternateShell - services32.exe
[2011/08/20 09:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/08/17 23:37:30 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.3
[2011/08/12 13:03:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/08/28 08:48:21 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/27 18:15:32 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/08/27 16:36:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/27 16:29:37 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hîsts
[2011/08/19 09:29:58 | 000,000,224 | ---- | M] () -- C:\WINDOWS\info1
[2011/08/18 21:21:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/12 13:03:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/08/12 13:03:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData


:Commands
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
  • 0

#6
sloppypa


    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
When it rebooted an error came up that says svchost.exe application error ...

========== PROCESSES ==========
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico1 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico3 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico4 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wxpdrv deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ooVoo not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ deleted successfully.
C:\Program Files\Bonjour\mdnsNSP.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\0Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TPSvc\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\\AlternateShell deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Adobe\Flash Player\AssetCache\LYRJ75GK folder moved successfully.
C:\Documents and Settings\LocalService\Application Data\Adobe\Flash Player\AssetCache folder moved successfully.
C:\Documents and Settings\LocalService\Application Data\Adobe\Flash Player folder moved successfully.
C:\Documents and Settings\LocalService\Application Data\Adobe folder moved successfully.
C:\WINDOWS\update.3 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd\bins folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\pack\bins folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\pack folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\us folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\res folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\hi folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\mkt folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData\logs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MFAData folder moved successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job moved successfully.
C:\WINDOWS\system32\CONFIG.NT moved successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job moved successfully.
C:\WINDOWS\system32\drivers\etc\hīsts moved successfully.
C:\WINDOWS\info1 moved successfully.
C:\WINDOWS\tasks\AppleSoftwareUpdate.job moved successfully.
C:\Documents and Settings\All Users\Application Data\Common Files folder moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\MFAData\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.6 log created on 08282011_102239

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#7
RKinner


    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Can you run MalwareBytes or Combofix?

Ron
  • 0

#8
sloppypa


    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Can't run Malwarebytes; I will try ComboFix.
  • 0

#9
sloppypa


    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
This is from ComboFix. I could run Malwarebytes before this and I didn't try after this. Here is the log:

ComboFix 11-08-27.01 - Family 08/28/2011 12:33:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2702 [GMT -4:00]


Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Family\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\$NtUninstallKB17763$
c:\windows\$NtUninstallKB17763$\29128965
c:\windows\$NtUninstallKB17763$\3045134109\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB17763$\3045134109\click.tlb
c:\windows\$NtUninstallKB17763$\3045134109\L\akygdmgo
c:\windows\$NtUninstallKB17763$\3045134109\loader.tlb
c:\windows\$NtUninstallKB17763$\3045134109\U\@00000001
c:\windows\$NtUninstallKB17763$\3045134109\U\@000000c0
c:\windows\$NtUninstallKB17763$\3045134109\U\@000000cb
c:\windows\$NtUninstallKB17763$\3045134109\U\@000000cf
c:\windows\$NtUninstallKB17763$\3045134109\U\@80000000
c:\windows\$NtUninstallKB17763$\3045134109\U\@800000c0
c:\windows\$NtUninstallKB17763$\3045134109\U\@800000cb
c:\windows\$NtUninstallKB17763$\3045134109\U\@800000cf
c:\windows\btc_client_iplist.txt
c:\windows\ddh_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\geoiplist
c:\windows\geoiplist.rar
c:\windows\iecheck_iplist.txt
c:\windows\iplist.txt
c:\windows\loader2.exe_ok
c:\windows\phoenix
c:\windows\phoenix.rar
c:\windows\phoenix\kernels\phatk\__init__.py
c:\windows\phoenix\kernels\phatk\__init__.pyc
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\BFIPatcher.pyc
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm\__init__.py
c:\windows\phoenix\kernels\poclbm\__init__.pyc
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\BFIPatcher.pyc
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\proc_list1.log
c:\windows\rpcminer
c:\windows\rpcminer.rar
c:\windows\rpcminer\bitcoinminercuda_10.cubin
c:\windows\rpcminer\bitcoinminercuda_11.cubin
c:\windows\rpcminer\bitcoinminercuda_20.cubin
c:\windows\rpcminer\bitcoinmineropencl.cl
c:\windows\rpcminer\cudart32_32_16.dll
c:\windows\rpcminer\curllib.dll
c:\windows\rpcminer\libeay32.dll
c:\windows\rpcminer\libsasl.dll
c:\windows\rpcminer\openldap.dll
c:\windows\rpcminer\rpcminer-4way.exe
c:\windows\rpcminer\rpcminer-cpu.exe
c:\windows\rpcminer\rpcminer-cuda.exe
c:\windows\rpcminer\rpcminer-opencl.exe
c:\windows\rpcminer\ssleay32.dll
c:\windows\system32\c_49813.nls
c:\windows\ufa.rar
c:\windows\update.1
c:\windows\update.2
c:\windows\update.5.0
c:\windows\w_distrib_iplist.txt
c:\windows\winlog-dirs.txt
c:\windows\winlog-ids.txt
c:\windows\winsetupapi.log
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
.
c:\windows\system32\Ati2evxx.exe . . . is infected!!
.
Infected copy of c:\windows\system32\ati2sgag.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{258F14C8-8A54-4987-A3A2-10C65CBCAD7A}\RP233\A0040667.exe
.
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
.
c:\program files\Google\Update\GoogleUpdate.exe . . . is infected!!
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . is infected!!
.
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe . . . is infected!!
.
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE . . . is infected!!
.
Infected copy of c:\windows\system32\ati2sgag.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{258F14C8-8A54-4987-A3A2-10C65CBCAD7A}\RP233\A0040667.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVBTCCLIENT
-------\Legacy_SRVIECHECK
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
.
.
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:30 . 2011-08-27 21:30 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2011-08-27 21:30 . 2011-08-27 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-07-30 22:00 . 2011-07-30 22:00 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-30 21:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 21:58 . 2011-08-28 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 21:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 22:00 . 2011-05-18 19:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-04 11:43 . 2011-01-10 04:14 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36 . 2011-01-10 04:15 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2011-01-10 04:15 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:35 . 2011-01-10 04:15 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-04 11:35 . 2011-01-10 04:15 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-04 11:32 . 2011-01-10 04:15 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2011-01-10 04:15 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-04 11:32 . 2011-01-10 04:15 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-9 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/27/2011 6:15 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/10/2011 12:15 AM 309848]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/10/2011 12:15 AM 19544]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: [email protected] - c:\progra~1\AVASTS~1\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-28 12:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\stsystra.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-08-28 12:48:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-28 16:48
.
Pre-Run: 15,638,966,272 bytes free
Post-Run: 16,139,808,768 bytes free
.
- - End Of File - - AF5D0F0F21A3177B961E58B715437718

#10 sloppypa (Member, Topic Starter, 41 posts)

Malware Log


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7595

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/28/2011 1:35:16 PM
mbam-log-2011-08-28 (13-35-16).txt

Scan type: Quick scan
Objects scanned: 171399
Time elapsed: 1 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 RKinner (Malware Expert, MVP, 19,799 posts)
Could you get the file:
C:\Qoobox\ComboFix-quarantined-files.txt

and copy and paste it or attach it to your next reply?

Start, Run, msconfig, OK

Under Startup, uncheck everything and Apply.
Under Services, check Hide Microsoft Services and then uncheck everything else. Apply and reboot. Cancel msconfig when it comes up.

Please download:

http://www.microsoft...lang=en&id=1000

and move it to the desktop of the sick PC. Drag it over to Combofix and let go. Combofix should start running and it should want to install the Recovery Console. Please let it. After it installs the recovery console let it run another scan and post the log.

Ron

#12 sloppypa (Member, Topic Starter, 41 posts)
2022-04-13 23:28:42 . 2011-08-27 22:02:13 24,576 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@80000000.vir
2022-04-02 06:30:50 . 2011-08-18 03:25:59 33,280 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@800000c0.vir
2022-04-02 06:30:45 . 2011-08-18 03:25:59 1,536 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@000000cf.vir
2022-03-29 03:32:16 . 2011-08-12 16:23:10 41,360 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@00000001.vir
2022-03-27 23:41:24 . 2011-08-12 16:22:33 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@000000cb.vir
2022-03-27 23:41:24 . 2011-08-12 16:22:34 27,648 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@800000cb.vir
2022-03-27 23:41:24 . 2011-08-18 03:25:59 27,648 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@800000cf.vir
2022-03-26 00:03:45 . 2011-08-08 07:01:15 2,560 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@000000c0.vir
2011-08-28 16:47:35 . 2011-08-28 16:47:35 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-08-28 16:41:09 . 2011-08-28 16:41:09 214 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\_29128965_.zip
2011-08-28 16:39:46 . 2011-08-28 16:39:46 822 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SRVIECHECK.reg.dat
2011-08-28 16:39:46 . 2011-08-28 16:39:46 838 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SRVBTCCLIENT.reg.dat
2011-08-28 16:39:29 . 2011-08-28 16:39:29 6,157 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-08-28 16:27:05 . 2011-08-28 16:44:08 743 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-08-18 03:37:58 . 2011-08-20 15:00:24 10,340 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\w_distrib_iplist.txt.vir
2011-07-30 22:00:38 . 2011-07-30 22:00:38 153,376 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir
2011-07-29 07:32:30 . 2011-08-27 20:31:46 2,144 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\click.tlb.vir
2011-07-24 19:14:46 . 2011-08-28 13:25:11 2,540 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\loader.tlb.vir
2011-07-24 19:11:19 . 2011-08-28 14:35:07 25,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir
2011-07-24 19:07:52 . 2011-07-24 19:07:52 4,180 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\phatk\BFIPatcher.pyc.vir
2011-07-24 19:07:52 . 2011-07-24 19:07:52 11,491 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\phatk\__init__.pyc.vir
2011-07-24 19:06:19 . 2011-08-28 16:23:16 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}.vir
2011-07-24 19:06:19 . 2011-07-24 19:06:19 138,496 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\L\akygdmgo.vir
2011-07-24 19:06:11 . 2011-07-24 19:06:11 4,190 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\poclbm\BFIPatcher.pyc.vir
2011-07-24 19:06:11 . 2011-07-24 19:06:11 11,870 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\poclbm\__init__.pyc.vir
2011-07-24 18:35:49 . 2011-06-14 19:51:54 6,962,815 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\phoenix.exe.vir
2011-07-24 18:35:49 . 2011-06-14 19:41:40 30,821 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\poclbm\kernel.cl.vir
2011-07-24 18:35:49 . 2011-06-14 19:41:40 17,266 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\poclbm\__init__.py.vir
2011-07-24 18:35:49 . 2011-06-14 19:41:40 5,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\poclbm\BFIPatcher.py.vir
2011-07-24 18:35:49 . 2003-10-24 04:27:46 110,592 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\openldap.dll.vir
2011-07-24 18:35:49 . 2011-06-14 19:41:40 16,922 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\phatk\__init__.py.vir
2011-07-24 18:35:49 . 2011-06-14 19:41:40 5,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\phatk\BFIPatcher.py.vir
2011-07-24 18:35:49 . 2011-06-14 19:41:40 10,366 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\kernels\phatk\kernel.cl.vir
2011-07-24 18:35:49 . 2009-01-07 22:27:16 1,016,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\libeay32.dll.vir
2011-07-24 18:35:49 . 2009-01-07 22:27:58 200,192 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\ssleay32.dll.vir
2011-07-24 18:35:49 . 2010-11-06 08:41:48 384,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\cudart32_32_16.dll.vir
2011-07-24 18:35:49 . 2009-02-17 15:19:22 194,048 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\curllib.dll.vir
2011-07-24 18:35:49 . 2011-02-13 20:41:02 43,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\bitcoinminercuda_20.cubin.vir
2011-07-24 18:35:49 . 2010-12-18 15:23:48 65,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\libsasl.dll.vir
2011-07-24 18:35:49 . 2011-02-13 21:06:32 49,392 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\bitcoinminercuda_10.cubin.vir
2011-07-24 18:35:49 . 2011-02-13 21:07:10 49,392 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\bitcoinminercuda_11.cubin.vir
2011-07-24 18:35:49 . 2011-02-19 16:56:38 9,971 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\bitcoinmineropencl.cl.vir
2011-07-24 18:35:49 . 2011-02-27 13:46:44 241,664 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\rpcminer-cpu.exe.vir
2011-07-24 18:35:49 . 2011-02-27 13:48:20 294,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\rpcminer-4way.exe.vir
2011-07-24 18:35:49 . 2011-02-27 13:50:24 249,856 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\rpcminer-cuda.exe.vir
2011-07-24 18:35:49 . 2011-02-27 13:52:00 241,664 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\rpcminer-opencl.exe.vir
2011-07-24 18:35:47 . 2011-07-24 18:35:47 182,617 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ufa.rar.vir
2011-07-24 18:35:47 . 2011-07-24 18:35:47 5,589,370 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix.rar.vir
2011-07-24 18:35:47 . 2011-07-24 18:35:47 1,075,284 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer.rar.vir
2011-07-24 18:31:10 . 2011-08-27 21:04:09 11,748 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ddh_iplist.txt.vir
2011-07-24 18:29:51 . 2011-07-17 07:24:20 4,636,907 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\geoiplist.vir
2011-07-24 18:29:50 . 2011-07-24 18:32:14 904,792 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\geoiplist.rar.vir
2011-07-24 18:29:49 . 2011-08-20 14:59:01 10,647 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\btc_client_iplist.txt.vir
2011-07-24 18:29:41 . 2011-08-20 15:00:14 11,270 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\iecheck_iplist.txt.vir
2011-07-24 18:26:49 . 2011-08-20 14:59:28 11,270 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\iplist.txt.vir
2011-07-24 18:26:42 . 2011-07-24 18:27:18 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\loader2.exe_ok.vir
2011-07-24 18:26:09 . 2011-07-24 19:27:54 11,119 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\front_ip_list.txt.vir
2011-07-24 18:24:47 . 2011-07-24 18:27:18 11 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\winsetupapi.log.vir
2011-07-24 18:14:10 . 2011-07-24 18:14:10 102 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\winlog-dirs.txt.vir
2011-07-24 18:14:10 . 2011-07-24 18:14:10 5 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\winlog-ids.txt.vir
2011-07-24 18:14:04 . 2011-08-27 20:28:22 859 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\proc_list1.log.vir
2011-04-06 20:20:16 . 2011-04-06 20:20:16 356,352 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Bonjour\mDNSResponder.exe.vir
2011-01-10 04:15:09 . 2011-01-10 04:15:08 136,176 ----atw- C:\Qoobox\Quarantine\C\Program Files\Google\Update\GoogleUpdate.exe.vir
2011-01-10 03:56:06 . 2006-02-10 02:05:00 524,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ati2sgag.exe.vir
2011-01-10 03:55:35 . 2006-02-10 01:51:48 417,792 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir
2011-01-08 20:01:33 . 2001-08-02 02:58:12 16,415 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgsin.exe.vir
2011-01-08 20:01:11 . 2009-08-07 00:24:06 53,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir
2010-12-13 22:16:10 . 2010-12-13 22:16:10 826,368 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir
2010-10-29 14:34:02 . 2011-05-18 19:32:24 2,280 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\search.xml.vir
2010-10-16 05:40:40 . 2010-10-16 05:40:40 44,032 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir
2009-11-05 20:56:38 . 2009-11-05 20:56:38 247,808 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe.vir
2009-08-18 15:29:22 . 2009-08-18 15:29:22 1,534,976 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE.vir
2003-06-20 04:25:00 . 2003-06-20 04:25:00 323,584 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir
2001-08-23 05:00:00 . 2001-08-23 05:00:00 43,408 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\c_49813.nls.vir
2001-08-23 05:00:00 . 2011-02-16 13:22:48 138,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir
2001-08-23 05:00:00 . 2011-02-16 13:22:48 138,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir_

#13 sloppypa (Member, Topic Starter, 41 posts)
ComboFix 11-08-28.01 - Family 08/28/2011 19:22:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2586 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Family\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
.
.
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:30 . 2011-08-27 21:30 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2011-08-27 21:30 . 2011-08-27 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-07-30 22:00 . 2011-07-30 22:00 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-30 21:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 21:58 . 2011-08-28 17:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 21:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 22:00 . 2011-05-18 19:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-04 11:43 . 2011-01-10 04:14 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36 . 2011-01-10 04:15 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2011-01-10 04:15 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:35 . 2011-01-10 04:15 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-04 11:35 . 2011-01-10 04:15 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-04 11:32 . 2011-01-10 04:15 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2011-01-10 04:15 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-04 11:32 . 2011-01-10 04:15 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-05-04 21:05 311296 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-03-11 05:21 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 20:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 15:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-11-16 13:27 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/27/2011 6:15 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/10/2011 12:15 AM 309848]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/10/2011 12:15 AM 19544]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: [email protected] - c:\progra~1\AVASTS~1\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-28 19:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1928)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-08-28 19:33:01
ComboFix-quarantined-files.txt 2011-08-28 23:32
ComboFix2.txt 2011-08-28 16:49
.
Pre-Run: 16,106,995,712 bytes free
Post-Run: 16,091,811,840 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=AlwaysOff
.
- - End Of File - - F130E788FEB807F4010C48D5F1166636

#14 RKinner (Malware Expert, MVP, 19,799 posts)
Are you able to work in regular mode now?

The following programs have been corrupted by the virus and will need to be uninstalled (and redownloaded and reinstalled if you really use them).

Microsoft Search Enhancement Pack (I wouldn't bother reinstalling this one)

Apple Mobile Device Support (something for your iPod?)

Bonjour (It's from Apple. Looks for Apple updates I think)

Google Update

Java

Windows Live Essentials (Uninstall all of the Windows Live stuff. Only reinstall things you know you use.)

SuperAntiSpyware

After you uninstall the above, you can go back into MSCONFIG and tell it to do a normal boot (this rechecks everything), then reboot.

Are you able to get on the Internet?

Ron
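The quarantine listing posted in #12 and the reasoning behind the advice in #14 (a quarantined copy of an installed program's own executable means that product was corrupted and has to be reinstalled), worked as an added Python triage example that is not from this thread or from ComboFix: it parses the ComboFix quarantine listing format, recovers each file's original path, buckets the entries, and derives the Program Files product folders to reinstall. The sample lines are copied from the listing above; the bucket rules, the `MINER_MARKERS` list and the `product_for` helper are this example's own assumptions.

```python
"""Triage a ComboFix quarantine listing (ComboFix-quarantined-files.txt).

Line layout: <quarantine time> . <file mtime> <size> <attrs> <quarantined path>
ComboFix stores C:\\foo\\bar as <root>\\C\\foo\\bar and appends .vir to files."""
import re
from collections import defaultdict

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
LINE_RE = re.compile(
    r"^(?P<qtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<qpath>.+)$"
)
# Assumption: name fragments of the mining software seen in the listing.
MINER_MARKERS = ("rpcminer", "bitcoinminer", "phoenix")

# Constructed sample: eight lines copied from the listing posted above.
SAMPLE_LISTING = r"""
2022-04-13 23:28:42 . 2011-08-27 22:02:13 24,576 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB17763$\3045134109\U\@80000000.vir
2011-07-24 18:35:49 . 2011-06-14 19:51:54 6,962,815 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\phoenix\phoenix.exe.vir
2011-07-24 18:35:49 . 2011-02-27 13:46:44 241,664 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\rpcminer\rpcminer-cpu.exe.vir
2011-07-24 18:29:51 . 2011-07-17 07:24:20 4,636,907 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\geoiplist.vir
2011-01-10 04:15:09 . 2011-01-10 04:15:08 136,176 ----atw- C:\Qoobox\Quarantine\C\Program Files\Google\Update\GoogleUpdate.exe.vir
2011-04-06 20:20:16 . 2011-04-06 20:20:16 356,352 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Bonjour\mDNSResponder.exe.vir
2011-08-28 16:47:35 . 2011-08-28 16:47:35 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2001-08-23 05:00:00 . 2011-02-16 13:22:48 138,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir
"""


def parse_listing(text):
    """Parse listing lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    prefix = QUARANTINE_ROOT + "\\C\\"
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qpath = m.group("qpath")
        original = None  # path the file had before quarantine, when recoverable
        if qpath.startswith(prefix):
            original = "C:\\" + qpath[len(prefix):]
            if original.lower().endswith(".vir"):
                original = original[:-4]
        entries.append({"quarantined": m.group("qtime"), "modified": m.group("mtime"),
                        "size": int(m.group("size").replace(",", "")),
                        "attrs": m.group("attrs"), "path": qpath, "original": original})
    return entries


def classify(entry):
    """Put an entry in a triage bucket (the rules are this example's assumptions)."""
    orig = entry["original"]
    if orig is None:
        return "registry or tool backup"
    low = orig.lower()
    if any(marker in low for marker in MINER_MARKERS):
        return "mining payload"
    if low.startswith("c:\\program files\\") and low.endswith(".exe"):
        return "installed program executable"
    if low.startswith("c:\\windows\\system32\\drivers\\"):
        return "quarantined system driver"
    if low.startswith("c:\\windows\\"):
        return "dropped file in Windows directory"
    return "other"


def product_for(original):
    """Product folder under Program Files, e.g. 'Bonjour' or 'Google\\Update'."""
    parts = original.split("\\")[2:-1]  # drop 'C:', 'Program Files' and the file name
    if parts and parts[0].lower() in ("common files", "microsoft"):
        parts = parts[1:]  # umbrella folders carry no product name of their own
    return "\\".join(parts[:2]) if parts else None


def triage(text):
    """Return (buckets, products): bucket name -> original paths, plus the sorted
    product folders whose own executables were quarantined and need reinstalling."""
    buckets = defaultdict(list)
    products = set()
    for entry in parse_listing(text):
        bucket = classify(entry)
        buckets[bucket].append(entry["original"] or entry["path"])
        if bucket == "installed program executable":
            products.add(product_for(entry["original"]))
    return dict(buckets), sorted(products)


if __name__ == "__main__":
    buckets, products = triage(SAMPLE_LISTING)
    for bucket, paths in sorted(buckets.items()):
        print(f"{bucket} ({len(paths)})")
        for path in paths:
            print("   ", path)
    print("reinstall:", ", ".join(products))
```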

#15 sloppypa (Member, Topic Starter, 41 posts)
How do I uninstall MS Search Enhancement Pack and Google Update? I can't find them in Add/Remove.