Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Internet redirect virus

Started by paladin181 , Nov 14 2011 09:16 AM

  • Please log in to reply

#1
paladin181
Posted 14 November 2011 - 09:16 AM

paladin181

    New Member

  • Member
  • Pip
  • 2 posts
Good day,
I have an issue with a work PC where link clicked on by a search engine results in a redirect to an unrelated site. After about 5 attempts on the same link, one can get to the site they were attempting to, but this is obviously not normal behavior. I have run the procedure for a fix here and had no luck. Unfortunately some of the other "computer savvy guys" at the shop took a crack at it before the problem was brought to my attention. I do not know exactly how they attempted to solve the problem, nor do I know what other damages they may have caused. The system is Windows XP professional, SP3. The problem occurs in Internet Explorer 8; there are no other Web Browsers installed to my knowledge.


OTL logfile created on: 11/14/2011 10:02:33 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = F:\Redirect removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 534.67 Mb Available Physical Memory | 52.32% Memory free
1.28 Gb Paging File | 0.81 Gb Available in Paging File | 63.62% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.70 Gb Total Space | 39.00 Gb Free Space | 54.40% Space Free | Partition Type: NTFS
Drive D: | 568.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 37.24 Gb Total Space | 18.55 Gb Free Space | 49.79% Space Free | Partition Type: NTFS
Drive F: | 1.86 Gb Total Space | 1.28 Gb Free Space | 69.05% Space Free | Partition Type: FAT
Drive R: | 2779.26 Gb Total Space | 2712.74 Gb Free Space | 97.61% Space Free | Partition Type: NTFS

Computer Name: DRIVES | User Name: theresa | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/14 09:45:08 | 000,584,192 | ---- | M] (OldTimer Tools) -- F:\Redirect removal\OTL.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/09 16:56:40 | 000,417,112 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
PRC - [2011/08/09 16:38:38 | 000,328,536 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
PRC - [2011/07/01 06:57:32 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/27 06:33:43 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/09 10:23:58 | 000,059,392 | ---- | M] () -- C:\Program Files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
PRC - [2010/08/02 16:09:55 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/09 20:42:00 | 000,492,896 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2008/04/09 19:23:22 | 000,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2008/04/09 19:14:28 | 000,136,472 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2008/04/09 19:14:18 | 000,431,384 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2008/04/09 19:11:24 | 002,595,792 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2008/03/13 15:03:34 | 000,225,280 | ---- | M] (Schneider Automation) -- C:\WINDOWS\SYSTEM32\ModbusDrv.exe
PRC - [2005/09/13 15:22:52 | 000,049,152 | ---- | M] (Schneider Automation SAS) -- C:\WINDOWS\SYSTEM32\NA_Service.exe
PRC - [2004/06/30 14:33:04 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/09 16:43:20 | 000,130,904 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 4\ASCv4ExtMenu.dll
MOD - [2010/12/09 10:23:58 | 000,059,392 | ---- | M] () -- C:\Program Files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
MOD - [2010/06/17 15:27:22 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2008/04/09 20:42:00 | 000,492,896 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
MOD - [2008/04/09 17:46:56 | 001,328,408 | ---- | M] () -- C:\Program Files\Acronis\TrueImageHome\fox.dll
MOD - [2001/09/24 07:59:00 | 000,045,056 | ---- | M] () -- C:\WINDOWS\SYSTEM32\NavLogon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/09 16:38:38 | 000,328,536 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe -- (AdvancedSystemCareService)
SRV - [2011/07/01 06:57:32 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/27 06:33:43 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/09 10:23:58 | 000,059,392 | ---- | M] () [Auto | Running] -- C:\Program Files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe -- (MCT10 Service)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2008/04/09 20:42:00 | 000,492,896 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2008/04/09 19:14:18 | 000,431,384 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008/02/05 14:51:30 | 000,222,480 | ---- | M] (Cyberlogic Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\Cyberlogic\Ethernet MBX Driver\EMbxRpcS.exe -- (eMBX)
SRV - [2007/10/04 10:00:08 | 000,182,544 | ---- | M] (Cyberlogic Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Cyberlogic Shared\gMbxRpcS.exe -- (gMBX)
SRV - [2005/09/13 15:22:52 | 000,049,152 | ---- | M] (Schneider Automation SAS) [Auto | Running] -- C:\WINDOWS\SYSTEM32\NA_Service.exe -- (NA_Service)


========== Driver Services (SafeList) ==========

DRV - [2011/10/14 09:20:54 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2011/10/14 09:20:54 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys -- (tifsfilter)
DRV - [2011/10/14 09:20:45 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2011/10/14 09:20:39 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2011/07/01 06:57:35 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)
DRV - [2011/07/01 06:57:35 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)
DRV - [2010/11/26 18:02:54 | 000,014,776 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2008/03/28 18:27:48 | 000,094,608 | ---- | M] (Cyberlogic Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\CLMbxUsb.sys -- (CLMbxUsb) Cyberlogic MBX Driver (USB)
DRV - [2007/02/25 11:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/27 14:40:30 | 000,019,968 | R--- | M] (BEC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\USBMotion.sys -- (USBMotion)
DRV - [2006/10/05 15:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2004/04/26 10:49:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2003/11/30 21:54:20 | 000,043,136 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ser2pl.sys -- (Ser2pl)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.0.1:9877

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=2.5: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/11/14 09:38:12 | 000,000,098 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [Advanced SystemCare 4] C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.micr...tualEarth3D.cab (Reg Error: Value error.)
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} http://cadenas.partc...3d/cnsweb3d.cab (PARTcommunity 3D Web Viewer)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Value error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1122031458812 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} http://www.investors...ocx/plotwon.ocx (Plotwon Control)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,23/mcgdmgr.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6B427887-88E1-4491-B6A2-7E417D2CF021}: NameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\SYSTEM32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\theresa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\theresa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) -C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/06 09:27:32 | 000,000,079 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - Unable to obtain root file information for disk E:\
O33 - MountPoints2\{4c907bd0-88e1-11de-83c0-001111afd579}\Shell - "" = AutoRun
O33 - MountPoints2\{4c907bd0-88e1-11de-83c0-001111afd579}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4c907bd0-88e1-11de-83c0-001111afd579}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (SmartDefragBootTime.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/14 09:31:10 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/11/14 09:30:37 | 000,000,000 | ---D | C] -- C:\ERDNT
[2011/11/14 09:29:39 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/11/14 09:29:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/11/14 09:29:07 | 001,564,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\theresa\Desktop\TDSSKiller.exe
[2011/11/14 09:29:06 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\theresa\Desktop\erunt-setup.exe
[2011/11/14 09:29:06 | 000,523,264 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\theresa\Desktop\OTM.exe
[2011/11/14 08:06:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Acronis
[2011/11/11 14:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/11 14:25:01 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/11/11 08:50:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Advanced SystemCare 4
[2011/11/10 14:02:49 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/10 09:28:19 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\theresa\Desktop\firefox.com
[2011/11/10 08:06:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/09 08:42:36 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/11/09 08:39:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theresa\Application Data\Malwarebytes
[2011/11/09 08:39:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/11/08 08:05:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/11/08 08:04:51 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/11/08 08:04:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/10/20 07:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theresa\Start Menu\Programs\Schneider Electric
[2011/10/20 06:45:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Schneider Electric
[2011/10/20 06:45:48 | 000,421,376 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\FTDIUNIN.exe
[2011/10/20 06:45:48 | 000,102,472 | ---- | C] (Schneider Electric) -- C:\WINDOWS\System32\NA_XWAY.exe
[2011/10/20 06:45:48 | 000,057,820 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftser2k.sys
[2011/10/20 06:45:48 | 000,048,625 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\ftserui2.dll
[2011/10/20 06:45:48 | 000,045,056 | ---- | C] (Schneider Automation) -- C:\WINDOWS\System32\XwayMgrU.dll
[2011/10/20 06:45:48 | 000,036,864 | ---- | C] (FTDI) -- C:\WINDOWS\System32\FTLang.dll
[2011/10/20 06:45:48 | 000,024,369 | ---- | C] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftdibus.sys
[2011/10/20 06:45:47 | 000,491,520 | ---- | C] (Schneider Automation SAS) -- C:\WINDOWS\System32\XWAYMgr.cpl
[2011/10/20 06:45:47 | 000,167,936 | ---- | C] (Schneider Automation SAS) -- C:\WINDOWS\System32\NA_Config.exe
[2011/10/20 06:45:47 | 000,086,086 | ---- | C] (Schneider Automation SAS) -- C:\WINDOWS\System32\NA_MBP.exe
[2011/10/20 06:45:47 | 000,073,728 | ---- | C] (Schneider Automation SAS) -- C:\WINDOWS\System32\NA_Util.dll
[2011/10/20 06:45:47 | 000,061,440 | ---- | C] (Schneider Automation) -- C:\WINDOWS\WDTGR2.DLL
[2011/10/20 06:45:47 | 000,061,440 | ---- | C] (Schneider Automation SAS) -- C:\WINDOWS\Wnetway2.dll
[2011/10/20 06:45:47 | 000,049,152 | ---- | C] (Schneider Automation SAS) -- C:\WINDOWS\System32\NA_Service.exe
[2011/10/20 06:45:47 | 000,037,888 | ---- | C] (Schneider Automation) -- C:\WINDOWS\WCDTGR2.DLL
[2011/10/20 06:45:47 | 000,024,576 | ---- | C] (Schneider Automation) -- C:\WINDOWS\WNETWT32.DLL
[2011/10/20 06:45:23 | 000,327,757 | ---- | C] (Schneider Automation) -- C:\WINDOWS\System32\DrvModbus.dll
[2011/10/20 06:45:23 | 000,225,280 | ---- | C] (Schneider Automation) -- C:\WINDOWS\System32\ModbusDrv.exe
[2011/10/20 06:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theresa\Application Data\InstallShield
[2011/10/19 14:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theresa\Local Settings\Application Data\WinZip
[2011/10/19 13:29:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinZip
[2011/10/19 13:28:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/10/19 13:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2011/10/19 12:35:56 | 000,000,000 | ---D | C] -- C:\Program Files\Schneider Electric
[2005/02/03 14:01:43 | 000,589,824 | ---- | C] (Fred's Software Company) -- C:\Program Files\Printkey.exe

========== Files - Modified Within 30 Days ==========

[2011/11/14 09:39:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/11/14 09:39:31 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/14 09:39:14 | 000,000,322 | -HS- | M] () -- C:\WINDOWS\tasks\XGEO.job
[2011/11/14 09:39:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/11/14 09:39:11 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/14 09:38:12 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\Hosts
[2011/11/14 09:29:40 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\theresa\Desktop\ERUNT.lnk
[2011/11/14 09:24:06 | 000,523,264 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\theresa\Desktop\OTM.exe
[2011/11/14 09:21:12 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\theresa\Desktop\erunt-setup.exe
[2011/11/14 09:19:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/14 08:36:50 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\system.ldb
[2011/11/11 15:48:16 | 001,564,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\theresa\Desktop\TDSSKiller.exe
[2011/11/11 14:59:01 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/11 08:50:58 | 000,000,930 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Quick Care.lnk
[2011/11/11 08:50:58 | 000,000,908 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 4.lnk
[2011/11/10 09:48:21 | 000,709,968 | ---- | M] () -- C:\WINDOWS\is-7FO1M.exe
[2011/11/10 09:48:21 | 000,010,498 | ---- | M] () -- C:\WINDOWS\is-7FO1M.msg
[2011/11/10 09:48:21 | 000,000,365 | ---- | M] () -- C:\WINDOWS\is-7FO1M.lst
[2011/11/10 09:28:30 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\theresa\Desktop\firefox.com
[2011/11/09 16:28:03 | 000,000,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/11/09 16:17:31 | 000,000,173 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/11/08 16:52:45 | 000,438,069 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20111109-164239.backup
[2011/11/08 08:05:03 | 000,000,985 | ---- | M] () -- C:\Documents and Settings\theresa\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/11/08 08:05:02 | 000,000,967 | ---- | M] () -- C:\Documents and Settings\theresa\Desktop\Spybot - Search & Destroy.lnk
[2011/11/07 12:45:55 | 000,069,120 | RHS- | M] () -- C:\WINDOWS\System32\imaadp32M.dll
[2011/11/07 06:56:59 | 000,515,686 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/11/07 06:56:59 | 000,091,246 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/10/20 15:34:00 | 000,000,052 | ---- | M] () -- C:\WINDOWS\ultimadll.INI
[2011/10/20 07:23:27 | 000,003,120 | ---- | M] () -- C:\WINDOWS\131894
[2011/10/19 15:12:17 | 385,277,952 | ---- | M] () -- C:\Documents and Settings\theresa\Desktop\POWERSUITE2.6.iso

========== Files Created - No Company Name ==========

[2011/11/14 09:29:40 | 000,000,626 | ---- | C] () -- C:\Documents and Settings\theresa\Desktop\ERUNT.lnk
[2011/11/14 08:36:49 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\system.ldb
[2011/11/11 14:56:57 | 000,225,262 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msimain.sdb
[2011/11/11 14:56:47 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/11/11 14:32:05 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/11 08:50:58 | 000,000,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Quick Care.lnk
[2011/11/11 08:50:58 | 000,000,908 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare 4.lnk
[2011/11/10 09:48:21 | 000,709,968 | ---- | C] () -- C:\WINDOWS\is-7FO1M.exe
[2011/11/10 09:48:21 | 000,010,498 | ---- | C] () -- C:\WINDOWS\is-7FO1M.msg
[2011/11/10 09:48:21 | 000,000,365 | ---- | C] () -- C:\WINDOWS\is-7FO1M.lst
[2011/11/08 08:05:03 | 000,000,985 | ---- | C] () -- C:\Documents and Settings\theresa\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/11/08 08:05:02 | 000,000,967 | ---- | C] () -- C:\Documents and Settings\theresa\Desktop\Spybot - Search & Destroy.lnk
[2011/11/07 12:45:55 | 000,069,120 | RHS- | C] () -- C:\WINDOWS\System32\imaadp32M.dll
[2011/11/07 12:45:55 | 000,000,322 | -HS- | C] () -- C:\WINDOWS\tasks\XGEO.job
[2011/10/20 08:38:52 | 000,000,052 | ---- | C] () -- C:\WINDOWS\ultimadll.INI
[2011/10/20 07:23:27 | 000,003,120 | ---- | C] () -- C:\WINDOWS\131894
[2011/10/20 06:45:48 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\FTDIUN2K.INI
[2011/10/20 06:45:47 | 000,013,888 | ---- | C] () -- C:\WINDOWS\WDTGR.DLL
[2011/10/20 06:45:47 | 000,008,096 | ---- | C] () -- C:\WINDOWS\WCDTGR.DLL
[2011/10/20 06:45:47 | 000,006,656 | ---- | C] () -- C:\WINDOWS\WNETWAY.DLL
[2011/10/20 06:45:47 | 000,004,064 | ---- | C] () -- C:\WINDOWS\WNETWT16.DLL
[2011/10/19 15:11:38 | 385,277,952 | ---- | C] () -- C:\Documents and Settings\theresa\Desktop\POWERSUITE2.6.iso
[2011/03/11 08:39:32 | 000,028,496 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2011/03/11 08:39:32 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2011/03/02 11:24:55 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/06/19 12:12:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI
[2008/09/10 08:44:53 | 000,000,817 | ---- | C] () -- C:\WINDOWS\VOLOV EReg.ini
[2008/07/30 09:57:46 | 000,087,312 | ---- | C] () -- C:\WINDOWS\System32\CybPass.dll
[2005/09/02 08:57:24 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\theresa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/02/14 13:05:44 | 000,009,717 | ---- | C] () -- C:\WINDOWS\extend.dat
[2005/01/06 09:20:37 | 000,000,183 | ---- | C] () -- C:\WINDOWS\PMX.INI
[2004/12/15 18:03:00 | 000,320,512 | R--- | C] () -- C:\WINDOWS\System32\W32mkde.exe
[2004/12/15 18:03:00 | 000,110,080 | R--- | C] () -- C:\WINDOWS\System32\W32mkrc.dll
[2004/12/15 18:02:59 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\Nwlocale.dll
[2004/12/15 18:02:59 | 000,000,772 | ---- | C] () -- C:\WINDOWS\Bti.ini
[2004/12/15 17:34:26 | 000,006,177 | ---- | C] () -- C:\WINDOWS\PAW35.INI
[2004/12/15 17:32:17 | 000,002,884 | ---- | C] () -- C:\WINDOWS\PAW50.INI
[2004/12/15 17:17:50 | 000,001,280 | ---- | C] () -- C:\WINDOWS\Paw70.ini
[2004/12/15 14:52:14 | 000,002,746 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2004/12/15 14:49:58 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2004/12/15 13:58:15 | 000,000,285 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2004/12/15 13:58:14 | 000,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2004/12/15 08:13:47 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2004/12/15 08:13:46 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/12/14 17:33:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/12/09 18:58:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/12/09 18:53:43 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/12/09 18:49:59 | 000,000,173 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/12/09 18:35:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/12/09 18:34:48 | 000,515,686 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/12/09 18:34:48 | 000,091,246 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/12/09 18:21:52 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 18:25:56 | 000,000,791 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/11 18:20:10 | 000,193,776 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 18:14:38 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 18:12:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 11:31:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2004/08/11 11:31:24 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\SECUPD.DAT
[2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2004/07/19 17:01:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\SETPWRCG.EXE
[2004/05/26 16:09:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\DSRIRREM.EXE
[2003/06/25 01:38:06 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll
[2001/09/24 07:59:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[1997/07/11 00:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\WRKGADM.EXE
[1997/07/11 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL
[1997/07/11 00:00:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL
[1997/07/11 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/07/11 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996/08/20 19:37:20 | 000,015,840 | ---- | C] () -- C:\WINDOWS\System32\Machnm1.exe
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2011/10/13 14:46:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2011/03/02 11:25:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011/03/03 12:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Danfoss Drives
[2008/12/11 12:45:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PassMark
[2011/11/08 07:10:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/19 14:18:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/09/10 08:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\Autodesk
[2011/07/08 12:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\cadenas
[2011/03/02 11:25:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\Canneverbe Limited
[2011/11/11 08:51:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\IObit
[2005/01/18 16:30:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\Leadertech
[2008/03/12 11:11:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\MSNInstaller
[2011/10/03 14:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theresa\Application Data\NCDrive
[2011/11/14 09:39:14 | 000,000,322 | -HS- | M] () -- C:\WINDOWS\Tasks\XGEO.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BC359956

< End of report >

Edited by paladin181, 14 November 2011 - 09:37 AM.

  • 0

Advertisements

#2
RKinner
Posted 14 November 2011 - 12:52 PM

RKinner

    Malware Expert

  • Expert
  • 21,003 posts
  • MVP
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Uninstall:
IOBIT/Advanced System Care 4


Tell Avira not to interfere:
1. Open Avira AntiVir Personal. (There is likely an icon on your desktop, or in your system tray by the clock.)
2. Click the "Configuration" link on the main screen. This opens the configuration panel.
3. Check the "Expert mode" option.
4. Click on General > Security.
5. *Uncheck* the option titled "Protect files and registry entries from manipulation".
6. Click the "OK" button.
7. Reboot your computer.

Copy the text in the code box by highlighting and Ctrl + c 

:processes
killallprocesses

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.0.1:9877
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=2.5: File not found
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.micr...tualEarth3D.cab (Reg Error: Value error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Value error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,23/mcgdmgr.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Value error.)
[2011/11/10 09:48:21 | 000,709,968 | ---- | M] () -- C:\WINDOWS\is-7FO1M.exe
[2011/11/10 09:48:21 | 000,010,498 | ---- | M] () -- C:\WINDOWS\is-7FO1M.msg
[2011/11/10 09:48:21 | 000,000,365 | ---- | M] () -- C:\WINDOWS\is-7FO1M.lst
[2011/11/07 12:45:55 | 000,069,120 | RHS- | M] () -- C:\WINDOWS\System32\imaadp32M.dll
[2011/10/20 15:34:00 | 000,000,052 | ---- | M] () -- C:\WINDOWS\ultimadll.INI
[2011/10/20 07:23:27 | 000,003,120 | ---- | M] () -- C:\WINDOWS\131894
[2011/11/07 12:45:55 | 000,000,322 | -HS- | C] () -- C:\WINDOWS\tasks\XGEO.job
[2011/10/20 06:45:47 | 000,013,888 | ---- | C] () -- C:\WINDOWS\WDTGR.DLL
[2011/10/20 06:45:47 | 000,008,096 | ---- | C] () -- C:\WINDOWS\WCDTGR.DLL
[2011/10/20 06:45:47 | 000,006,656 | ---- | C] () -- C:\WINDOWS\WNETWAY.DLL
[2011/10/20 06:45:47 | 000,004,064 | ---- | C] () -- C:\WINDOWS\WNETWT16.DLL

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
     
:Commands
[RESETHOSTS]
[EMPTYJAVA]
[purity]
[Reboot]
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.


ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply

Ron
  • 0

#3
paladin181
Posted 14 November 2011 - 04:08 PM

paladin181

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Thanks for the speedy respons. Here are the three logs you requested. on aswMBR, the Fix button was NOT enabled.

ETA This seems to have fixed the problem we were having. Thanks.

OTL Read out:
========== PROCESSES ==========
All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=2.5\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Starting removal of ActiveX control {0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
C:\WINDOWS\Downloaded Program Files\VE3DInstall.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0DB074F0-617E-4EE9-912C-2965CF2AA5A4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DB074F0-617E-4EE9-912C-2965CF2AA5A4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0DB074F0-617E-4EE9-912C-2965CF2AA5A4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DB074F0-617E-4EE9-912C-2965CF2AA5A4}\ not found.
Starting removal of ActiveX control {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
C:\WINDOWS\Downloaded Program Files\McGDMgr.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\WINDOWS\is-7FO1M.exe moved successfully.
C:\WINDOWS\is-7FO1M.msg moved successfully.
C:\WINDOWS\is-7FO1M.lst moved successfully.
C:\WINDOWS\SYSTEM32\imaadp32M.dll moved successfully.
C:\WINDOWS\ultimadll.INI moved successfully.
C:\WINDOWS\131894 moved successfully.
C:\WINDOWS\tasks\XGEO.job moved successfully.
C:\WINDOWS\WDTGR.DLL moved successfully.
C:\WINDOWS\WCDTGR.DLL moved successfully.
C:\WINDOWS\WNETWAY.DLL moved successfully.
C:\WINDOWS\WNETWT16.DLL moved successfully.
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theresa\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theresa\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theresa\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theresa\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theresa\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theresa\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theresa\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theresa\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: My Documents

User: NetworkService

User: theresa
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 11142011_163337

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Combofix log

ComboFix 11-11-14.02 - theresa 11/14/2011 16:45:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.526 [GMT -5:00]
Running from: c:\documents and settings\theresa\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\theresa\WINDOWS
c:\program files\Internet Explorer\SET1B6.tmp
c:\program files\Internet Explorer\SETF7.tmp
c:\program files\Internet Explorer\SETFC.tmp
c:\windows\offitems.log
c:\windows\system32\smtp.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-10-14 to 2011-11-14 )))))))))))))))))))))))))))))))
.
.
2011-11-14 21:33 . 2011-11-14 21:33 -------- d-----w- C:\_OTL
2011-11-14 14:31 . 2011-11-14 14:31 -------- d-----w- C:\_OTM
2011-11-14 14:30 . 2011-11-14 14:30 -------- d-----w- C:\ERDNT
2011-11-14 14:29 . 2011-11-14 14:29 -------- d-----w- c:\program files\ERUNT
2011-11-11 19:30 . 2011-11-11 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2011-11-10 19:02 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 16:17 . 2011-11-10 16:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-10 13:06 . 2011-11-11 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 13:43 . 2011-11-09 13:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-09 13:43 . 2011-11-09 13:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-11-09 13:39 . 2011-11-09 13:39 -------- d-----w- c:\documents and settings\theresa\Application Data\Malwarebytes
2011-11-09 13:39 . 2011-11-09 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-08 13:04 . 2011-11-14 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-11-08 13:04 . 2011-11-08 13:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-19 19:18 . 2011-11-08 13:00 -------- d-----w- c:\documents and settings\theresa\Local Settings\Application Data\WinZip
2011-10-19 18:28 . 2011-10-19 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-10-19 17:35 . 2011-10-20 12:19 -------- d-----w- c:\program files\Schneider Electric
2011-10-19 17:35 . 2001-02-23 18:12 57344 ----a-w- c:\windows\system32\mfc42loc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-14 14:20 . 2011-10-13 19:46 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-10-14 14:20 . 2011-10-13 19:46 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-10-14 14:20 . 2011-10-13 19:46 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-10-14 14:20 . 2011-10-13 19:45 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2011-10-10 14:22 . 2004-08-04 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:15 . 2011-06-03 11:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-28 07:06 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-04 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 11:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
1998-12-05 01:02 . 2005-02-03 19:01 589824 -c--a-w- c:\program files\Printkey.exe
2004-08-04 11:00 94784 -csh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 50688 -csh--w- c:\windows\twain_32.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"gusvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Cyberlogic\\Ethernet MBX Driver\\EMbxRpcS.exe"=
"c:\\Program Files\\Common Files\\Cyberlogic Shared\\gMbxRpcS.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Schneider Electric\\PowerSuite\\atvpc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:*:Disabled:DCOM
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\SYSTEM32\DRIVERS\SmartDefragDriver.sys [3/11/2011 8:39 AM 14776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/19/2010 11:27 AM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 2:02 PM 366152]
R2 NA_Service;NetAccess Service;c:\windows\SYSTEM32\NA_Service.exe [10/20/2011 6:45 AM 49152]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [11/10/2011 2:02 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 3:38 PM 136176]
S2 MCT10 Service;MCT10 Service;c:\program files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [12/9/2010 10:23 AM 59392]
S3 ClmbxPnP;Cyberlogic MBX Driver (PnP);c:\windows\system32\Drivers\ClmbxPnP.sys --> c:\windows\system32\Drivers\ClmbxPnP.sys [?]
S3 CLMbxUsb;Cyberlogic MBX Driver (USB);c:\windows\SYSTEM32\DRIVERS\CLMbxUsb.sys [3/2/2010 10:45 AM 94608]
S3 eMBX;Cyberlogic Ethernet MBX Driver;c:\program files\Cyberlogic\Ethernet MBX Driver\EMbxRpcS.exe [2/5/2008 2:51 PM 222480]
S3 gMBX;Cyberlogic MBX Gateway Server;c:\program files\Common Files\Cyberlogic Shared\gMbxRpcS.exe [10/4/2007 10:00 AM 182544]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 3:38 PM 136176]
S3 USBMotion;USBMotion.SYS - USB Motion Controller;c:\windows\SYSTEM32\DRIVERS\USBMotion.sys [11/27/2006 2:40 PM 19968]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:37]
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:37]
.
2008-11-06 c:\windows\Tasks\HPFRU Task 2003-06-24 19:40ewlett-Packard2003-06-24 19:40p officejet 7100 series2889F2163A36016833EE17BCE444564664912314103143488.job
- c:\program files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-25 06:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: Interfaces\{6B427887-88E1-4491-B6A2-7E417D2CF021}: NameServer = 192.168.1.1
DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://cadenas.partcommunity.com/partserver/viewer/cnsweb3d/cnsweb3d.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{10B15004-CD2A-49BD-ACB7-DFA124F39273} - c:\program files\InstallShield Installation Information\{10B15004-CD2A-49BD-ACB7-DFA124F39273}\setup.exe -runfromtemp -l0x0009 -removeonly\ -REMV
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-14 16:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'lsass.exe'(956)
c:\windows\system32\relog_ap.dll
.
Completion time: 2011-11-14 16:53:49
ComboFix-quarantined-files.txt 2011-11-14 21:53
.
Pre-Run: 41,798,598,656 bytes free
Post-Run: 41,756,987,392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0784723FE5C3624451B4F26077F0F1C4


aswMBR log

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-14 16:57:28
-----------------------------
16:57:28.156 OS Version: Windows 5.1.2600 Service Pack 3
16:57:28.156 Number of processors: 1 586 0x401
16:57:28.156 ComputerName: DRIVES UserName:
16:57:28.484 Initialize success
16:58:35.937 AVAST engine defs: 11111401
16:58:39.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:58:39.265 Disk 0 Vendor: ST380011A 8.16 Size: 76293MB BusType: 3
16:58:41.281 Disk 0 MBR read successfully
16:58:41.281 Disk 0 MBR scan
16:58:41.328 Disk 0 unknown MBR code
16:58:41.328 Disk 0 scanning sectors +156232125
16:58:41.437 Disk 0 scanning C:\WINDOWS\system32\drivers
16:58:56.687 Service scanning
16:58:57.562 Modules scanning
16:59:11.656 AVAST engine scan C:\WINDOWS
16:59:19.046 AVAST engine scan C:\WINDOWS\system32
17:01:55.859 AVAST engine scan C:\WINDOWS\system32\drivers
17:02:17.921 AVAST engine scan C:\Documents and Settings\theresa
17:04:57.640 AVAST engine scan C:\Documents and Settings\All Users
17:05:17.671 Scan finished successfully
17:05:50.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\theresa\Desktop\MBR.dat"
17:05:50.109 The log file has been saved successfully to "C:\Documents and Settings\theresa\Desktop\aswMBR.txt"

Edited by paladin181, 14 November 2011 - 04:10 PM.

  • 0

#4
RKinner
Posted 15 November 2011 - 02:52 PM

RKinner

    Malware Expert

  • Expert
  • 21,003 posts
  • MVP
That's about all I see so I think we can clean up now.

We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not upgdate it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP