Google Redirect [Solved]


This topic is locked

#31 rak6789 (Member, Topic Starter, 23 posts)
The AVZ scan stops responding with 78% remaining, I've tried it a few times with the same result.

I can remove Comodo if you think that will help.


#32 Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
Initially I saw the signs of a pretty nasty infection but it disappeared. I'm thinking that maybe the first run of ComboFix zapped part of it because I've not been able to find it since. However, something is stopping all of our tools so I'm wondering if it isn't Comodo. This would not be the first time it has done that. Go ahead and uninstall Comodo and see if you can get a ComboFix run to go. :)

#33 rak6789 (Member, Topic Starter, 23 posts)
OK, ComboFix will now run (at last!)

Here is the log:

ComboFix 09-09-14.02 - Ian 16/09/2009 13:50.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1560 [GMT 1:00]
Running from: c:\documents and settings\Ian\Desktop\shav.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
c:\documents and settings\dell\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
c:\documents and settings\Ian\Application Data\Microsoft\Installer\{043F125C-CB0D-4030-8E68-38760B0E79ED}\Anybus_IPconfig.ex_043F125CCB0D40308E6838760B0E79ED.exe
c:\documents and settings\Ian\Application Data\Microsoft\Installer\{043F125C-CB0D-4030-8E68-38760B0E79ED}\ARPPRODUCTICON.exe
c:\windows\system32\images
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 13:01 . 2009-09-16 13:01 -------- d-----w- c:\windows\LastGood
2009-09-16 07:52 . 2009-09-16 11:50 7168 ----a-w- c:\windows\system32\drivers\uteyotg2.sys
2009-09-15 16:23 . 2009-09-15 16:24 -------- d-----w- C:\32788R22FWJFW.18.tmp
2009-09-15 14:46 . 2009-09-15 14:46 135168 ----a-w- C:\zip.exe
2009-09-15 09:10 . 2009-09-15 09:12 -------- d-----w- c:\program files\WinPcap
2009-09-15 09:09 . 2008-03-21 14:42 4211 ----a-r- c:\windows\system32\drivers\alertdrv.sys
2009-09-15 09:09 . 2008-03-21 14:42 9924 ----a-r- c:\windows\system32\drivers\g3usb.sys
2009-09-15 09:09 . 2009-09-15 09:09 -------- d-----w- c:\program files\Red Lion Controls
2009-09-15 08:07 . 2009-09-15 08:31 -------- d-----w- C:\32788R22FWJFW.17.tmp
2009-09-15 08:06 . 2009-09-15 08:07 -------- d-----w- C:\32788R22FWJFW.16.tmp
2009-09-15 07:46 . 2009-09-15 08:06 -------- d-----w- C:\32788R22FWJFW.15.tmp
2009-09-15 07:13 . 2009-09-15 07:46 -------- d-----w- C:\32788R22FWJFW.14.tmp
2009-09-15 07:12 . 2009-09-15 07:13 -------- d-----w- C:\32788R22FWJFW.13.tmp
2009-09-15 07:10 . 2009-09-15 07:12 -------- d-----w- C:\32788R22FWJFW.12.tmp
2009-09-14 20:46 . 2009-09-15 07:10 -------- d-----w- C:\32788R22FWJFW.11.tmp
2009-09-14 20:33 . 2009-09-14 20:46 -------- d-----w- C:\32788R22FWJFW.10.tmp
2009-09-14 19:53 . 2009-09-14 20:33 -------- d-----w- C:\32788R22FWJFW.9.tmp
2009-09-14 19:52 . 2009-09-14 19:53 -------- d-----w- C:\32788R22FWJFW.8.tmp
2009-09-14 18:54 . 2009-09-14 19:52 -------- d-----w- C:\32788R22FWJFW.7.tmp
2009-09-14 18:48 . 2009-09-14 18:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-14 15:57 . 2009-09-14 15:59 -------- d-----w- C:\32788R22FWJFW.6.tmp
2009-09-14 15:56 . 2009-09-14 15:57 -------- d-----w- C:\32788R22FWJFW.5.tmp
2009-09-14 15:50 . 2009-09-14 15:56 -------- d-----w- C:\32788R22FWJFW.4.tmp
2009-09-14 13:27 . 2009-09-14 15:50 -------- d-----w- C:\32788R22FWJFW.3.tmp
2009-09-14 13:17 . 2009-09-14 13:27 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-09-14 13:16 . 2009-09-14 13:17 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-09-14 12:14 . 2009-09-14 18:42 -------- d-----w- C:\ComboFix
2009-09-13 19:09 . 2009-09-13 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 19:09 . 2009-09-16 12:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 19:09 . 2009-09-13 19:09 -------- d-----w- c:\documents and settings\Ian\Application Data\SUPERAntiSpyware.com
2009-09-13 17:00 . 2009-09-13 17:00 -------- d-----w- c:\program files\Sophos
2009-09-13 16:42 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 16:42 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:42 . 2009-09-13 18:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 15:49 . 2009-09-14 12:20 -------- d--h--w- c:\windows\PIF
2009-09-13 08:25 . 2009-09-13 08:25 -------- d-----w- c:\documents and settings\Ian\Application Data\Malwarebytes
2009-09-13 08:25 . 2009-09-13 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 15:11 . 2009-09-10 15:11 -------- d-----w- c:\documents and settings\Ian\Application Data\Schneider Electric
2009-09-10 14:10 . 2009-09-10 14:10 -------- d-----w- c:\documents and settings\Ian\Application Data\Macrovision
2009-09-10 14:10 . 2009-09-10 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-09-08 14:53 . 2009-09-12 17:40 664 ----a-w- c:\documents and settings\Ian\Local Settings\Application Data\d3d9caps.dat
2009-09-08 14:51 . 2009-09-08 14:51 -------- d-----w- c:\windows\Sun
2009-09-08 11:37 . 2009-09-08 11:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-08 10:32 . 2009-09-08 11:49 -------- d-----w- c:\program files\Modbus Tools
2009-09-07 08:36 . 2009-09-07 08:36 -------- d-----w- c:\documents and settings\Ian\Application Data\E-Designer
2009-09-01 11:03 . 2009-09-01 11:03 -------- d-----w- c:\documents and settings\Ian\Application Data\Rockwell Software
2009-09-01 10:51 . 2009-09-01 10:51 -------- d-----w- c:\program files\HMS
2009-08-20 13:01 . 2009-08-20 13:01 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2009-08-20 11:51 . 2009-08-20 11:51 -------- d-----w- c:\program files\Aladdin
2009-08-20 11:49 . 2008-02-11 15:55 586240 ----a-w- c:\windows\system32\drivers\hardlock.sys
2009-08-20 11:49 . 2009-08-20 11:49 -------- d-----w- c:\program files\Common Files\Aladdin Shared
2009-08-20 11:49 . 2008-04-24 12:40 2562048 ----a-w- c:\windows\system32\hasplms.exe
2009-08-20 11:49 . 2008-03-18 15:09 350720 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2009-08-20 11:49 . 2009-08-20 11:49 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-08-20 11:49 . 2009-08-20 11:49 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-08-20 11:49 . 2009-08-20 11:49 383 ----a-w- c:\windows\system32\haspdos.sys
2009-08-19 12:21 . 2009-09-11 20:36 -------- d-----w- c:\program files\Common Files\Schneider Electric Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 12:45 . 2009-04-21 12:16 -------- d-----w- c:\program files\COMODO
2009-09-16 06:54 . 2009-08-05 09:20 -------- d-----w- c:\documents and settings\Ian\Application Data\Wave Systems Corp
2009-09-15 14:07 . 2009-08-05 09:25 36544 ----a-w- c:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 13:46 . 2009-08-06 10:22 -------- d-----w- c:\documents and settings\Ian\Application Data\Autodesk
2009-09-15 13:46 . 2009-08-06 10:03 -------- d-----w- c:\program files\Autodesk
2009-09-15 13:39 . 2009-08-06 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-09-15 09:09 . 2009-04-21 08:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 20:36 . 2009-08-05 12:03 -------- d-----w- c:\program files\Schneider Electric
2009-09-03 10:39 . 2009-08-05 15:44 -------- d-----w- c:\program files\Common Files\Rockwell
2009-08-27 18:20 . 2009-08-06 19:26 -------- d-----w- c:\documents and settings\Ian\Application Data\ImgBurn
2009-08-21 13:10 . 2009-04-21 13:27 -------- d-----w- c:\program files\Roxio
2009-08-21 13:06 . 2009-04-21 13:28 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-18 10:12 . 2009-08-05 09:38 -------- d-----w- c:\documents and settings\Ian\Application Data\Apple Computer
2009-08-14 08:32 . 2009-08-14 08:32 -------- d-----w- c:\program files\ControlFLASH
2009-08-12 09:35 . 2009-08-12 09:35 -------- d-----w- c:\program files\Microsoft WSE
2009-08-12 08:10 . 2009-08-12 08:10 -------- d-----w- c:\program files\Common Files\EPSON
2009-08-11 15:58 . 2009-05-06 10:24 94778 ----a-w- c:\windows\system32\nvModes.dat
2009-08-11 08:44 . 2009-08-11 08:44 -------- d-----w- c:\program files\ProSoft Technology
2009-08-11 08:38 . 2009-08-11 08:38 -------- d-----w- c:\program files\Multitek M55x Monitor and Utilities
2009-08-11 08:38 . 2009-08-11 08:38 286720 ----a-w- c:\windows\iun506.exe
2009-08-10 15:33 . 2009-08-10 15:33 -------- d-----w- c:\program files\GPLGS
2009-08-10 08:25 . 2009-04-21 11:33 -------- d-----w- c:\program files\OpenOffice.org 3
2009-08-07 15:51 . 2009-08-07 15:51 -------- d-----w- c:\program files\Business Objects
2009-08-07 15:51 . 2009-08-07 15:20 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-07 15:50 . 2009-08-07 15:40 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-07 15:48 . 2009-08-07 15:20 -------- d-----w- c:\program files\Microsoft.NET
2009-08-07 15:39 . 2009-08-07 15:39 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-08-07 15:39 . 2009-08-07 15:38 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2009-08-07 15:37 . 2009-08-07 15:37 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-08-07 15:37 . 2009-08-07 15:37 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-07 15:34 . 2009-08-07 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-07 15:28 . 2009-08-07 15:20 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-08-07 15:28 . 2009-08-07 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-08-07 15:24 . 2009-08-07 15:20 -------- d-----w- c:\program files\HTML Help Workshop
2009-08-07 15:24 . 2009-04-21 10:35 -------- d-----w- c:\program files\MSBuild
2009-08-07 15:20 . 2009-08-07 15:20 -------- d-----w- c:\program files\Microsoft SDKs
2009-08-07 15:20 . 2009-08-07 15:20 -------- d-----w- c:\program files\CE Remote Tools
2009-08-07 15:19 . 2009-08-07 15:19 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2009-08-07 14:35 . 2009-08-07 14:35 -------- d-----w- c:\program files\MSXML 6.0
2009-08-07 13:25 . 2009-08-07 13:25 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-08-07 10:52 . 2009-08-07 10:52 -------- d-----w- c:\program files\Siemens
2009-08-06 15:54 . 2009-08-06 15:54 -------- d-----w- c:\documents and settings\Ian\Application Data\OpenOffice.org
2009-08-06 15:41 . 2009-08-06 15:41 -------- d-----w- c:\program files\V6W
2009-08-06 15:35 . 2009-08-06 15:35 -------- d-----w- c:\documents and settings\Ian\Application Data\InstallShield
2009-08-06 15:32 . 2009-08-06 15:14 -------- d-----w- c:\program files\OMRON
2009-08-06 15:23 . 2009-08-06 15:23 -------- d-----w- c:\program files\Common Files\Hilscher
2009-08-06 15:22 . 2009-08-06 08:20 -------- d-----w- c:\program files\Common Files\OMRON
2009-08-06 15:18 . 2009-08-06 15:18 -------- d-----w- c:\program files\National Instruments
2009-08-06 15:18 . 2009-08-06 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Omron
2009-08-06 14:55 . 2009-08-06 14:50 -------- d-----w- c:\program files\Common Files\Beijers Shared
2009-08-06 14:54 . 2009-08-06 14:50 -------- d-----w- c:\program files\E-Designer
2009-08-06 14:17 . 2009-08-06 14:17 -------- d-----w- c:\program files\Acro Software
2009-08-06 14:05 . 2009-08-06 14:05 -------- d-----w- c:\program files\RSI
2009-08-06 14:05 . 2009-08-06 11:19 -------- d-----w- c:\program files\Allen-Bradley
2009-08-06 14:05 . 2009-08-06 07:34 -------- d-----w- c:\program files\Rockwell Software
2009-08-06 13:27 . 2009-08-06 13:27 1504 --sh--r- C:\EVRSI.SYS
2009-08-06 13:06 . 2009-08-06 13:06 -------- d-----w- c:\documents and settings\Ian\Application Data\AdobeUM
2009-08-06 13:06 . 2009-08-06 13:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-06 11:25 . 2009-08-06 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\WFCU
2009-08-06 11:22 . 2009-08-06 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Rockwell
2009-08-06 11:18 . 2009-08-06 11:18 1678 ----a-w- c:\windows\system32\RdcyReg.reg
2009-08-06 11:18 . 2009-08-06 11:18 1366 ----a-w- c:\windows\system32\Rsvchost.reg
2009-08-06 09:50 . 2009-08-06 09:48 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-06 09:31 . 2009-08-06 09:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-06 08:26 . 2009-08-06 07:39 -------- d-----w- c:\program files\Rockwell Automation
2009-08-06 08:21 . 2009-08-06 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Rockwell Automation
2009-08-06 08:20 . 2009-08-06 08:20 -------- d-----w- c:\program files\Common Files\OPC Foundation
2009-08-06 07:46 . 2009-08-06 07:46 126 ----a-w- c:\documents and settings\Ian\Local Settings\Application Data\fusioncache.dat
2009-08-06 07:36 . 2009-08-06 07:36 -------- d-----w- c:\program files\RSLogix 5000 Module Profiles
2009-08-05 20:06 . 2009-08-05 20:06 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-08-05 11:55 . 2009-08-05 11:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-05 11:55 . 2009-04-21 08:47 -------- d-----w- c:\program files\Java
2009-08-05 11:55 . 2009-08-05 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-05 11:21 . 2009-08-05 11:21 -------- d-----w- c:\documents and settings\Ian\Application Data\Toshiba
2009-08-05 09:31 . 2009-08-05 09:30 -------- d-----w- c:\documents and settings\Ian\Application Data\Roxio
2009-08-05 09:20 . 2009-08-05 09:20 -------- d-----w- c:\documents and settings\Ian\Application Data\Dell
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:11 . 2009-08-05 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-08-05 09:01 . 2009-04-21 10:57 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 01:18 . 2004-08-04 10:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2006-03-04 03:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-04 10:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 10:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 10:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 10:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 10:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 10:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 10:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 10:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 10:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 10:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 10:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:17 . 2009-04-21 09:58 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2009-04-21 09:58 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2009-04-21 09:58 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:17 . 2004-08-04 10:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2004-08-04 10:00 56320 ----a-w- c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 148888]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-01-31 176128]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-01 65536]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-07-31 65536]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2008-05-27 434176]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-11-17 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-4-21 50688]
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2004-10-11 131584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v17\\Bin\\RS5000.Exe"=
"c:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\countermonitor.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"=
"c:\\Automation\\ftp wanderer\\FTPWanderer.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Rockwell Software\\BOOTP-DHCP Server\\BootpServer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HMS\\Anybus IPconfig\\Anybus IPconfig.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Port 135 TCP
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AlertDrv;AlertDrv;c:\windows\system32\drivers\alertdrv.sys [15/09/2009 10:09 4211]
R3 PcmkWdm;%PcmkWdm.DeviceDesc%;c:\windows\system32\drivers\PcmkWdm.sys [09/08/2009 08:19 58140]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 DUNTLW;SA UNITELWAY Protocol;c:\windows\system32\drivers\Duntlw.sys [06/08/2009 16:45 136224]
S3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [17/09/2007 23:36 217088]
S3 FTActivationBoost;FactoryTalk Activation Helper;c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [22/05/2008 17:50 58664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [09/07/2007 10:47 94208]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
S3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [18/09/2007 00:57 212992]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [29/06/2007 01:01 42512]
S3 PccWdm;%PccWdm.DeviceDesc%;c:\windows\system32\drivers\PccWdm.sys [09/08/2009 08:14 57572]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [18/09/2007 00:57 212992]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [13/11/2002 14:38 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [05/07/2008 18:19 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [23/04/2002 19:02 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [05/07/2008 18:19 155440]
S3 uteyotg2;AVZ Kernel Driver;c:\windows\system32\drivers\uteyotg2.sys [16/09/2009 08:52 7168]
S3 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [04/08/2004 11:00 5120]
S3 XBTZG935 USB Link Cable;XBTZG935 USB Link Cable;c:\program files\Schneider Electric\Vijeo-Designer\Vijeo-Frame\XBTZG935\XBTGZ935_ulnk(36fc9e60-c465-11cf-8056-444553540000).exe [10/11/2008 20:08 93400]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)
AddRemove-PL7 ProV34 - c:\windows\PL7SYS\UNINSTAL\SETUP PL7PRO/PL7 Pro/34/E
AddRemove-WIN 32 V3.1.2.22 - c:\windows\IsUninst.exe -fc:\program files\Siemens\STEP 7-MicroWIN 32\Uninst.isu
AddRemove-XBTL1000 - c:\windows\IsUninst.exe -fc:\program files\Schneider Electric\XBT-L1000\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 14:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UsbCipHelper = c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe????????????j?w??????@???D????????|P?E????|????????????1??|????P?E?????????<???????????????????>?@?????`???<??????|?????????????$???? ???D??????>@????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\17.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1452)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3312)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\hasplms.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKEEPER.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
.
**************************************************************************
.
Completion time: 2009-09-16 14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 13:07

Pre-Run: 39,280,324,608 bytes free
Post-Run: 39,088,918,528 bytes free

381 --- E O F --- 2009-09-14 07:28
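A helper reads a log like the one above by eye, looking for the same handful of signals each time. The Python script below is an added example (not part of the thread, and not ComboFix's own code) that pulls those signals out of a ComboFix log automatically: executables dropped at the volume root, files carrying hidden+system attributes, drivers with random-looking eight-character names, a populated AppInit_DLLs value, non-default LSA authentication packages, and services whose image path is a .tmp file. The sample lines are excerpted from the posted log; the heuristics are the example's own assumptions, and every flag is a starting point for a look-up rather than a verdict. The log itself, for instance, ties uteyotg2.sys to "AVZ Kernel Driver" in the services list, and the Wave Systems Corp EMBASSY entries in the Run keys are the first place to check wxvault.dll and wvauth against (an inference, not something the log states).

```python
"""Triage a ComboFix log: surface the persistence points and file entries that deserve a
second look. Added example, not part of the thread or of ComboFix; the heuristics are assumptions."""
import re
from collections import namedtuple

# Excerpt of the log posted above (representative lines only).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
2009-09-16 07:52 . 2009-09-16 11:50 7168 ----a-w- c:\windows\system32\drivers\uteyotg2.sys
2009-09-15 14:46 . 2009-09-15 14:46 135168 ----a-w- C:\zip.exe
2009-09-13 16:42 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 13:27 . 2009-08-06 13:27 1504 --sh--r- C:\EVRSI.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

R3 AlertDrv;AlertDrv;c:\windows\system32\drivers\alertdrv.sys [15/09/2009 10:09 4211]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")           # '((( Name )))' banners
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
                     r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+)$")  # 'R3 name;desc;image [..]'
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|sys|dll)$")
RANDOM_DRIVER_RE = re.compile(r"^[a-z0-9]{8}\.sys$")

Finding = namedtuple("Finding", "kind subject reason")  # kind: file / registry / service

def split_sections(text):
    """Group lines under the banner that precedes them."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name")
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections

def triage_files(lines):
    findings = []
    for m in filter(None, map(FILE_RE.match, lines)):
        path, attrs, low = m.group("path"), m.group("attrs"), m.group("path").lower()
        if ROOT_EXE_RE.match(low):
            findings.append(Finding("file", path, "executable dropped at the volume root"))
        if "s" in attrs and "h" in attrs:
            findings.append(Finding("file", path, f"hidden+system attributes ({attrs})"))
        if "\\drivers\\" in low and RANDOM_DRIVER_RE.match(low.rsplit("\\", 1)[-1]):
            findings.append(Finding("file", path, "random-looking driver name; match it against the services list"))
    return findings

def triage_registry(lines):
    findings, key = [], ""
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and v.group("name").lower() == "appinit_dlls" and v.group("value").strip():
            findings.append(Finding("registry", key + "\\AppInit_DLLs",
                                    f"AppInit_DLLs loads {v.group('value').strip()} into every process that maps user32.dll"))
        elif line.startswith("Authentication Packages") and "REG_MULTI_SZ" in line:
            extra = [p for p in line.split("REG_MULTI_SZ", 1)[1].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("registry", key + "\\Authentication Packages",
                                        "non-default LSA authentication package(s) loaded into lsass.exe: " + ", ".join(extra)))
    return findings

def triage_services(lines):
    findings = []
    for m in filter(None, map(SERVICE_RE.match, lines)):
        image = re.sub(r"\s*\[[^\]]*\]$", "", m.group("image").split(" --> ")[0]).strip()
        if image.lower().endswith(".tmp"):
            findings.append(Finding("service", m.group("name"), f"service image is a .tmp file: {image}"))
    return findings

def triage(text):
    """All findings for one log, in log order: files, then registry, then services."""
    sections, findings = split_sections(text), []
    for name, lines in sections.items():
        if name.startswith("Files Created"):
            findings += triage_files(lines)
        elif name == "Reg Loading Points":
            findings += triage_registry(lines)
    return findings + triage_services(text.splitlines())

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Point it at a saved log with `triage(open("ComboFix.txt").read())`. On the excerpt it reports seven findings and stays quiet on mbam.sys and the SUPERAntiSpyware Run entry; the two registry findings are the ones worth the most attention because AppInit_DLLs and LSA authentication packages run inside every GUI process and inside lsass.exe respectively, which is exactly where a security product and a credential thief both want to be.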

#34 Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
Yay! :) I'm removing Comodo from my list of recommendations. This is not the first time that has happened!

Do you have internet back?

------------------
Step 1:
------------------

Please submit the following files to VirScan.org

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\zip.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

------------------
Step 2:
------------------

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\32788R22FWJFW.17.tmp
    C:\32788R22FWJFW.16.tmp
    C:\32788R22FWJFW.15.tmp
    C:\32788R22FWJFW.14.tmp
    C:\32788R22FWJFW.13.tmp
    C:\32788R22FWJFW.12.tmp
    C:\32788R22FWJFW.11.tmp
    C:\32788R22FWJFW.10.tmp
    C:\32788R22FWJFW.9.tmp
    C:\32788R22FWJFW.8.tmp
    C:\32788R22FWJFW.7.tmp
    C:\32788R22FWJFW.6.tmp
    C:\32788R22FWJFW.5.tmp
    C:\32788R22FWJFW.4.tmp
    C:\32788R22FWJFW.3.tmp
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.1.tmp
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

------------------
Step 3:
------------------

Please post back with the following:
  • How your machine is running
  • Virscan results
  • OTL fix results


#35 rak6789 (Member, Topic Starter, 23 posts)
Yes, internet is back up.

Here is the scan of c:\zip.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/07/18 18:00:49 (BST)
Scanner results: 3% Scanner(1/38) found malware!
File Name : zip.exe
File Size : 135168 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : db9b1cc34b35136f35e333de520c15f5
SHA1 : 538bc7ab67c44c44e998bac022fefdddbaa1976f
Online report : http://virscan.org/r...f2e309a9fb.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.3 20090718010457 2009-07-18 0.52 -
AhnLab V3 2009.07.18.00 2009.07.18 2009-07-18 0.99 -
AntiVir 8.2.0.222 7.1.4.252 2009-07-17 0.39 -
Antiy 2.0.18 20090716.2619098 2009-07-16 0.02 -
Arcavir 2009 200907180648 2009-07-18 0.07 -
Authentium 5.1.1 200907172230 2009-07-17 1.49 -
AVAST! 4.7.4 090717-0 2009-07-17 0.01 -
AVG 8.5.288 270.13.19/2245 2009-07-18 0.34 -
BitDefender 7.81008.3774081 7.26667 2009-07-18 3.32 -
CA (VET) 9.0.0.143 31.6.6623 2009-07-18 3.14 -
ClamAV 0.95.2 9587 2009-07-18 0.03 -
Comodo 3.10 1693 2009-07-18 0.69 Backdoor.Win32.GameThief.Nileage.cz
CP Secure 1.1.0.715 2009.07.18 2009-07-18 11.42 -
Dr.Web 4.44.0.9170 2009.07.18 2009-07-18 4.99 -
F-Prot 4.4.4.56 20090717 2009-07-17 1.43 -
F-Secure 5.51.6100 2009.07.18.01 2009-07-18 0.10 -
Fortinet 2.81-3.120 10.619 2009-07-18 0.28 -
GData 19.6542/19.400 20090718 2009-07-18 4.54 -
ViRobot 20090716 2009.07.16 2009-07-16 0.77 -
Ikarus T3.1.01.64 2009.07.18.73057 2009-07-18 3.38 -
JiangMin 11.0.800 2009.07.18 2009-07-18 3.75 -
Kaspersky 5.5.10 2009.07.18 2009-07-18 0.09 -
KingSoft 2009.2.5.15 2009.7.18.21 2009-07-18 0.49 -
McAfee 5.3.00 5680 2009-07-18 2.94 -
Microsoft 1.4803 2009.07.18 2009-07-18 5.41 -
mks_vir 2.01 2009.07.15 2009-07-15 3.30 -
Norman 6.01.09 6.01.00 2009-07-16 4.01 -
Panda 9.05.01 2009.07.17 2009-07-17 1.78 -
Trend Micro 8.700-1004 6.290.01 2009-07-18 0.00 -
Quick Heal 10.00 2009.07.17 2009-07-17 1.26 -
Rising 20.0 21.38.52.00 2009-07-18 0.81 -
Sophos 2.88.0 4.43 2009-07-18 2.86 -
Sunbelt 5267 5267 2009-07-17 1.02 -
Symantec 1.3.0.24 20090718.003 2009-07-18 0.08 -
nProtect 20090718.01 4801869 2009-07-18 7.16 -
The Hacker 6.3.4.3 v00370 2009-07-17 0.66 -
VBA32 3.12.10.8 20090717.0839 2009-07-17 1.98 -
VirusBuster 4.5.11.10 10.109.2/1838057 2009-07-18 2.26 -


OTL scan to follow
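Two things are worth checking around a report like the one above before acting on it: that the file actually submitted is the one the report describes (the MD5/SHA1 lines should match a locally computed hash of the same file), and how many engines agreed, since a single-vendor hit such as the 1/38 here is a signal that wants corroboration rather than a verdict on its own. The script below is an added example, not code from this thread or from VirSCAN.org: it hashes a file and parses a VirSCAN-style results table to list the engines that returned a detection name and the hit ratio. The sample report text is constructed in the shape of the table above (the hash lines and the Comodo row are copied from the post, the other rows trimmed), and the file it hashes is a throwaway temporary file standing in for zip.exe.

```python
"""Hash a suspect file and summarise a VirSCAN-style multi-engine report.

Added example, not code from the thread or from VirSCAN.org. The report
text and the demo file below are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample shaped like the VirSCAN.org table in the post above:
# the hash lines and the Comodo row are copied from it, the rest trimmed.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
File Name : zip.exe
File Size : 135168 byte
MD5 : db9b1cc34b35136f35e333de520c15f5
SHA1 : 538bc7ab67c44c44e998bac022fefdddbaa1976f

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.3 20090718010457 2009-07-18 0.52 -
AhnLab V3 2009.07.18.00 2009.07.18 2009-07-18 0.99 -
CA (VET) 9.0.0.143 31.6.6623 2009-07-18 3.14 -
Comodo 3.10 1693 2009-07-18 0.69 Backdoor.Win32.GameThief.Nileage.cz
Dr.Web 4.44.0.9170 2009.07.18 2009-07-18 4.99 -
Quick Heal 10.00 2009.07.17 2009-07-17 1.26 -
Trend Micro 8.700-1004 6.290.01 2009-07-18 0.00 -
VirusBuster 4.5.11.10 10.109.2/1838057 2009-07-18 2.26 -
"""

# One result row: engine name (may contain spaces), engine version,
# signature version, ISO signature date, scan seconds, result ("-" = clean).
# The non-greedy engine group backtracks until the date column lines up,
# which is what handles names like "AhnLab V3" or "CA (VET)".
_ROW = re.compile(
    r"^(?P<engine>.+?)\s+(?P<engine_ver>\S+)\s+(?P<sig_ver>\S+)\s+"
    r"(?P<sig_date>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+(?:\.\d+)?)\s+(?P<result>\S+)$"
)
_HASH = re.compile(r"^(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)$")


def parse_report(text):
    """Split a VirSCAN-style text report into its hash lines and engine rows."""
    hashes, rows = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = _HASH.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = _ROW.match(line)
        if m:
            rows.append((m.group("engine"), m.group("result")))
    return {"hashes": hashes, "rows": rows}


def summarize(parsed):
    """Count engines and list the ones that returned a detection name."""
    rows = parsed["rows"]
    hits = [(engine, result) for engine, result in rows if result != "-"]
    return {"engines": len(rows), "detections": hits,
            "ratio": len(hits) / len(rows) if rows else 0.0}


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha1, sha256) hex digests, streaming the file in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_matches_report(path, parsed):
    """True only if the local file's MD5 and SHA1 both equal the report's."""
    md5, sha1, _ = hash_file(path)
    h = parsed["hashes"]
    return h.get("md5") == md5 and h.get("sha1") == sha1


def write_demo_file():
    """Create a throwaway file standing in for C:\\zip.exe (constructed data)."""
    fd, path = tempfile.mkstemp(prefix="zip-demo-", suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"demo bytes standing in for zip.exe, not a real binary\n")
    return path


def report_for_local_file(path):
    """Build a minimal report whose hash lines describe the local file."""
    md5, sha1, _ = hash_file(path)
    return f"MD5 : {md5}\nSHA1 : {sha1}\nComodo 3.10 1693 2009-07-18 0.69 -\n"


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    info = summarize(parsed)
    print(f"{len(info['detections'])}/{info['engines']} engines flagged the file")
    for engine, name in info["detections"]:
        print(f"  {engine}: {name}")
    demo = write_demo_file()
    print("local file matches report hashes:", hash_matches_report(demo, parsed))
    os.remove(demo)
```

Run it against a saved copy of a real report by reading the file into `parse_report` and passing the path of the submitted binary to `hash_matches_report`; a mismatch means the report is for a different file (a re-downloaded or updated copy, for instance) and should not be acted on.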

#36
rak6789 (Member, Topic Starter, 23 posts)
otl log

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\32788R22FWJFW.17.tmp\License moved successfully.
C:\32788R22FWJFW.17.tmp moved successfully.
C:\32788R22FWJFW.16.tmp\License moved successfully.
C:\32788R22FWJFW.16.tmp moved successfully.
C:\32788R22FWJFW.15.tmp\License moved successfully.
C:\32788R22FWJFW.15.tmp moved successfully.
C:\32788R22FWJFW.14.tmp\License moved successfully.
C:\32788R22FWJFW.14.tmp moved successfully.
C:\32788R22FWJFW.13.tmp\License moved successfully.
C:\32788R22FWJFW.13.tmp moved successfully.
C:\32788R22FWJFW.12.tmp\License moved successfully.
C:\32788R22FWJFW.12.tmp moved successfully.
C:\32788R22FWJFW.11.tmp\License moved successfully.
C:\32788R22FWJFW.11.tmp moved successfully.
C:\32788R22FWJFW.10.tmp\License moved successfully.
C:\32788R22FWJFW.10.tmp moved successfully.
C:\32788R22FWJFW.9.tmp\License moved successfully.
C:\32788R22FWJFW.9.tmp moved successfully.
C:\32788R22FWJFW.8.tmp\License moved successfully.
C:\32788R22FWJFW.8.tmp moved successfully.
C:\32788R22FWJFW.7.tmp\License moved successfully.
C:\32788R22FWJFW.7.tmp moved successfully.
C:\32788R22FWJFW.6.tmp\License moved successfully.
C:\32788R22FWJFW.6.tmp moved successfully.
C:\32788R22FWJFW.5.tmp\License moved successfully.
C:\32788R22FWJFW.5.tmp moved successfully.
C:\32788R22FWJFW.4.tmp\License moved successfully.
C:\32788R22FWJFW.4.tmp moved successfully.
C:\32788R22FWJFW.3.tmp\License moved successfully.
C:\32788R22FWJFW.3.tmp moved successfully.
C:\32788R22FWJFW.2.tmp\License moved successfully.
C:\32788R22FWJFW.2.tmp moved successfully.
C:\32788R22FWJFW.1.tmp\License moved successfully.
C:\32788R22FWJFW.1.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: dell
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Ian
->Temp folder emptied: 401 bytes
->Temporary Internet Files folder emptied: 6296838 bytes
->Java cache emptied: 13426615 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

C:\32788R22FWJFW.18.tmp\License folder deleted successfully.
C:\32788R22FWJFW.18.tmp folder deleted successfully.
%systemdrive% .tmp files removed: 3211731 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\hlktmp scheduled to be deleted on reboot.
Windows Temp folder emptied: 8405015 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 32.02 mb


OTL by OldTimer - Version 3.0.11.0 log created on 09162009_152521

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Computer seems to be running OK

Bit concerned about no anti-virus software, can you suggest a good one (free), I thought comodo was pretty good but now I'm not so sure!
I have got AVG on my other machines but it's quite annoying how it hogs the resources sometimes checking for updates.

#37
Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
These are my recommendations for antivirus:

AntiVirus software is used to identify and remove computer viruses. In real-time mode it can scan all incoming data for the presence of viruses and stop it before it has a chance to infect your machine. It is imperative that you have at least one but not more than one Antivirus program installed and running. Here are a few very good free Antivirus products which are available:

And these are my recommendations for firewall:

Using a firewall will allow you to give/deny access for applications that want to go online. For instance, if a keylogger gets installed on your machine and wants to send its data out across the internet, a firewall will detect this and ask if you want to give/deny access, which of course you would want to deny. Select one of these, or another of your choice:

I use Avira and Outpost at home. Of course, you will have to put up with nag screens upon updates but that's the price of free :) Here is a website to look at comparative results of antivirus applications: http://www.av-comparatives.org/

-----------------------------

Comodo is reporting C:\zip.exe as a backdoor, so we'll remove it too. Also will give you my backdoor speech.

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

------------------
Step 1:
------------------

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    :Files
    C:\zip.exe
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

------------------
Step 2:
------------------

Run Malwarebytes' Anti-Malware
  • Select the Update tab and then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select the Scanner tab and "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------
Step 3:
------------------

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

------------------
Step 4:
------------------

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.


  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

------------------
Step 5:
------------------

Please post back with the following:
  • How your machine is running
  • MBAM log
  • KasReport.txt

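Both OTL fixes in this thread (the `:Files` list of 32788R22FWJFW.*.tmp folders earlier, and `C:\zip.exe` in Step 1 here) rely on the same mechanism: OTL does not delete the listed paths, it moves them into its own _OTL\MovedFiles folder, which is why the earlier log reads "moved successfully" and why a locked item gets "scheduled to be moved on reboot". The script below is an added example written in that spirit; it is not OTL's code and not from the thread. It moves each listed path under a quarantine directory that mirrors the original location, records a SHA-256 and the original path in a manifest first, and can restore an item whose hash still matches, which is what makes removing a file on a single-engine detection reversible if it turns out to be a false positive. The directory tree it operates on, including the stand-in zip.exe and the leftover .tmp folder, is constructed for the demo.

```python
"""Quarantine listed paths by moving them, with a manifest that allows restore.

Added example in the spirit of an OTL ':Files' fix; it is not OTL's code and
not from the thread. The directory tree it operates on is constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256; return None for directories/missing paths."""
    path = Path(path)
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_target(original, qdir):
    """Map C:\\foo\\bar.exe to <qdir>/C/foo/bar.exe (POSIX: /a/b -> <qdir>/a/b)."""
    original = Path(original)
    drive = original.anchor.replace(":", "").strip("\\/")   # 'C:\\' -> 'C', '/' -> ''
    rel = Path(*original.parts[1:]) if original.anchor else original
    return Path(qdir) / drive / rel


def quarantine(paths, qdir):
    """Hash and move each path under qdir; append the records to manifest.json."""
    qdir = Path(qdir)
    records = []
    for p in paths:
        src = Path(p)
        rec = {"original": str(src), "when": datetime.now(timezone.utc).isoformat(),
               "kind": None, "sha256": None, "quarantined": None, "status": None}
        if not src.exists():
            rec["status"] = "not found"          # a path that was already gone
        else:
            rec["kind"] = "dir" if src.is_dir() else "file"
            rec["sha256"] = sha256_of(src)       # hashed before it moves
            dst = quarantine_target(src, qdir)
            dst.parent.mkdir(parents=True, exist_ok=True)
            try:
                shutil.move(str(src), str(dst))
                rec.update(status="moved", quarantined=str(dst))
            except OSError as exc:               # locked/in use: OTL defers to reboot
                rec["status"] = f"move failed: {exc}"
        records.append(rec)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = qdir / "manifest.json"
    existing = json.loads(manifest.read_text()) if manifest.exists() else []
    manifest.write_text(json.dumps(existing + records, indent=2))
    return records


def restore(record):
    """Move one quarantined item back, refusing if a file's hash no longer matches."""
    if record["status"] != "moved":
        return False
    held = Path(record["quarantined"])
    if record["kind"] == "file" and sha256_of(held) != record["sha256"]:
        raise ValueError("quarantined copy does not match its recorded SHA-256")
    dest = Path(record["original"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(held), str(dest))
    return True


def demo():
    """Constructed tree: a stand-in zip.exe, a leftover .tmp folder, a missing path."""
    root = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    suspect = root / "zip.exe"                         # stands in for C:\zip.exe
    suspect.write_bytes(b"demo bytes, not a real binary\n")
    leftover = root / "32788R22FWJFW.1.tmp"            # like the folders in the log
    (leftover / "License").mkdir(parents=True)
    missing = root / "32788R22FWJFW.99.tmp"            # never existed
    records = quarantine([suspect, leftover, missing], root / "_Quarantine")
    restored = restore(records[0])                     # bring the file back
    return {"root": root, "records": records, "restored": restored,
            "suspect_back": suspect.is_file(), "leftover_gone": not leftover.exists()}


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print(f"{rec['status']:>10}  {rec['original']}")
    print("restored zip.exe:", result["restored"])
```

The manifest is the part that matters: once the quarantined copy has been hashed and its original location recorded, the file can be re-submitted to other scanners from quarantine and put back with `restore` if the detection does not hold up, without ever having to guess where it came from.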

#38
rak6789 (Member, Topic Starter, 23 posts)
Here is the latest report from otl

OTL logfile created on: 16/09/2009 16:27:16 - Run 2
OTL by OldTimer - Version 3.0.11.0 Folder = C:\Documents and Settings\Ian\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.36% Memory free
3.85 Gb Paging File | 3.52 Gb Available in Paging File | 91.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 36.48 Gb Free Space | 39.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 820I
Current User Name: Ian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/08/20 16:18:34 | 00,905,216 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2007/03/16 18:10:46 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
PRC - [2007/03/16 18:10:42 | 01,253,376 | ---- | M] (Dell Inc.) -- C:\WINDOWS\System32\bcmwltry.exe
PRC - [2008/08/20 16:38:30 | 00,860,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/04/24 13:40:56 | 02,562,048 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\System32\hasplms.exe
PRC - [2007/02/20 12:24:34 | 00,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
PRC - [2008/08/20 16:08:02 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2007/02/01 09:21:22 | 01,466,368 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PRC - [2008/08/20 16:28:34 | 00,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
PRC - [2009/02/06 10:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/02/06 10:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/06/13 11:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/06 10:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2004/08/04 11:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2007/03/16 18:10:46 | 01,392,640 | ---- | M] (Dell Inc.) -- C:\WINDOWS\System32\WLTRAY.exe
PRC - [2009/08/05 12:55:39 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/01/30 15:32:42 | 00,102,400 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
PRC - [2007/01/22 11:53:02 | 00,212,992 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
PRC - [2007/02/01 18:16:16 | 00,065,536 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe
PRC - [2007/01/25 17:34:22 | 00,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2007/07/31 22:10:04 | 00,065,536 | ---- | M] ( TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
PRC - [2007/01/29 19:07:18 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2007/08/28 17:43:14 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2006/09/08 15:10:22 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\HidFind.exe
PRC - [2007/02/19 14:26:32 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/09/08 15:06:08 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apntex.exe
PRC - [2008/08/20 16:27:36 | 01,368,064 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2008/08/20 16:09:12 | 01,191,936 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2008/05/27 16:17:44 | 00,434,176 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
PRC - [2007/08/30 10:50:42 | 00,205,480 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2007/07/30 22:54:38 | 02,158,592 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2006/11/03 18:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/12/18 15:22:14 | 00,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2006/01/23 23:14:10 | 00,069,632 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2006/10/27 20:13:48 | 00,270,336 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
PRC - [2004/08/04 11:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2006/09/28 21:08:46 | 00,270,336 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
PRC - [2007/07/20 16:30:28 | 00,311,296 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
PRC - [2007/07/20 16:48:00 | 02,170,880 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
PRC - [2009/09/14 09:00:35 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\ot.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - File not found -- -- (Autodesk Licensing Service [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/05/27 11:20:38 | 00,070,952 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe -- (dnWhoDisp [On_Demand | Stopped])
SRV - [2007/09/17 23:36:32 | 00,282,624 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe -- (EventClientMultiplexer [On_Demand | Stopped])
SRV - [2007/09/17 23:36:08 | 00,217,088 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\EventServer.exe -- (EventServer [On_Demand | Stopped])
SRV - [2008/08/20 16:38:30 | 00,860,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/05/22 17:50:46 | 00,058,664 | ---- | M] (Rockwell Automation Inc.) -- C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe -- (FTActivationBoost [On_Demand | Stopped])
SRV - [2008/05/24 09:25:12 | 00,202,024 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE -- (Harmony [On_Demand | Stopped])
SRV - [2008/04/24 13:40:56 | 02,562,048 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\System32\hasplms.exe -- (hasplms [Auto | Running])
SRV - [2004/08/04 11:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/08/05 12:55:39 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [On_Demand | Stopped])
SRV - File not found -- -- (Lavasoft Ad-Aware Service [On_Demand | Stopped])
SRV - [2007/07/09 10:47:58 | 00,094,208 | ---- | M] () -- C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe -- (LogReceiver [On_Demand | Stopped])
SRV - [2007/02/10 14:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [On_Demand | Stopped])
SRV - [2005/10/14 11:50:19 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2007/11/07 08:58:18 | 03,004,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90 [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/02/20 12:24:34 | 00,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe -- (NICCONFIGSVC [Auto | Running])
SRV - [2007/09/18 00:57:20 | 00,212,992 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\NmspHost.exe -- (NmspHost [On_Demand | Stopped])
SRV - [2007/11/17 03:03:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [On_Demand | Stopped])
SRV - [2005/11/25 09:11:02 | 00,098,304 | ---- | M] (OPC Foundation) -- C:\WINDOWS\System32\OpcEnum.exe -- (OpcEnum [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/09/18 00:57:28 | 00,212,992 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RdcyHost.exe -- (RdcyHost [On_Demand | Stopped])
SRV - [2008/08/20 16:08:02 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2008/06/25 13:15:18 | 00,034,088 | ---- | M] (Rockwell Automation Inc.) -- C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe -- (RNADiagnosticsService [On_Demand | Stopped])
SRV - [2008/06/25 13:15:22 | 00,148,776 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe -- (RNADiagReceiver [On_Demand | Stopped])
SRV - [2007/09/17 23:42:44 | 00,897,024 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RnaDirServer.exe -- (RNADirectory [On_Demand | Stopped])
SRV - [2007/09/17 23:43:08 | 00,991,232 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe -- (RNADirMultiplexor [On_Demand | Stopped])
SRV - [2007/09/18 20:26:24 | 00,077,824 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe -- (Rockwell HMI Diagnostics [On_Demand | Stopped])
SRV - [2007/09/18 20:34:28 | 00,147,456 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe -- (Rockwell Tag Server [On_Demand | Stopped])
SRV - [2007/06/29 01:01:48 | 00,092,792 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
SRV - [2008/07/25 09:39:26 | 01,971,768 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSLinx\RSLINX.EXE -- (RSLinx [On_Demand | Stopped])
SRV - [2007/06/26 15:11:48 | 00,217,088 | ---- | M] (Rockwell Automation) -- C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe -- (RSLinxNG [On_Demand | Stopped])
SRV - [2008/06/25 13:17:06 | 00,218,408 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RsvcHost.exe -- (RsvcHost [On_Demand | Stopped])
SRV - [2008/08/20 16:18:34 | 00,905,216 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2007/01/29 21:59:58 | 00,487,424 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService [On_Demand | Stopped])
SRV - [2007/02/10 14:29:47 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Disabled | Stopped])
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [On_Demand | Stopped])
SRV - File not found -- -- (stllssvr [On_Demand | Stopped])
SRV - [2007/02/01 09:21:22 | 01,466,368 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe [Auto | Running])
SRV - [2004/08/04 11:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Auto | Stopped])
SRV - [2008/08/20 16:28:34 | 00,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKeeper.exe -- (WLANKEEPER [Auto | Running])
SRV - [2007/03/16 18:10:46 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/11/10 20:08:00 | 00,093,400 | ---- | M] (INDE Electronics, Inc.) -- C:\Program Files\Schneider Electric\Vijeo-Designer\Vijeo-Frame\XBTZG935\XBTGZ935_ulnk(36fc9e60-c465-11cf-8056-444553540000).exe -- (XBTZG935 USB Link Cable [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/06 17:30:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/05 12:55:40 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [EmbassySecurityCheck] C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvHotkey.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UsbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe (Rockwell Automation, Inc.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\System32\spool\drivers\w32x86\3\E_SRCV03.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wxvault.dll) - C:\WINDOWS\System32\wxvault.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/21 09:14:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/05 16:18:29 | 00,000,000 | ---D | M] - C:\Automation -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/09/16 15:25:46 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/09/16 15:25:21 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/16 12:50:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Desktop\LOG
[2009/09/16 08:52:54 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\uteyotg2.sys
[2009/09/16 08:50:00 | 05,655,040 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\avz.exe
[2009/09/15 17:27:07 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\gmer.exe
[2009/09/15 17:27:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Desktop\gmer
[2009/09/15 17:26:59 | 00,280,419 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\gmer.zip
[2009/09/15 16:10:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Desktop\SysProt
[2009/09/15 16:01:10 | 00,354,396 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\SysProt.zip
[2009/09/15 15:34:43 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\avenger.zip
[2009/09/15 15:33:05 | 00,000,074 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\copy.bat
[2009/09/15 13:28:27 | 00,000,143 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\FixReg.reg
[2009/09/15 10:10:34 | 00,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2009/09/15 10:09:31 | 00,009,924 | R--- | C] (Red Lion Controls Inc.) -- C:\WINDOWS\System32\drivers\g3usb.sys
[2009/09/15 10:09:12 | 00,000,000 | ---D | C] -- C:\Program Files\Red Lion Controls
[2009/09/15 10:00:58 | 21,455,09376 | -HS- | C] () -- C:\hiberfil.sys
[2009/09/15 08:07:22 | 00,000,575 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\Fixswen.inf
[2009/09/15 08:07:12 | 00,000,610 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\UnHookExec.inf
[2009/09/15 08:07:08 | 03,315,456 | R--- | C] () -- C:\Documents and Settings\Ian\Desktop\shav.exe
[2009/09/14 20:53:40 | 00,085,504 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\Inherit.exe
[2009/09/14 19:48:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/09/14 16:43:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Desktop\avz4
[2009/09/14 15:18:44 | 00,033,361 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\Win32kDiag.old
[2009/09/14 15:18:38 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\Win32kDiag.exe
[2009/09/14 13:14:13 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/09/14 13:12:18 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/14 13:12:18 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/14 13:12:18 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/14 13:12:18 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/14 13:12:18 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/14 13:12:18 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/14 13:12:18 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/14 13:12:18 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/14 13:12:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/14 13:09:06 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/14 09:00:23 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\ot.exe
[2009/09/14 08:54:09 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\settings.dat
[2009/09/14 08:53:38 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Ian\Desktop\RootRepeal.exe
[2009/09/13 20:09:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/09/13 20:09:17 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/09/13 20:09:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Application Data\SUPERAntiSpyware.com
[2009/09/13 19:44:49 | 07,163,936 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\SUPERAntiSpyware.exe
[2009/09/13 18:00:04 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2009/09/13 17:59:37 | 01,339,288 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\sar_15_sfx.exe
[2009/09/13 17:42:22 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/13 17:42:21 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/13 17:42:14 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/13 17:30:43 | 00,218,112 | ---- | C] (Soeperman Enterprises Ltd.) -- C:\Documents and Settings\All Users\Documents\HijackThis.exe
[2009/09/13 16:49:56 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/09/13 09:25:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Application Data\Malwarebytes
[2009/09/13 09:25:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/13 09:23:25 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ian\Desktop\ian.exe
[2009/09/12 11:33:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Desktop\tRENDS
[2009/09/11 15:23:41 | 00,072,192 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\ellipse.xls
[2009/09/11 11:33:42 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Ian\My Documents\Drawing1_recover.dwg
[2009/09/11 11:33:42 | 00,000,260 | ---- | C] () -- C:\Documents and Settings\Ian\My Documents\acad.err
[2009/09/11 10:03:16 | 00,002,481 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\Microsoft Excel.lnk
[2009/09/10 23:10:27 | 00,079,290 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\ht4 example.DXF
[2009/09/10 16:11:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Application Data\Schneider Electric
[2009/09/10 16:02:29 | 00,000,974 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Vijeo-Designer.lnk
[2009/09/10 15:10:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Application Data\Macrovision
[2009/09/10 15:10:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2009/09/10 10:26:11 | 00,089,600 | ---- | C] () -- C:\Documents and Settings\Ian\Desktop\T&L Master Fault and Trip List.xls
[2009/09/08 15:53:36 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\d3d9caps.dat
[2009/09/08 15:51:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/09/08 12:49:38 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/09/08 12:37:56 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/09/08 11:32:26 | 00,000,000 | ---D | C] -- C:\Program Files\Modbus Tools
[2009/09/07 10:43:54 | 00,000,629 | ---- | C] () -- C:\WINDOWS\ModScan32.INI
[2009/09/07 10:42:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Desktop\modscan32
[2009/09/07 09:36:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Application Data\E-Designer

========== Files - Modified Within 14 Days ==========

[2009/09/16 16:26:41 | 00,094,778 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/09/16 16:26:19 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/16 16:26:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/16 16:26:08 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/16 16:26:04 | 21,455,09376 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/16 14:03:21 | 00,000,250 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/16 14:02:51 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/16 12:50:08 | 00,007,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\uteyotg2.sys
[2009/09/16 08:48:44 | 05,655,040 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\avz.exe
[2009/09/15 17:36:08 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\gmer.exe
[2009/09/15 17:24:58 | 00,280,419 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\gmer.zip
[2009/09/15 16:00:04 | 00,354,396 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\SysProt.zip
[2009/09/15 15:39:32 | 00,165,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/15 15:33:38 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\avenger.zip
[2009/09/15 15:33:05 | 00,000,074 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\copy.bat
[2009/09/15 15:07:52 | 00,036,544 | ---- | M] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/15 13:34:59 | 00,587,252 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/15 13:34:59 | 00,489,636 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/15 13:34:59 | 00,089,762 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/15 13:28:27 | 00,000,143 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\FixReg.reg
[2009/09/15 10:19:49 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\T&L hours.xls
[2009/09/15 08:04:36 | 03,315,456 | R--- | M] () -- C:\Documents and Settings\Ian\Desktop\shav.exe
[2009/09/15 08:04:12 | 00,000,610 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\UnHookExec.inf
[2009/09/15 08:03:46 | 00,000,575 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\Fixswen.inf
[2009/09/14 20:43:10 | 00,085,504 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\Inherit.exe
[2009/09/14 15:54:57 | 00,033,361 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\Win32kDiag.old
[2009/09/14 15:11:52 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\Win32kDiag.exe
[2009/09/14 09:00:35 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\ot.exe
[2009/09/14 08:54:09 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\settings.dat
[2009/09/14 08:53:38 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Ian\Desktop\RootRepeal.exe
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/13 19:44:49 | 07,163,936 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\SUPERAntiSpyware.exe
[2009/09/13 17:59:48 | 01,339,288 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\sar_15_sfx.exe
[2009/09/13 09:23:25 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ian\Desktop\ian.exe
[2009/09/12 18:40:16 | 00,000,664 | ---- | M] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\d3d9caps.dat
[2009/09/11 18:50:10 | 00,072,192 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\ellipse.xls
[2009/09/11 15:41:51 | 00,002,481 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\Microsoft Excel.lnk
[2009/09/11 15:12:02 | 00,089,600 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\T&L Master Fault and Trip List.xls
[2009/09/11 11:35:32 | 00,000,260 | ---- | M] () -- C:\Documents and Settings\Ian\My Documents\acad.err
[2009/09/11 11:33:42 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Ian\My Documents\Drawing1_recover.dwg
[2009/09/10 23:10:27 | 00,079,290 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\ht4 example.DXF
[2009/09/10 16:02:29 | 00,000,974 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vijeo-Designer.lnk
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/08 13:38:11 | 00,000,629 | ---- | M] () -- C:\WINDOWS\ModScan32.INI
[2009/09/07 09:31:47 | 00,000,742 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/03 14:27:19 | 00,002,439 | ---- | M] () -- C:\Documents and Settings\Ian\Desktop\FactoryTalk View Studio.lnk
[2009/09/03 11:46:30 | 00,000,831 | ---- | M] () -- C:\WINDOWS\ODBC.INI

========== LOP Check ==========

[2009/09/16 13:44:23 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/02 01:02:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/09/08 12:49:45 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/09/15 14:39:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2009/04/21 10:10:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2009/05/06 11:18:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intel
[2009/09/10 15:10:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2009/04/21 09:55:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2009/08/06 16:18:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Omron
[2009/08/07 16:28:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2009/08/06 12:22:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rockwell
[2009/08/06 09:21:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rockwell Automation
[2009/05/06 10:58:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2009/08/06 12:25:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WFCU
[2009/09/13 20:09:17 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Ian\Application Data
[2009/09/15 14:46:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Autodesk
[2009/08/05 10:20:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Dell
[2009/09/07 09:36:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\E-Designer
[2009/08/27 19:20:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\ImgBurn
[2009/05/06 11:20:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Intel
[2009/09/10 15:10:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Macrovision
[2009/08/06 16:54:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\OpenOffice.org
[2009/09/01 12:03:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Rockwell Software
[2009/08/05 10:31:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Roxio
[2009/09/10 16:11:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Schneider Electric
[2009/08/05 12:21:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Toshiba
[2009/09/16 07:54:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\Wave Systems Corp
[2004/08/04 11:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/09/16 16:26:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

Here is the malwarebytes report:

Malwarebytes' Anti-Malware 1.41
Database version: 2811
Windows 5.1.2600 Service Pack 2

16/09/2009 20:02:07
mbam-log-2009-09-16 (20-02-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 345927
Time elapsed: 1 hour(s), 17 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A514C1CC-499A-484A-B67E-3584577FFCF7}\RP136\A0050555.exe (Trojan.Banker) -> Quarantined and deleted successfully.

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 17, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 17, 2009 08:17:31
Records in database: 2838091
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 224279
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:02:44

No threats found. Scanned area is clean.

Selected area has been scanned.
  • 0
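The OTL log posted above lists autostart and policy entries (O4 Run keys, O6/O7 Explorer policies, O20 AppInit_DLLs, O30 LSA packages, O34 BootExecute) that a malware-removal helper normally reads by eye. As an added example that is not part of this thread and not a tool from OldTimer or Geeks to Go, here is a small Python triage script that parses lines in that format, flags entries in code-loading locations whose publisher field is empty ("()") or whose target is "File not found", and decodes the two AutoRun policy bitmasks (NoDriveTypeAutoRun, NoDriveAutoRun) seen in the log. The sample lines are copied from the log above; the choice of "sensitive" sections and the empty-publisher heuristic are this example's own assumptions. Perplexus judged this log clean, so every flag the script raises here is a review prompt rather than a verdict.

```python
import re

# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_OTL_LINES = [
    r"O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)",
    r"O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ()",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323",
    r"O20 - AppInit_DLLs: (C:\WINDOWS\system32\wxvault.dll) - C:\WINDOWS\System32\wxvault.dll ()",
    r"O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)",
    r"O34 - HKLM BootExecute: (autocheck) - File not found",
    r"O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)",
]

# OTL sections whose entries run code at logon, in every process, inside LSASS,
# or before the shell starts (assumed grouping for this example).
SENSITIVE_SECTIONS = {"O4", "O20", "O30", "O34"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# OTL ends file entries with the publisher in parentheses; "()" means no version info.
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")
POLICY_RE = re.compile(r":\s*(NoDriveTypeAutoRun|NoDriveAutoRun)\s*=\s*(\d+)\s*$")


def parse_line(line):
    """Split an 'Onn - ...' line into (section, body, publisher).

    publisher is '' when OTL printed '()', and None when the entry carries no
    publisher field at all (policy lines, 'File not found').
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    pm = PUBLISHER_RE.search(body)
    publisher = pm.group(1).strip() if pm else None
    return section, body, publisher


def triage(lines):
    """Return (section, reason, body) for entries a responder would check first.

    Heuristic only: a missing publisher is common for legitimate software, so a
    flag means "look at this file", not "this is malware".
    """
    notes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body, publisher = parsed
        if section not in SENSITIVE_SECTIONS:
            continue
        if publisher == "":
            notes.append((section, "no publisher/version info", body))
        elif "File not found" in body:
            notes.append((section, "entry points at a missing file", body))
    return notes


# Bit n of NoDriveTypeAutoRun disables AutoRun for GetDriveType() value n.
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK",
    7: "0x80 (reserved)",
}


def decode_no_drive_type_autorun(value):
    """List the drive types a NoDriveTypeAutoRun mask disables AutoRun for."""
    return [DRIVE_TYPES.get(bit, f"bit {bit} (undocumented)")
            for bit in range(value.bit_length()) if value >> bit & 1]


def decode_no_drive_autorun(value):
    """List the drive letters a NoDriveAutoRun mask disables AutoRun for (bit 0 = A:)."""
    return [chr(ord("A") + bit) for bit in range(26) if value >> bit & 1]


def decode_autorun_policies(lines):
    """Find the two AutoRun policy values in O6/O7 lines and decode each."""
    decoded = {}
    for line in lines:
        m = POLICY_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name == "NoDriveTypeAutoRun":
            decoded[name] = decode_no_drive_type_autorun(value)
        else:
            decoded[name] = decode_no_drive_autorun(value)
    return decoded


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_OTL_LINES):
        print(f"[{section}] {reason}: {body}")
    for name, targets in decode_autorun_policies(SAMPLE_OTL_LINES).items():
        print(f"{name}: {', '.join(targets)}")
```

Run against the sample, triage flags the SUPERAntiSpyware Run entry and the AppInit_DLLs entry (both printed with "()") and the BootExecute "autocheck" entry ("File not found"). The policy decode shows NoDriveTypeAutoRun = 323 covering only the unknown, no-root-dir and RAM-disk types plus an undocumented bit 8, while NoDriveAutoRun = 67108863 has all 26 drive-letter bits set, so AutoRun is off for every lettered drive, removable ones included.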

#39
Perplexus

Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Well done! Your log appears clean! :)

------------------
Step 1:
------------------

We're almost done. We need to do some clean up and get you on your way.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
(This will remove all restore points to rid your machine of saved infected files and create a new restore point)

------------------
Step 2:
------------------

We need to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions.

  • Run OTL.exe
  • Click the Clean Up button in top right corner.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Now delete any logs that you have left over on your desktop.


------------------
Step 3:
------------------

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.


------------------
Step 4:
------------------

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable.

Please go to Microsoft's Windows Update and download all the critical updates to help prevent possible re-infection.

It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

---------------------------------------------------------------------------------------------

This is a good time to set up protection against further attacks. Read our How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker, and a real time spyware program to prevent malware intrusions. Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

---------------------------------------------------------------------------------------------

Anti Virus Programs

One AntiVirus is a must have! But never more than one, as this can and will cause conflicts and false readings. It is imperative that you have an antivirus program installed on your computer to browse safely in the world of today's internet. Antivirus programs will find and delete any malicious files on your computer as well as protecting your computer from such files in the first place. The best of your antivirus program options are these:

---------------------------------------------------------------------------------------------

Personal Firewalls

Firewalls help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are some free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

---------------------------------------------------------------------------------------------

Anti Spyware

Anti Spyware helps to eliminate certain types of infections. I would recommend getting these and running the scans at least twice a month. Also a real-time protector is beneficial to stop infections before they start. SpywareGuard is an excellent choice here.
  • SUPERAntiSpyware is a powerful tool that can eliminate nasties that make it onto your machine.
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

---------------------------------------------------------------------------------------------

Safer Web Browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are some good free alternatives:
All are faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

If you choose FireFox, here are a couple of addons that I recommend:
  • NoScript - for blocking ads and other potential website attacks
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must have if you do a lot of Google searches.

---------------------------------------------------------------------------------------------

Other Recommendations

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

Take Care and Happy Surfing! :)
  • 0

#40
rak6789

rak6789

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Computer now seems to be running OK; I've installed Avira and Outpost.

However, Avira will not update. When I run update it does not do anything; I've waited 15 minutes. Maybe I should be waiting longer? Can you advise?
  • 0

#41
Perplexus

Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
The first time it can take longer to update, but it brings up a popup to show you what it's doing. Is that popup coming up?
  • 0

#42
rak6789

rak6789

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Yes, it's coming up. I've left it for 15 mins and nothing happened; I'll leave it longer.
  • 0

#43
Perplexus

Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Ok, let me know. The popup should be showing it's downloading files or something.
  • 0

#44
rak6789

rak6789

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I have uninstalled and reinstalled Avira, I ran a scan overnight and then did an update this morning and it worked OK.
Computer all seems to be running fine again.

Thanks for working with me on this one, you've done a great job. :)
  • 0

#45
Perplexus

Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Thank you :) And you're very welcome. Glad we could help :)
  • 0
