Geeks to Go

i may have a virus



#1 blade1957 (Member, 51 posts)

Hi guys, my PC is acting very strange of late. Can someone help me out? Here's a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27:59, on 25/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Accept-encode: (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -"http://www.bbc.co.uk...find_the.shtml"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1239911162296
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - https://register.bti...lcontrol013.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6039 bytes

I am in the UK so it might take a little longer to sort, lol.

#2 blade1957 (Topic Starter, Member, 51 posts)

Sorry, I didn't read about HijackThis first. Here are the OTL logs.

OTL logfile created on: 25/09/2009 15:43:23 - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\alex\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.49 Mb Total Physical Memory | 635.11 Mb Available Physical Memory | 62.05% Memory free
2.40 Gb Paging File | 2.04 Gb Available in Paging File | 84.75% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 58.32 Gb Free Space | 76.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALEX-
Current User Name: alex
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/09/08 20:50:04 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2009/04/14 10:54:25 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2001/12/31 17:04:34 | 00,114,755 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/03/03 19:57:23 | 00,075,064 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrA.exe
PRC - [2009/09/23 22:03:12 | 00,189,768 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe
PRC - [2009/09/08 20:50:06 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/09/08 20:50:06 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/09/08 20:50:06 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/09/08 20:50:07 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2002/07/13 00:33:12 | 01,581,056 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOWS\Mixer.exe
PRC - [2007/04/16 15:28:22 | 00,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/08/04 05:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2004/08/04 05:56:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 05:56:52 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/09/25 15:37:25 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\alex\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/09/10 14:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Disabled | Stopped])
SRV - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/09/08 20:50:06 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Disabled | Stopped])
SRV - [2009/09/08 20:50:04 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])
SRV - [2005/09/23 08:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe -- (EpsonBidirectionalService [Auto | Stopped])
SRV - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2 [Auto | Running])
SRV - [2004/08/04 05:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/04/14 10:54:25 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2001/12/31 17:04:34 | 00,114,755 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2009/03/03 19:57:23 | 00,075,064 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
SRV - [2009/09/23 22:03:12 | 00,189,768 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe -- (PnkBstrB [Auto | Running])
SRV - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\Mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\4.0 ( File not found
O4 - Startup: C:\Documents and Settings\alex\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ShutdownWithoutLogon = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.micros...cs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://downloads.ewi...oOnlineScan.cab (ewidoOnlineScan Control)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1239911162296 (WUWebControl Class)
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} https://register.bti...lcontrol013.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} Reg Error: Value error. (JInitiator 1.3.1.22)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/24 16:43:14 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[9 C:\WINDOWS\*.tmp files]
[2009/09/25 15:37:21 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\alex\Desktop\OTL.exe
[2009/09/25 15:35:27 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\settings.dat
[2009/09/25 15:34:56 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\alex\Desktop\RootRepeal.exe
[2009/09/25 15:32:46 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\alex\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/09/25 15:32:35 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\NTREGOPT.lnk
[2009/09/25 15:32:34 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\ERUNT.lnk
[2009/09/25 15:32:30 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/09/25 15:32:05 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\alex\Desktop\erunt_setup.exe
[2009/09/25 15:03:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/25 14:58:44 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/25 14:58:44 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/25 14:58:44 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/25 14:58:44 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/25 14:58:44 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/25 14:58:44 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/25 14:58:44 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/25 14:58:44 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/25 14:58:29 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/25 14:12:00 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/09/25 14:11:56 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/09/25 12:58:28 | 00,009,693 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\TTWipe.bat
[2009/09/25 12:51:46 | 00,277,631 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\RSIT.exe
[2009/09/23 00:37:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/09/21 12:33:45 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\HARWORTH COLLIERY U14 09 10.doc
[2009/09/16 12:12:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\alex\Desktop\internet
[2009/09/12 19:32:02 | 00,428,817 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\boy2.jpg

========== Files - Modified Within 14 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[9 C:\WINDOWS\*.tmp files]
[2009/09/25 15:37:25 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\alex\Desktop\OTL.exe
[2009/09/25 15:37:00 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\settings.dat
[2009/09/25 15:34:59 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\alex\Desktop\RootRepeal.exe
[2009/09/25 15:32:46 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\alex\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/09/25 15:32:35 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\NTREGOPT.lnk
[2009/09/25 15:32:34 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\ERUNT.lnk
[2009/09/25 15:32:12 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\alex\Desktop\erunt_setup.exe
[2009/09/25 15:05:55 | 00,003,873 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/25 15:05:13 | 00,000,252 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/25 15:04:56 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/25 15:04:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/25 15:04:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/25 14:57:00 | 00,277,631 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\RSIT.exe
[2009/09/25 12:58:28 | 00,009,693 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\TTWipe.bat
[2009/09/25 12:49:49 | 00,000,915 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/09/25 10:06:00 | 04,838,962 | -H-- | M] () -- C:\Documents and Settings\alex\Local Settings\Application Data\IconCache.db
[2009/09/25 09:53:06 | 41,751,848 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/09/24 16:45:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/09/24 16:03:57 | 00,112,900 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/09/24 13:37:28 | 00,018,088 | ---- | M] () -- C:\Documents and Settings\alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/23 22:03:22 | 00,137,928 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/09/23 22:03:12 | 00,189,768 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/09/23 22:03:12 | 00,189,768 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2009/09/23 00:36:45 | 10,733,03552 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/09/21 12:33:45 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\HARWORTH COLLIERY U14 09 10.doc
[2009/09/18 14:22:21 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/12 19:32:12 | 00,428,817 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\boy2.jpg
[2009/09/11 16:46:21 | 00,000,595 | ---- | M] () -- C:\WINDOWS\System\Cmicnfg3.ini

========== LOP Check ==========

[2009/09/07 22:39:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data
[2009/04/01 17:57:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Anvil Studio
[2008/04/19 12:13:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\EPSON
[2009/08/29 20:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\GlobalSCAPE
[2009/09/24 20:19:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\HLSW
[2007/04/24 16:57:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\InterTrust
[2009/07/30 00:40:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Jasc
[2009/09/07 01:11:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\LimeWire
[2008/07/22 20:56:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\MSNInstaller
[2009/04/01 17:32:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Music Editor Free
[2009/07/30 02:10:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Opera
[2009/08/06 12:52:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\passport_photo
[2007/11/12 19:50:53 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\alex\Application Data\SecuROM
[2009/08/06 23:19:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Serif
[2009/07/27 13:14:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\SmartFTP
[2007/12/25 11:59:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Sports Interactive
[2008/09/21 23:11:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\teamspeak2
[2009/09/08 21:00:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Ventrilo
[2009/06/18 15:41:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\wsInspector
[2009/09/24 20:16:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Xfire
[2009/09/24 15:43:28 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/04/26 11:45:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/07/22 13:43:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\27213
[2009/03/19 20:43:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2009/08/29 20:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
[2008/09/11 02:03:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2009/01/06 18:15:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/07/07 03:28:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/08/02 15:20:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sports Interactive
[2007/05/03 12:58:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/24 16:45:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/07 01:17:22 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/09/25 15:04:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2004/08/04 05:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll
[2 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\system32\scecli.dll >
[2004/08/04 05:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll
[2 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4295826C
< End of report >

#3 blade1957 (Member, Topic Starter, 51 posts)
OTL Extras logfile created on: 25/09/2009 15:43:23 - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\alex\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.49 Mb Total Physical Memory | 635.11 Mb Available Physical Memory | 62.05% Memory free
2.40 Gb Paging File | 2.04 Gb Available in Paging File | 84.75% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 58.32 Gb Free Space | 76.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALEX-
Current User Name: alex
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1 File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Documents and Settings\alex\Application Data\printer.exe" = C:\Documents and Settings\alex\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Messenger -- (Microsoft Corporation)
"C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe" = C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s -- ()
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"C:\AV-CLS\WGET.EXE" = C:\AV-CLS\WGET.EXE:*:Enabled:WGET.EXE -- ()
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{09234F0D-5971-4701-94EE-89CB6926E273}" = Serif PhotoPlus SE
"{25BEC3AB-5CD4-481D-9143-215C1BBB189E}" = Sony Ericsson PC Suite
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0150160}" = J2SE Runtime Environment 5.0 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B4A5C13-069F-4AFE-AE57-C497B4E33C7E}" = Call of Duty® 2 Patch 1.3
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}" = VIA Integrated Setup Wizard
"{949DBB22-2FB7-4de1-804C-23D495A988D8}" = CuteFTP 8 Home
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data
"{CAFECAFE-0013-0001-0122-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.22
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite
"{DDBB28C8-B2AA-45A1-8DCE-059A798509FB}" = MobileMe Control Panel
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F2901EBD-CF73-47B5-AB76-D6B9DFC387FD}" = RconMax(WW)
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"CCleaner" = CCleaner (remove only)
"C-Media PCI Sound" = C-Media PCI Audio Device
"C-Media USB Sound" = USB 3D Sound Configuration
"CoD RconTool" = CoD RconTool
"CoD RconTool 10" = CoD RconTool 10
"Enable S3 for USB Device" = Enable S3 for USB Device
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"HD Tune_is1" = HD Tune 2.55
"HijackThis" = HijackThis 2.0.2
"HLSW_is1" = HLSW v1.3.2.1
"InstallShield_{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}" = VIA Integrated Setup Wizard
"InstallShield_{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"LimeWire" = LimeWire 5.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McDonald's Fairies " = McDonald's Fairies
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Nero - Burning Rom!UninstallKey" = Ahead Nero Burning ROM
"NVIDIA Drivers" = NVIDIA Drivers
"Panda ActiveScan" = Panda ActiveScan
"PCI Audio Driver" = PCI Audio Driver
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 6.0" = RealPlayer
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"WinRAR archiver" = WinRAR archiver
"Xfire" = Xfire (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{DBFF7A38-F460-419A-A2E7-2D55BD2D9AD4}" = Dynasty Warriors 4 Hyper
"PassportPhoto" = PassportPhoto (remove)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22/09/2009 21:12:17 | Computer Name = ALEX- | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.26.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 23/09/2009 05:50:51 | Computer Name = ALEX- | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.

Error - 24/09/2009 10:55:28 | Computer Name = ALEX- | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.

Error - 24/09/2009 10:55:32 | Computer Name = ALEX- | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 25/09/2009 06:27:19 | Computer Name = ALEX- | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module msvcr80.dll, version 8.0.50727.3053, fault address 0x0004f029.

Error - 25/09/2009 06:40:11 | Computer Name = ALEX- | Source = Application Error | ID = 1000
Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe,
version 0.0.0.0, fault address 0x0004cdfb.

Error - 25/09/2009 09:09:05 | Computer Name = ALEX- | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 25/09/2009 09:10:18 | Computer Name = ALEX- | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 25/09/2009 09:29:18 | Computer Name = ALEX- | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 25/09/2009 09:54:17 | Computer Name = ALEX- | Source = Application Error | ID = 1000
Description = Faulting application the_comedian.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The PnkBstrB service terminated unexpectedly. It has done this 1
time(s).

Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The PnkBstrA service terminated unexpectedly. It has done this 1
time(s).

Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The EPSON Printer Status Agent2 service terminated unexpectedly.
It has done this 1 time(s).

Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7031
Description = The AVG Free8 WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 25/09/2009 09:59:58 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s).

Error - 25/09/2009 10:03:36 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 25/09/2009 10:07:35 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7022
Description = The EpsonBidirectionalService service hung on starting.

Error - 25/09/2009 10:07:35 | Computer Name = ALEX- | Source = Service Control Manager | ID = 7034
Description = The EpsonBidirectionalService service terminated unexpectedly. It
has done this 1 time(s).


< End of report >
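The three OTL Extras sections above that a helper reads first are Shell Spawning, Security Center Settings and the Authorized Applications List. As an added example (not part of this thread, and not OTL's own code), the script below parses those sections and flags what is worth a second look: an [open] handler for exefile, comfile, batfile, cmdfile or piffile that is no longer the XP default `"%1" %*` (OTL prints "File not found" after the default only because %1 is a placeholder, so that text alone is not a finding); `EnableFirewall = 0` on a profile; and firewall exceptions whose file is missing, that live under a user profile, or that carry no company name in their version info, which is exactly the shape of the `printer.exe` entry under Application Data in the Domain profile list above. `SAMPLE_LOG` is a constructed excerpt in the layout of the posted log; its exefile line is deliberately altered to a hypothetical path so the handler check fires, whereas the log as posted shows the default.

```python
"""Triage checks over an OTL Extras log (added example, not OTL's own code)."""
import re

# Constructed excerpt in the shape of the posted log. The exefile line is
# deliberately altered (hypothetical path) so the check below fires; the
# posted log shows the XP default for exefile.
SAMPLE_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
comfile [open] -- "%1" %* File not found
exefile [open] -- "C:\WINDOWS\hypothetical.exe" "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Documents and Settings\alex\Application Data\printer.exe" = C:\Documents and Settings\alex\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Messenger -- (Microsoft Corporation)
"C:\AV-CLS\WGET.EXE" = C:\AV-CLS\WGET.EXE:*:Enabled:WGET.EXE -- ()
"""

SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")
SHELL_RE = re.compile(r"^(?P<key>.+?) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$")
FW_RE = re.compile(r'^"(?P<path>[^"]+)" = (?P<rest>.*) -- (?P<annot>.*)$')

# XP default [open] handlers; anything else for these keys deserves a look.
EXPECTED_OPEN = {k: '"%1" %*' for k in ("exefile", "comfile", "batfile", "cmdfile", "piffile")}


def sections(text):
    """Split OTL output into {section title: [non-blank lines]} on its ===== headers."""
    out, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line.rstrip())
    return out


def shell_command(raw):
    """Drop OTL's trailing annotation ('File not found' or '(Company)') from a command."""
    raw = re.sub(r"\s+File not found$", "", raw)
    raw = re.sub(r"\s+\([^()]*\)$", "", raw)
    return raw.strip()


def check_shell_spawning(lines):
    """Return (key, command) for executable types whose [open] handler is not the default."""
    findings = []
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        key, verb, cmd = m.group("key"), m.group("verb"), shell_command(m.group("cmd"))
        if verb == "open" and key in EXPECTED_OPEN and cmd != EXPECTED_OPEN[key]:
            findings.append((key, cmd))
    return findings


def check_firewall_enabled(lines):
    """Return the firewall profiles whose EnableFirewall value is 0 (firewall off)."""
    off, key = [], None
    for line in lines:
        if line.startswith("["):
            key = line.strip("[]")
        elif key and key.endswith("Profile") and line.startswith('"EnableFirewall" = 0'):
            off.append(key.rsplit("\\", 1)[-1])
    return off


def check_firewall_exceptions(lines):
    """Flag Authorized Applications entries a helper would want to look at."""
    findings, profile = [], None
    for line in lines:
        if line.startswith("["):          # registry key line: which profile follows
            profile = ("Domain" if "DomainProfile" in line
                       else "Standard" if "StandardProfile" in line else None)
            continue
        m = FW_RE.match(line)
        if not m:
            continue
        path, rest, annot = m.group("path"), m.group("rest"), m.group("annot")
        parts = rest[len(path) + 1:].split(":", 2)   # scope:status:name after the path
        reasons = []
        if annot == "File not found":
            reasons.append("file missing")
        if "\\documents and settings\\" in path.lower():
            reasons.append("lives under a user profile")
        if annot == "()":
            reasons.append("no company name in version info")
        if reasons:
            findings.append({"profile": profile, "path": path,
                             "scope": parts[0] if parts else "?", "reasons": reasons})
    return findings


def triage(text):
    """Run all three checks over one OTL Extras log and return the findings."""
    s = sections(text)
    return {
        "shell": check_shell_spawning(s.get("Shell Spawning", [])),
        "firewall_off": check_firewall_enabled(s.get("Security Center Settings", [])),
        "exceptions": check_firewall_exceptions(s.get("Authorized Applications List", [])),
    }


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(name, *items, sep="\n  ")
```

The output is a list of leads, not verdicts: a game executable with no company name is common, and a missing file in an exception can simply mean the program was uninstalled. What makes the `printer.exe` entry stand out is the combination of a user-profile path, a Domain-profile exception and the file being gone.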

#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello blade1957,

Please download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Post the contents of RootRepeal.txt in your next reply.

Next

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

So when you return please post
  • RootRepeal.txt
  • MBAM log


#5 blade1957 (Member, Topic Starter, 51 posts)
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 16:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74AD000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2056832 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF5B2D000 Size: 138496 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF743F000 Size: 95360 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7C80000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xF59D7000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF793C000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xF5B77000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AFC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79EC000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF6E60000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF778C000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF761C000 Size: 53248 File Visible: - Signed: -
Status: -

Name: cmudax3.sys
Image Path: C:\WINDOWS\system32\drivers\cmudax3.sys
Address: 0xF6F16000 Size: 1516672 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF760C000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7457000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7AE2000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF776C000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF591F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B20000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF5C3F000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C49000 Size: 4096 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF78C4000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF76BC000 Size: 34944 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF78FC000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF73F5000 Size: 124800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AFA000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF747D000 Size: 125056 File Visible: - Signed: -
Status: -

Name: gagp30kx.sys
Image Path: gagp30kx.sys
Address: 0xF762C000 Size: 46464 File Visible: - Signed: -
Status: -

Name: gameenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\gameenum.sys
Address: 0xF7A94000 Size: 10624 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF77AC000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806CE000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF771C000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF794C000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF7A80000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF3BB4000 Size: 263040 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF77DC000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF777C000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF5A50000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF5BE8000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75DC000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF78CC000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7ADC000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF166E000 Size: 171776 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF6ECF000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF73CC000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AFE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF78EC000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF7A84000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF75EC000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xF3C1D000 Size: 181248 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF5A71000 Size: 451456 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF791C000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF781C000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7AB4000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF72F7000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7312000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7A98000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6E81000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF783C000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF76AC000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF5B4F000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7924000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF733F000 Size: 574592 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2056832 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7BBD000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 4132864 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF709D000 Size: 2167552 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF6E98000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7864000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7B80000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pavboot.sys
Image Path: pavboot.sys
Address: 0xF786C000 Size: 21888 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF749C000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF785C000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2056832 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6EF2000 Size: 147456 File Visible: - Signed: -
Status: -

Name: processr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\processr.sys
Address: 0xF775C000 Size: 35328 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6E70000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF78DC000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF72BF000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF77EC000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF77FC000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF780C000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF78E4000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2056832 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF5AE0000 Size: 176512 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B00000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF6D9F000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF779C000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2ADF000 Size: 49152 File Visible: No Signed: -
Status: -

Name: Rtlnic51.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
Address: 0xF77BC000 Size: 65280 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF792C000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xF5B0C000 Size: 135168 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF7414000 Size: 98304 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF7A90000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF77CC000 Size: 64896 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF73E3000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF3981000 Size: 336256 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7AF2000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF3F74000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF5B90000 Size: 359040 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF78D4000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF782C000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6D43000 Size: 209408 File Visible: - Signed: -
Status: -

Name: usbaudio.sys
Image Path: C:\WINDOWS\system32\drivers\usbaudio.sys
Address: 0xF772C000 Size: 59264 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF7944000 Size: 31616 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7AF4000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF78BC000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF766C000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6EAC000 Size: 143360 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF78B4000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7914000 Size: 20992 File Visible: - Signed: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xF7874000 Size: 27904 File Visible: - Signed: -
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xF7AE0000 Size: 5376 File Visible: - Signed: -
Status: -

Name: viasraid.sys
Image Path: viasraid.sys
Address: 0xF742C000 Size: 75904 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF7089000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF75FC000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF76CC000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF797C000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF3E2F000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1839104 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1839104 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7ADE000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2056832 File Visible: - Signed: -
Status: -



Malwarebytes' Anti-Malware 1.41
Database version: 2904
Windows 5.1.2600 Service Pack 2

04/10/2009 17:53:17
mbam-log-2009-10-04 (17-53-17).txt

Scan type: Quick Scan
Objects scanned: 102718
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{359a2abb-6050-47f1-8642-eff82f23a4f4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by blade1957, 04 October 2009 - 10:55 AM.

  • 0

#6
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello blade1957,

Please download ComboFix from one of these locations:

NOTE: If you are a guest watching this topic: ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this, as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#7
blade1957

blade1957

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
ComboFix 09-10-04.01 - alex 05/10/2009 9:34.16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.641 [GMT 1:00]
Running from: c:\documents and settings\alex\Desktop\virus stuff\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-09-29 15:38 . 2009-09-29 15:38 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-25 22:20 . 2009-09-25 22:20 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-25 14:32 . 2009-09-25 14:32 -------- d-----w- c:\program files\ERUNT
2009-09-25 13:12 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-25 13:11 . 2009-09-25 13:11 -------- d-----w- c:\program files\Panda Security
2009-09-09 19:13 . 2009-10-04 14:59 -------- d-----w- C:\$AVG8.VAULT$
2009-09-09 08:53 . 2009-09-09 08:53 -------- d-----w- C:\5bea91cdb3e16078fc71d32d
2009-09-09 08:45 . 2009-09-09 08:45 -------- d-----w- C:\rsit
2009-09-09 08:10 . 2009-09-09 08:10 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:50 . 2009-09-08 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-08 19:50 . 2009-09-08 19:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-08 19:50 . 2009-09-08 19:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-08 19:50 . 2009-09-08 19:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-08 19:50 . 2009-10-04 13:03 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-08 15:58 . 2004-08-07 00:17 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2009-09-08 15:57 . 2004-08-07 00:16 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2009-09-08 15:50 . 2003-07-01 20:42 27904 ----a-w- c:\windows\system32\drivers\VIAAGP1.SYS
2009-09-08 15:38 . 2004-08-07 00:17 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-09-08 15:38 . 2004-08-07 00:17 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-09-08 15:38 . 2004-08-07 00:16 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-09-08 15:38 . 2004-08-07 00:16 13312 ----a-w- c:\windows\system32\irclass.dll
2009-09-08 15:14 . 2008-09-10 18:58 270336 ----a-r- c:\windows\system32\CMRMDRV3.exe
2009-09-08 15:14 . 2008-09-03 18:12 1516672 ----a-r- c:\windows\system32\drivers\cmudax3.sys
2009-09-08 15:14 . 2007-02-26 20:30 36864 ----a-r- c:\windows\system32\cmudax3.DLL
2009-09-08 15:14 . 2008-09-11 11:10 278528 ----a-r- c:\windows\CmiPCIUninstall.exe
2009-09-08 15:14 . 2009-09-08 15:14 -------- d-----w- c:\program files\C-Media PCI Audio Device
2009-09-08 07:59 . 2006-08-01 14:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-09-08 07:58 . 2009-09-08 07:58 -------- d-----w- c:\program files\Realtek AC97
2009-09-08 07:58 . 2006-07-31 10:27 217088 ----a-w- c:\windows\Alcrmv.exe
2009-09-08 07:58 . 2006-07-31 10:19 315392 ----a-w- c:\windows\alcupd.exe
2009-09-07 21:39 . 2009-09-08 20:00 -------- d-----w- c:\documents and settings\alex\Application Data\Ventrilo
2009-09-07 21:38 . 2009-09-07 21:38 -------- d-----w- c:\program files\Ventrilo
2009-09-06 19:02 . 2006-10-18 01:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-09-06 19:02 . 2003-12-11 15:54 391424 ----a-r- c:\windows\system32\drivers\ALCXSENS.SYS
2009-09-06 19:02 . 2006-12-08 14:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-09-06 19:02 . 2008-09-24 09:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2009-09-06 19:02 . 2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe
2009-09-06 16:06 . 2009-09-06 16:06 -------- d-----w- c:\program files\Nikita

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 20:49 . 2007-10-16 20:25 137928 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-04 20:49 . 2007-10-16 20:25 189768 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-04 20:49 . 2008-11-04 01:03 -------- d-----w- c:\documents and settings\alex\Application Data\HLSW
2009-10-04 18:58 . 2008-10-28 19:20 -------- d-----w- c:\documents and settings\alex\Application Data\Xfire
2009-10-03 12:58 . 2008-10-28 19:20 -------- d-----w- c:\program files\Xfire
2009-10-02 12:37 . 2008-09-11 00:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 15:36 . 2009-03-19 19:41 103720 ----a-w- c:\documents and settings\alex\GoToAssistDownloadHelper.exe
2009-09-25 12:06 . 2007-07-09 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-24 14:43 . 2009-07-24 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-09-24 12:37 . 2007-10-04 20:58 18088 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 13:54 . 2008-09-11 00:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2008-09-11 00:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:53 . 2009-08-30 14:33 -------- d-s---w- c:\program files\HLSW
2009-09-08 22:53 . 2009-08-06 11:52 -------- d-----w- c:\program files\PassportPhoto
2009-09-08 22:53 . 2008-07-26 11:13 -------- d-----w- c:\program files\LimeWire
2009-09-08 15:54 . 2007-04-24 15:40 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-08 07:58 . 2007-04-24 15:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-07 21:38 . 2009-01-16 22:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 00:11 . 2008-01-08 18:31 -------- d-----w- c:\documents and settings\alex\Application Data\LimeWire
2009-09-03 08:12 . 2009-07-02 20:28 -------- d-----w- c:\program files\CoD RconTool
2009-08-31 19:52 . 2009-08-31 19:52 -------- d-----w- c:\program files\PLAYXPERT
2009-08-29 19:30 . 2009-08-29 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-08-29 19:30 . 2009-08-29 19:30 -------- d-----w- c:\documents and settings\alex\Application Data\GlobalSCAPE
2009-08-29 19:29 . 2009-08-29 19:29 -------- d-----w- c:\program files\GlobalSCAPE
2009-08-12 11:19 . 2009-08-12 11:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-12 11:19 . 2009-08-12 11:18 -------- d-----w- c:\program files\Common Files\Real
2009-08-12 11:18 . 2009-08-12 11:18 -------- d-----w- c:\program files\Real
2009-08-06 22:19 . 2009-08-06 22:19 -------- d-----w- c:\documents and settings\alex\Application Data\Serif
2009-08-06 22:18 . 2009-08-06 22:18 -------- d-----w- c:\program files\AskSearch
2009-08-06 22:17 . 2009-08-06 22:17 -------- d-----w- c:\program files\Serif
2009-08-06 11:52 . 2009-08-06 11:52 -------- d-----w- c:\documents and settings\alex\Application Data\passport_photo
2009-07-24 14:20 . 2009-07-24 14:20 964 ----a-w- c:\program files\wxxn.txt
2009-01-16 11:30 . 2009-01-16 11:30 46592 --sha-r- c:\windows\system32\3com_dmil.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-25_14.05.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 14:32 . 2009-09-29 15:38 354084 c:\windows\system32\Restore\rstrlog.dat
+ 2009-09-30 08:53 . 2009-09-30 08:53 638976 c:\windows\erdnt\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-30 08:53 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\30-09-2009\ERDNT.EXE
+ 2009-09-29 10:25 . 2009-09-29 10:25 638976 c:\windows\erdnt\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-28 10:28 . 2009-09-28 10:28 638976 c:\windows\erdnt\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-27 13:43 . 2009-09-27 13:43 638976 c:\windows\erdnt\AutoBackup\27-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-27 13:43 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\27-09-2009\ERDNT.EXE
+ 2009-09-26 08:55 . 2009-09-26 08:55 638976 c:\windows\erdnt\AutoBackup\26-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-26 08:55 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\26-09-2009\ERDNT.EXE
+ 2009-09-25 14:50 . 2009-09-25 14:50 638976 c:\windows\erdnt\AutoBackup\25-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-25 14:50 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\25-09-2009\ERDNT.EXE
+ 2009-10-05 08:13 . 2009-10-05 08:13 638976 c:\windows\erdnt\AutoBackup\05-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-05 08:13 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\05-10-2009\ERDNT.EXE
+ 2009-10-04 13:01 . 2009-10-04 13:01 638976 c:\windows\erdnt\AutoBackup\04-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-04 13:01 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\04-10-2009\ERDNT.EXE
+ 2009-10-03 12:59 . 2009-10-03 12:59 638976 c:\windows\erdnt\AutoBackup\03-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-03 12:59 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\03-10-2009\ERDNT.EXE
+ 2009-10-02 08:06 . 2009-10-02 08:06 638976 c:\windows\erdnt\AutoBackup\02-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-02 08:06 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\02-10-2009\ERDNT.EXE
+ 2009-10-01 08:49 . 2009-10-01 08:49 638976 c:\windows\erdnt\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-01 08:49 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\01-10-2009\ERDNT.EXE
+ 2009-09-30 08:53 . 2009-09-30 08:53 7000064 c:\windows\erdnt\AutoBackup\30-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-29 10:25 . 2009-09-29 10:25 6930432 c:\windows\erdnt\AutoBackup\29-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-28 10:28 . 2009-09-28 10:28 6930432 c:\windows\erdnt\AutoBackup\28-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-27 13:43 . 2009-09-27 13:43 6930432 c:\windows\erdnt\AutoBackup\27-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-26 08:55 . 2009-09-26 08:55 6930432 c:\windows\erdnt\AutoBackup\26-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-25 14:50 . 2009-09-25 14:50 6930432 c:\windows\erdnt\AutoBackup\25-09-2009\Users\00000001\NTUSER.DAT
+ 2009-10-05 08:13 . 2009-10-05 08:13 7024640 c:\windows\erdnt\AutoBackup\05-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-04 13:01 . 2009-10-04 13:01 7008256 c:\windows\erdnt\AutoBackup\04-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-03 12:59 . 2009-10-03 12:59 7008256 c:\windows\erdnt\AutoBackup\03-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-02 08:06 . 2009-10-02 08:06 7008256 c:\windows\erdnt\AutoBackup\02-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-01 08:49 . 2009-10-01 08:49 7008256 c:\windows\erdnt\AutoBackup\01-10-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-08 2007832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2001-12-31 3756032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-07-12 1581056]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\alex\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-10 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 19:38 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-08 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^findfast.exe]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\findfast.exe
backup=c:\windows\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\AV-CLS\\WGET.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [25/09/2009 14:12 28544]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [24/04/2007 16:58 75904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/09/2009 20:50 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/09/2009 20:50 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/09/2009 20:50 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/09/2009 20:50 297752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 09:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31BDDCDD-3FB9-7D71-C722-6AC2A5ED44B0}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eacidcbdnl"=hex:66,61,69,69,69,6d,6d,68,69,66,6b,67,00,fc
"dafimbgn"=hex:64,62,67,6b,61,67,69,6c,62,6b,70,69,68,68,63,64,62,63,6c,6a,69,
6d,6a,70,63,6b,6a,69,6f,64,68,69,66,68,61,6f,6b,61,61,62,00,00
"iakjgliihjphpcfnpe"=hex:6b,61,6e,6d,69,6e,61,6e,6b,64,62,6d,6e,70,62,62,64,6b,
65,68,67,6e,00,00
"haakmlkbfpcnheoo"=hex:6b,61,6e,6d,69,6e,61,6e,6b,64,62,6d,6e,70,62,62,64,6b,
65,68,67,6e,00,55

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:73,71,71,ef,f8,7f,b3,9d,c9,57,98,05,b2,2a,d0,8f,14,ad,e0,e0,f3,76,42,
c1,a3,6c,ec,f0,f9,bf,9f,96,77,73,29,1d,95,9d,dd,f2,7e,31,25,78,64,64,f1,f4,\
"??"=hex:d0,fe,e9,75,d6,d8,cd,ad,c3,8d,7d,75,23,88,83,bf

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f0,b6,28,b9,d8,e4,17,de,a0,c9,d4,b4,5c,97,29,5e,36,b6,c7,bd,c8,
5f,8c,6a,d3,ee,be,eb,ad,31,e3,0d,b6,75,86,12,11,df,3e,09,ec,9e,83,f9,ba,f2,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-10-05 9:41
ComboFix-quarantined-files.txt 2009-10-05 08:41
ComboFix2.txt 2009-09-25 14:09
ComboFix3.txt 2009-09-25 12:20

Pre-Run: 61,672,345,600 bytes free
Post-Run: 61,883,518,976 bytes free

273
  • 0

#8
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello blade1957,

  • c:\windows\system32\3com_dmil.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Now

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Folder::
c:\program files\AskSearch

REGNULL::
[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31BDDCDD-3FB9-7D71-C722-6AC2A5ED44B0}*]

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

So when you return, please post:
  • Virscan report
  • ComboFix.txt

  • 0

#9
blade1957

blade1957

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
VirSCAN.org Scanned Report :
Scanned time : 2009/10/06 09:56:15 (BST)
Scanner results: 51% Scanner(19/37) found malware!
File Name : 3com_dmil.exe
File Size : 46592 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6bed85e59996cdc9eb109f9ae24f2889
SHA1 : 29feb0a52145745ab06168f92e49204bd2917b90
Online report : http://virscan.org/r...aa2eba6eca.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091005163530 2009-10-05 7.47 Trojan-Dropper.Win32.Wlord!IK
AhnLab V3 2009.10.06.05 2009.10.06 2009-10-06 0.79 -
AntiVir 8.2.1.33 7.1.6.75 2009-10-05 0.15 TR/Dropper.Gen
Antiy 2.0.18 20091005.2966709 2009-10-05 0.28 -
Arcavir 2009 200910051956 2009-10-05 0.04 -
Authentium 5.1.1 200910052203 2009-10-05 1.21 W32/Trojan-Obfuscated.2!Generic (Possible)
AVAST! 4.7.4 091005-0 2009-10-05 0.01 Win32:Falder [Trj]
AVG 8.5.288 270.14.4/2416 2009-10-06 0.33 -
BitDefender 7.81008.4315425 7.28111 2009-10-06 3.81 Gen:Trojan.Heur.Hype.ciW@amdn2Ug
CA (VET) 9.0.0.143 31.6.6777 2009-10-06 20.98 -
ClamAV 0.95.2 9866 2009-10-03 0.02 -
Comodo 3.11 2523 2009-10-06 1.35 -
CP Secure 1.3.0.5 2009.10.05 2009-10-05 0.04 -
Dr.Web 4.44.0.9170 2009.10.06 2009-10-06 5.61 -
F-Prot 4.4.4.56 20091005 2009-10-05 1.21 W32/Trojan-Obfuscated.2!Generic
F-Secure 7.02.73807 2009.10.06.05 2009-10-06 2.19 Trojan-Dropper.Win32.Wlord.aey [AVP]
Fortinet 2.81-3.120 10.911 2009-10-06 0.71 W32/FakeAle.AEY!tr
GData 19.8244/19.500 20091006 2009-10-06 7.21 Trojan-Dropper.Win32.Wlord.aey [Engine:A]
ViRobot 20091005 2009.10.05 2009-10-05 1.26 -
Ikarus T3.1.01.72 2009.10.06.73946 2009-10-06 5.37 Trojan-Dropper.Win32.Wlord
JiangMin 11.0.800 2009.10.05 2009-10-05 22.02 -
Kaspersky 5.5.10 2009.10.06 2009-10-06 0.05 Trojan-Dropper.Win32.Wlord.aey
KingSoft 2009.2.5.15 2009.10.6.14 2009-10-06 0.87 Win32.Troj.ClickerT.gj.7168
McAfee 5.3.00 5762 2009-10-05 3.29 Hatigh
Microsoft 1.5101 2009.10.06 2009-10-06 8.99 VirTool:Win32/DelfInject.gen!AM
Norman 6.01.09 6.01.00 2009-09-16 1.87 -
Panda 9.05.01 2009.10.05 2009-10-05 6.18 -
Trend Micro 8.700-1004 6.509.00 2009-10-05 0.04 -
Quick Heal 10.00 2009.10.06 2009-10-06 2.11 Suspicious - DNAScan
Rising 20.0 21.49.22.00 2009-09-30 1.63 -
Sophos 2.90.1 4.45 2009-10-06 5.00 Troj/FakeAle-LE
Sunbelt 5431 5431 2009-10-05 3.45 -
Symantec 1.3.0.24 20091005.003 2009-10-05 0.04 Trojan Horse
nProtect 20091006.01 5735552 2009-10-06 14.70 -
The Hacker 6.5.0.2 v00011 2009-09-18 1.45 -
VBA32 3.12.10.11 20091005.0813 2009-10-05 2.06 Malware-Cryptor.Win32.Stit
VirusBuster 4.5.11.10 10.112.59/1942018 2009-10-05 2.53 VirTool.DelfInject.QCU



ComboFix 09-10-05.01 - alex 06/10/2009 10:27.17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.675 [GMT 1:00]
Running from: c:\documents and settings\alex\Desktop\virus stuff\ComboFix.exe
Command switches used :: c:\documents and settings\alex\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSearch

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-09-29 15:38 . 2009-09-29 15:38 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-25 22:20 . 2009-09-25 22:20 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-25 14:32 . 2009-09-25 14:32 -------- d-----w- c:\program files\ERUNT
2009-09-25 13:12 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-25 13:11 . 2009-09-25 13:11 -------- d-----w- c:\program files\Panda Security
2009-09-09 19:13 . 2009-10-04 14:59 -------- d-----w- C:\$AVG8.VAULT$
2009-09-09 08:53 . 2009-09-09 08:53 -------- d-----w- C:\5bea91cdb3e16078fc71d32d
2009-09-09 08:45 . 2009-09-09 08:45 -------- d-----w- C:\rsit
2009-09-09 08:10 . 2009-09-09 08:10 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:50 . 2009-09-08 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-08 19:50 . 2009-09-08 19:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-08 19:50 . 2009-09-08 19:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-08 19:50 . 2009-09-08 19:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-08 19:50 . 2009-10-06 08:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-08 15:58 . 2004-08-07 00:17 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2009-09-08 15:57 . 2004-08-07 00:16 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2009-09-08 15:50 . 2003-07-01 20:42 27904 ----a-w- c:\windows\system32\drivers\VIAAGP1.SYS
2009-09-08 15:38 . 2004-08-07 00:17 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-09-08 15:38 . 2004-08-07 00:17 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-09-08 15:38 . 2004-08-07 00:16 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-09-08 15:38 . 2004-08-07 00:16 13312 ----a-w- c:\windows\system32\irclass.dll
2009-09-08 15:14 . 2008-09-10 18:58 270336 ----a-r- c:\windows\system32\CMRMDRV3.exe
2009-09-08 15:14 . 2008-09-03 18:12 1516672 ----a-r- c:\windows\system32\drivers\cmudax3.sys
2009-09-08 15:14 . 2007-02-26 20:30 36864 ----a-r- c:\windows\system32\cmudax3.DLL
2009-09-08 15:14 . 2008-09-11 11:10 278528 ----a-r- c:\windows\CmiPCIUninstall.exe
2009-09-08 15:14 . 2009-09-08 15:14 -------- d-----w- c:\program files\C-Media PCI Audio Device
2009-09-08 07:59 . 2006-08-01 14:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-09-08 07:58 . 2009-09-08 07:58 -------- d-----w- c:\program files\Realtek AC97
2009-09-08 07:58 . 2006-07-31 10:27 217088 ----a-w- c:\windows\Alcrmv.exe
2009-09-08 07:58 . 2006-07-31 10:19 315392 ----a-w- c:\windows\alcupd.exe
2009-09-07 21:39 . 2009-09-08 20:00 -------- d-----w- c:\documents and settings\alex\Application Data\Ventrilo
2009-09-07 21:38 . 2009-09-07 21:38 -------- d-----w- c:\program files\Ventrilo
2009-09-06 19:02 . 2006-10-18 01:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-09-06 19:02 . 2003-12-11 15:54 391424 ----a-r- c:\windows\system32\drivers\ALCXSENS.SYS
2009-09-06 19:02 . 2006-12-08 14:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-09-06 19:02 . 2008-09-24 09:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2009-09-06 19:02 . 2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe
2009-09-06 16:06 . 2009-09-06 16:06 -------- d-----w- c:\program files\Nikita

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 20:56 . 2008-11-04 01:03 -------- d-----w- c:\documents and settings\alex\Application Data\HLSW
2009-10-05 20:17 . 2007-10-16 20:25 138352 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-05 20:17 . 2007-10-16 20:25 191304 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-05 18:58 . 2008-10-28 19:20 -------- d-----w- c:\documents and settings\alex\Application Data\Xfire
2009-10-03 12:58 . 2008-10-28 19:20 -------- d-----w- c:\program files\Xfire
2009-10-02 12:37 . 2008-09-11 00:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 15:36 . 2009-03-19 19:41 103720 ----a-w- c:\documents and settings\alex\GoToAssistDownloadHelper.exe
2009-09-25 12:06 . 2007-07-09 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-24 14:43 . 2009-07-24 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-09-24 12:37 . 2007-10-04 20:58 18088 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 13:54 . 2008-09-11 00:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2008-09-11 00:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:53 . 2009-08-30 14:33 -------- d-s---w- c:\program files\HLSW
2009-09-08 22:53 . 2009-08-06 11:52 -------- d-----w- c:\program files\PassportPhoto
2009-09-08 22:53 . 2008-07-26 11:13 -------- d-----w- c:\program files\LimeWire
2009-09-08 15:54 . 2007-04-24 15:40 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-08 07:58 . 2007-04-24 15:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-07 21:38 . 2009-01-16 22:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 00:11 . 2008-01-08 18:31 -------- d-----w- c:\documents and settings\alex\Application Data\LimeWire
2009-09-03 08:12 . 2009-07-02 20:28 -------- d-----w- c:\program files\CoD RconTool
2009-08-31 19:52 . 2009-08-31 19:52 -------- d-----w- c:\program files\PLAYXPERT
2009-08-29 19:30 . 2009-08-29 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-08-29 19:30 . 2009-08-29 19:30 -------- d-----w- c:\documents and settings\alex\Application Data\GlobalSCAPE
2009-08-29 19:29 . 2009-08-29 19:29 -------- d-----w- c:\program files\GlobalSCAPE
2009-08-12 11:19 . 2009-08-12 11:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-12 11:19 . 2009-08-12 11:18 -------- d-----w- c:\program files\Common Files\Real
2009-08-12 11:18 . 2009-08-12 11:18 -------- d-----w- c:\program files\Real
2009-07-24 14:20 . 2009-07-24 14:20 964 ----a-w- c:\program files\wxxn.txt
2009-01-16 11:30 . 2009-01-16 11:30 46592 --sha-r- c:\windows\system32\3com_dmil.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-25_14.05.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 09:32 . 2009-10-06 09:32 16384 c:\windows\temp\Perflib_Perfdata_7b0.dat
+ 2009-06-18 14:32 . 2009-09-29 15:38 354084 c:\windows\system32\Restore\rstrlog.dat
+ 2009-09-30 08:53 . 2009-09-30 08:53 638976 c:\windows\erdnt\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-30 08:53 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\30-09-2009\ERDNT.EXE
+ 2009-09-29 10:25 . 2009-09-29 10:25 638976 c:\windows\erdnt\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-28 10:28 . 2009-09-28 10:28 638976 c:\windows\erdnt\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-27 13:43 . 2009-09-27 13:43 638976 c:\windows\erdnt\AutoBackup\27-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-27 13:43 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\27-09-2009\ERDNT.EXE
+ 2009-09-26 08:55 . 2009-09-26 08:55 638976 c:\windows\erdnt\AutoBackup\26-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-26 08:55 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\26-09-2009\ERDNT.EXE
+ 2009-09-25 14:50 . 2009-09-25 14:50 638976 c:\windows\erdnt\AutoBackup\25-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-25 14:50 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\25-09-2009\ERDNT.EXE
+ 2009-10-06 08:50 . 2009-10-06 08:50 638976 c:\windows\erdnt\AutoBackup\06-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-06 08:50 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\06-10-2009\ERDNT.EXE
+ 2009-10-05 08:13 . 2009-10-05 08:13 638976 c:\windows\erdnt\AutoBackup\05-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-05 08:13 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\05-10-2009\ERDNT.EXE
+ 2009-10-04 13:01 . 2009-10-04 13:01 638976 c:\windows\erdnt\AutoBackup\04-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-04 13:01 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\04-10-2009\ERDNT.EXE
+ 2009-10-03 12:59 . 2009-10-03 12:59 638976 c:\windows\erdnt\AutoBackup\03-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-03 12:59 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\03-10-2009\ERDNT.EXE
+ 2009-10-02 08:06 . 2009-10-02 08:06 638976 c:\windows\erdnt\AutoBackup\02-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-02 08:06 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\02-10-2009\ERDNT.EXE
+ 2009-10-01 08:49 . 2009-10-01 08:49 638976 c:\windows\erdnt\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-01 08:49 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\01-10-2009\ERDNT.EXE
+ 2009-09-30 08:53 . 2009-09-30 08:53 7000064 c:\windows\erdnt\AutoBackup\30-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-29 10:25 . 2009-09-29 10:25 6930432 c:\windows\erdnt\AutoBackup\29-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-28 10:28 . 2009-09-28 10:28 6930432 c:\windows\erdnt\AutoBackup\28-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-27 13:43 . 2009-09-27 13:43 6930432 c:\windows\erdnt\AutoBackup\27-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-26 08:55 . 2009-09-26 08:55 6930432 c:\windows\erdnt\AutoBackup\26-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-25 14:50 . 2009-09-25 14:50 6930432 c:\windows\erdnt\AutoBackup\25-09-2009\Users\00000001\NTUSER.DAT
+ 2009-10-06 08:50 . 2009-10-06 08:50 7024640 c:\windows\erdnt\AutoBackup\06-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-05 08:13 . 2009-10-05 08:13 7024640 c:\windows\erdnt\AutoBackup\05-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-04 13:01 . 2009-10-04 13:01 7008256 c:\windows\erdnt\AutoBackup\04-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-03 12:59 . 2009-10-03 12:59 7008256 c:\windows\erdnt\AutoBackup\03-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-02 08:06 . 2009-10-02 08:06 7008256 c:\windows\erdnt\AutoBackup\02-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-01 08:49 . 2009-10-01 08:49 7008256 c:\windows\erdnt\AutoBackup\01-10-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2001-12-31 3756032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-07-12 1581056]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-10 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 19:38 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-08 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^findfast.exe]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\findfast.exe
backup=c:\windows\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\AV-CLS\\WGET.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [25/09/2009 14:12 28544]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [24/04/2007 16:58 75904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/09/2009 20:50 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/09/2009 20:50 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/09/2009 20:50 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/09/2009 20:50 297752]
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 10:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:73,71,71,ef,f8,7f,b3,9d,c9,57,98,05,b2,2a,d0,8f,14,ad,e0,e0,f3,76,42,
c1,a3,6c,ec,f0,f9,bf,9f,96,77,73,29,1d,95,9d,dd,f2,7e,31,25,78,64,64,f1,f4,\
"??"=hex:d0,fe,e9,75,d6,d8,cd,ad,c3,8d,7d,75,23,88,83,bf

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f0,b6,28,b9,d8,e4,17,de,a0,c9,d4,b4,5c,97,29,5e,36,b6,c7,bd,c8,
5f,8c,6a,d3,ee,be,eb,ad,31,e3,0d,b6,75,86,12,11,df,3e,09,ec,9e,83,f9,ba,f2,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-06 10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 09:37
ComboFix2.txt 2009-10-05 08:41
ComboFix3.txt 2009-09-25 14:09
ComboFix4.txt 2009-09-25 12:20

Pre-Run: 61,660,393,472 bytes free
Post-Run: 61,729,886,208 bytes free


#10
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello blade1957,

Virscan found malware in that one.

Let's nuke it.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...06#entry1655306
KillAll::

Collect::
c:\windows\system32\3com_dmil.exe

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
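The file emeraldnzl had scanned, c:\windows\system32\3com_dmil.exe, stands out in the Find3M report by its attribute string "--sha-r-" (system, hidden, read-only executable in system32), and the same log shows the XP firewall standard profile with "EnableFirewall"= 0. As an added example that is not part of this thread, of ComboFix or of the helper's instructions, the Python below parses those ComboFix line formats and flags both conditions; the sample lines are copied from the log posted above, and the flagging rule is an assumed triage heuristic, not a verdict.

```python
"""Triage pass over ComboFix log lines.

Added example for this thread; it is not part of ComboFix or of the
helper's instructions. The flagging rules are an assumed triage heuristic:
they point at entries worth a second look, they do not prove infection.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "Files Created" and "Find3M Report" lines have the shape
#   <created> . <modified> <size or --------> <attrs> <path>
# SnapShot lines ("+ <date> . <date> <size> <path>") have no attribute
# field and a leading "+", so they deliberately do not match.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$"
)
# Reg Loading Points line for the XP firewall standard profile being off.
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')

EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
SYSTEM_PREFIX = "c:\\windows\\"


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (size column is "--------")
    attrs: str           # e.g. "--sha-r-"; a letter is a set flag, "-" is unset
    path: str

    @property
    def flags(self) -> set:
        return {c for c in self.attrs if c != "-"}


@dataclass
class Finding:
    kind: str
    detail: str


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for a ComboFix file line, or None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return FileEntry(created, modified, int(size) if size.isdigit() else None, attrs, path)


def is_hidden_system_executable(entry: FileEntry) -> bool:
    """Executable under c:\\windows with both the system and hidden flags set.

    Stock Windows binaries under system32 are not normally marked s+h, so this
    is a cheap first filter; 3com_dmil.exe in the log above carries "--sha-r-".
    """
    f = entry.flags
    low = entry.path.lower()
    return (
        "d" not in f
        and "s" in f
        and "h" in f
        and low.startswith(SYSTEM_PREFIX)
        and low.endswith(EXEC_EXT)
    )


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix log and collect findings in line order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_file_line(line)
        if entry is not None:
            if is_hidden_system_executable(entry):
                findings.append(Finding("hidden_system_exe", entry.path))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("firewall_disabled", line))
    return findings


# Constructed sample: lines copied from the ComboFix log posted above, plus one
# SnapShot line to show that it is skipped.
SAMPLE_LINES = [
    r"2009-09-10 13:53 . 2008-09-11 00:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2009-09-08 22:53 . 2009-08-30 14:33 -------- d-s---w- c:\program files\HLSW",
    r"2009-09-08 07:58 . 2007-04-24 15:56 -------- d--h--w- c:\program files\InstallShield Installation Information",
    r"2009-01-16 11:30 . 2009-01-16 11:30 46592 --sha-r- c:\windows\system32\3com_dmil.exe",
    r"+ 2009-10-06 09:32 . 2009-10-06 09:32 16384 c:\windows\temp\Perflib_Perfdata_7b0.dat",
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
]

if __name__ == "__main__":
    for finding in triage("\n".join(SAMPLE_LINES)):
        print(f"{finding.kind:20s} {finding.detail}")
```

Directories and files with only one of the two flags (HLSW, InstallShield) pass through unflagged, which is the intended behaviour of the heuristic.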

#11
blade1957

blade1957

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
ComboFix 09-10-05.01 - alex 06/10/2009 21:33.18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.651 [GMT 1:00]
Running from: c:\documents and settings\alex\Desktop\virus stuff\ComboFix.exe
Command switches used :: c:\documents and settings\alex\Desktop\CFScript.txt

file zipped: c:\windows\system32\3com_dmil.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3com_dmil.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-09-29 15:38 . 2009-09-29 15:38 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-25 22:20 . 2009-09-25 22:20 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-25 14:32 . 2009-09-25 14:32 -------- d-----w- c:\program files\ERUNT
2009-09-25 13:12 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-25 13:11 . 2009-09-25 13:11 -------- d-----w- c:\program files\Panda Security
2009-09-09 19:13 . 2009-10-04 14:59 -------- d-----w- C:\$AVG8.VAULT$
2009-09-09 08:53 . 2009-09-09 08:53 -------- d-----w- C:\5bea91cdb3e16078fc71d32d
2009-09-09 08:45 . 2009-09-09 08:45 -------- d-----w- C:\rsit
2009-09-09 08:10 . 2009-09-09 08:10 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:50 . 2009-09-08 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-08 19:50 . 2009-09-08 19:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-08 19:50 . 2009-09-08 19:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-08 19:50 . 2009-09-08 19:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-08 19:50 . 2009-10-06 08:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-08 15:58 . 2004-08-07 00:17 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2009-09-08 15:57 . 2004-08-07 00:16 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2009-09-08 15:50 . 2003-07-01 20:42 27904 ----a-w- c:\windows\system32\drivers\VIAAGP1.SYS
2009-09-08 15:38 . 2004-08-07 00:17 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-09-08 15:38 . 2004-08-07 00:17 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-09-08 15:38 . 2004-08-07 00:16 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-09-08 15:38 . 2004-08-07 00:16 13312 ----a-w- c:\windows\system32\irclass.dll
2009-09-08 15:14 . 2008-09-10 18:58 270336 ----a-r- c:\windows\system32\CMRMDRV3.exe
2009-09-08 15:14 . 2008-09-03 18:12 1516672 ----a-r- c:\windows\system32\drivers\cmudax3.sys
2009-09-08 15:14 . 2007-02-26 20:30 36864 ----a-r- c:\windows\system32\cmudax3.DLL
2009-09-08 15:14 . 2008-09-11 11:10 278528 ----a-r- c:\windows\CmiPCIUninstall.exe
2009-09-08 15:14 . 2009-09-08 15:14 -------- d-----w- c:\program files\C-Media PCI Audio Device
2009-09-08 07:59 . 2006-08-01 14:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-09-08 07:58 . 2009-09-08 07:58 -------- d-----w- c:\program files\Realtek AC97
2009-09-08 07:58 . 2006-07-31 10:27 217088 ----a-w- c:\windows\Alcrmv.exe
2009-09-08 07:58 . 2006-07-31 10:19 315392 ----a-w- c:\windows\alcupd.exe
2009-09-07 21:39 . 2009-09-08 20:00 -------- d-----w- c:\documents and settings\alex\Application Data\Ventrilo
2009-09-07 21:38 . 2009-09-07 21:38 -------- d-----w- c:\program files\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 16:28 . 2008-11-04 01:03 -------- d-----w- c:\documents and settings\alex\Application Data\HLSW
2009-10-06 16:00 . 2007-10-16 20:25 138352 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-06 15:59 . 2007-10-16 20:25 191304 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-05 18:58 . 2008-10-28 19:20 -------- d-----w- c:\documents and settings\alex\Application Data\Xfire
2009-10-03 12:58 . 2008-10-28 19:20 -------- d-----w- c:\program files\Xfire
2009-10-02 12:37 . 2008-09-11 00:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 15:36 . 2009-03-19 19:41 103720 ----a-w- c:\documents and settings\alex\GoToAssistDownloadHelper.exe
2009-09-25 12:06 . 2007-07-09 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-24 14:43 . 2009-07-24 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-09-24 12:37 . 2007-10-04 20:58 18088 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 13:54 . 2008-09-11 00:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2008-09-11 00:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:53 . 2009-08-30 14:33 -------- d-s---w- c:\program files\HLSW
2009-09-08 22:53 . 2009-08-06 11:52 -------- d-----w- c:\program files\PassportPhoto
2009-09-08 22:53 . 2008-07-26 11:13 -------- d-----w- c:\program files\LimeWire
2009-09-08 15:54 . 2007-04-24 15:40 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-08 07:58 . 2007-04-24 15:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-07 21:38 . 2009-01-16 22:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-07 00:11 . 2008-01-08 18:31 -------- d-----w- c:\documents and settings\alex\Application Data\LimeWire
2009-09-06 16:06 . 2009-09-06 16:06 -------- d-----w- c:\program files\Nikita
2009-09-03 08:12 . 2009-07-02 20:28 -------- d-----w- c:\program files\CoD RconTool
2009-08-31 19:52 . 2009-08-31 19:52 -------- d-----w- c:\program files\PLAYXPERT
2009-08-29 19:30 . 2009-08-29 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-08-29 19:30 . 2009-08-29 19:30 -------- d-----w- c:\documents and settings\alex\Application Data\GlobalSCAPE
2009-08-29 19:29 . 2009-08-29 19:29 -------- d-----w- c:\program files\GlobalSCAPE
2009-08-12 11:19 . 2009-08-12 11:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-12 11:19 . 2009-08-12 11:18 -------- d-----w- c:\program files\Common Files\Real
2009-08-12 11:18 . 2009-08-12 11:18 -------- d-----w- c:\program files\Real
2009-07-24 14:20 . 2009-07-24 14:20 964 ----a-w- c:\program files\wxxn.txt
.

((((((((((((((((((((((((((((( SnapShot@2009-09-25_14.05.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 20:38 . 2009-10-06 20:38 16384 c:\windows\temp\Perflib_Perfdata_794.dat
+ 2009-06-18 14:32 . 2009-09-29 15:38 354084 c:\windows\system32\Restore\rstrlog.dat
+ 2009-09-30 08:53 . 2009-09-30 08:53 638976 c:\windows\erdnt\AutoBackup\30-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-30 08:53 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\30-09-2009\ERDNT.EXE
+ 2009-09-29 10:25 . 2009-09-29 10:25 638976 c:\windows\erdnt\AutoBackup\29-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-28 10:28 . 2009-09-28 10:28 638976 c:\windows\erdnt\AutoBackup\28-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-27 13:43 . 2009-09-27 13:43 638976 c:\windows\erdnt\AutoBackup\27-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-27 13:43 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\27-09-2009\ERDNT.EXE
+ 2009-09-26 08:55 . 2009-09-26 08:55 638976 c:\windows\erdnt\AutoBackup\26-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-26 08:55 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\26-09-2009\ERDNT.EXE
+ 2009-09-25 14:50 . 2009-09-25 14:50 638976 c:\windows\erdnt\AutoBackup\25-09-2009\Users\00000002\UsrClass.dat
+ 2009-09-25 14:50 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\25-09-2009\ERDNT.EXE
+ 2009-10-06 08:50 . 2009-10-06 08:50 638976 c:\windows\erdnt\AutoBackup\06-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-06 08:50 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\06-10-2009\ERDNT.EXE
+ 2009-10-05 08:13 . 2009-10-05 08:13 638976 c:\windows\erdnt\AutoBackup\05-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-05 08:13 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\05-10-2009\ERDNT.EXE
+ 2009-10-04 13:01 . 2009-10-04 13:01 638976 c:\windows\erdnt\AutoBackup\04-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-04 13:01 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\04-10-2009\ERDNT.EXE
+ 2009-10-03 12:59 . 2009-10-03 12:59 638976 c:\windows\erdnt\AutoBackup\03-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-03 12:59 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\03-10-2009\ERDNT.EXE
+ 2009-10-02 08:06 . 2009-10-02 08:06 638976 c:\windows\erdnt\AutoBackup\02-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-02 08:06 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\02-10-2009\ERDNT.EXE
+ 2009-10-01 08:49 . 2009-10-01 08:49 638976 c:\windows\erdnt\AutoBackup\01-10-2009\Users\00000002\UsrClass.dat
+ 2009-10-01 08:49 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\01-10-2009\ERDNT.EXE
+ 2009-09-30 08:53 . 2009-09-30 08:53 7000064 c:\windows\erdnt\AutoBackup\30-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-29 10:25 . 2009-09-29 10:25 6930432 c:\windows\erdnt\AutoBackup\29-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-28 10:28 . 2009-09-28 10:28 6930432 c:\windows\erdnt\AutoBackup\28-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-27 13:43 . 2009-09-27 13:43 6930432 c:\windows\erdnt\AutoBackup\27-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-26 08:55 . 2009-09-26 08:55 6930432 c:\windows\erdnt\AutoBackup\26-09-2009\Users\00000001\NTUSER.DAT
+ 2009-09-25 14:50 . 2009-09-25 14:50 6930432 c:\windows\erdnt\AutoBackup\25-09-2009\Users\00000001\NTUSER.DAT
+ 2009-10-06 08:50 . 2009-10-06 08:50 7024640 c:\windows\erdnt\AutoBackup\06-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-05 08:13 . 2009-10-05 08:13 7024640 c:\windows\erdnt\AutoBackup\05-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-04 13:01 . 2009-10-04 13:01 7008256 c:\windows\erdnt\AutoBackup\04-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-03 12:59 . 2009-10-03 12:59 7008256 c:\windows\erdnt\AutoBackup\03-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-02 08:06 . 2009-10-02 08:06 7008256 c:\windows\erdnt\AutoBackup\02-10-2009\Users\00000001\NTUSER.DAT
+ 2009-10-01 08:49 . 2009-10-01 08:49 7008256 c:\windows\erdnt\AutoBackup\01-10-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2001-12-31 3756032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-07-12 1581056]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-10 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 19:38 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-08 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^findfast.exe]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\findfast.exe
backup=c:\windows\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^alex^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\alex\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\AV-CLS\\WGET.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [25/09/2009 14:12 28544]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [24/04/2007 16:58 75904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/09/2009 20:50 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/09/2009 20:50 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/09/2009 20:50 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/09/2009 20:50 297752]
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 21:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:73,71,71,ef,f8,7f,b3,9d,c9,57,98,05,b2,2a,d0,8f,14,ad,e0,e0,f3,76,42,
c1,a3,6c,ec,f0,f9,bf,9f,96,77,73,29,1d,95,9d,dd,f2,7e,31,25,78,64,64,f1,f4,\
"??"=hex:d0,fe,e9,75,d6,d8,cd,ad,c3,8d,7d,75,23,88,83,bf

[HKEY_USERS\S-1-5-21-842925246-1085031214-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f0,b6,28,b9,d8,e4,17,de,a0,c9,d4,b4,5c,97,29,5e,36,b6,c7,bd,c8,
5f,8c,6a,d3,ee,be,eb,ad,31,e3,0d,b6,75,86,12,11,df,3e,09,ec,9e,83,f9,ba,f2,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-06 21:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 20:42
ComboFix2.txt 2009-10-06 09:37
ComboFix3.txt 2009-10-05 08:41
ComboFix4.txt 2009-09-25 14:09
ComboFix5.txt 2009-10-06 20:33

Pre-Run: 61,725,876,224 bytes free
Post-Run: 61,714,518,016 bytes free


#12
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again blade1957,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

Close all windows other than HiJackThis, then click Fix Checked.

Close HiJackThis.

Next

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • a fresh HijackThis log
  • MBAM log
  • Kaspersky scan results
  • and tell me how your computer is performing now


#13
blade1957

    Member

  • Topic Starter
  • Member
  • 51 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:20, on 07/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Accept-encode: (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -"http://www.bbc.co.uk...find_the.shtml"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1239911162296
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - https://register.bti...lcontrol013.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5876 bytes

Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 5.1.2600 Service Pack 2

07/10/2009 11:13:05
mbam-log-2009-10-07 (11-13-05).txt

Scan type: Quick Scan
Objects scanned: 98049
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 7, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, October 07, 2009 11:53:15
Records in database: 2928134


Scan settings
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area: My Computer
A:\
C:\
D:\

Scan statistics
Objects scanned: 36781
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:08:35

File name | Threat | Threats count
C:\Qoobox\Quarantine\[4]-Submit_2009-10-06_21.33.53.zip | Infected: Trojan-Dropper.Win32.Wlord.aey | 1

Selected area has been scanned.

seems to be running a lot better

that qoobox has now been removed completely

#14
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello blade1957,

that qoobox has now been removed completely


Qoobox is part of ComboFix. Kaspersky identified it because it had infected files in quarantine. We will fix that with this post.

I think your machine is clean.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. Erunt can also be uninstalled via the add/remove programs utility, for some though, it may be a useful backup program to hold on to. The RootRepeal folder can be deleted if it is still there after CleanUp.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is more secure than Internet Explorer. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

NoScript is a good Add-on for Firefox that prevents execution of malicious scripts.

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

If your Microsoft Update is not working automatically, keep your operating system up to date by visiting
monthly.

It is recommended that you do set Windows to check, download and install your updates automatically.
  • Click Start > Control Panel > Automatic Updates
  • Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
  • Click Apply then OK.
Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!
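An added example, not code from blade1957's or emeraldnzl's posts: the Inetcpl.cpl steps above write to the Internet zone key in the registry, so the same three ActiveX settings can be audited (and, with -Apply, set) from PowerShell, and the HOSTS file that the MVPS replacement overwrites can be reviewed at the same time for names that point somewhere other than the local machine. The zone action IDs 1001, 1004 and 1201 and their 0/1/3 meanings are Internet Explorer's documented ones; the function names and the -Apply switch are this script's own assumptions.

```powershell
# Added example (not from the original thread): audit, and optionally set, the
# three Internet-zone ActiveX options recommended in the post, then review the
# HOSTS file for redirects. Zone IDs/values are IE's documented ones; function
# names and the -Apply switch are this script's own.
param([switch]$Apply)

# Zone 3 is the Internet zone. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# If the Security_HKLM_only policy is set, IE reads the HKLM copy of this key instead.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Wanted  = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
)

function Test-ActiveXZoneSettings {
    param([switch]$Fix)
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    foreach ($s in $Wanted) {
        # A missing value means the zone template default applies; it is reported
        # as WEAK so that -Fix writes an explicit setting.
        $current = $null
        if ($props -and $props.PSObject.Properties[$s.Id]) { $current = [int]$props.($s.Id) }
        $currentLabel = if ($null -eq $current) { '(not set)' }
                        elseif ($Labels.ContainsKey($current)) { $Labels[$current] }
                        else { "unknown ($current)" }
        $ok = ($current -eq $s.Value)
        $status = if ($ok) { 'OK  ' } else { 'WEAK' }
        "{0} {1,-60} current={2,-10} wanted={3}" -f $status, $s.Name, $currentLabel, $Labels[$s.Value]
        if (-not $ok -and $Fix) {
            if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
            Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $s.Value -Type DWord
        }
    }
}

function Test-HostsFile {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Addresses that sinkhole a name to the local machine (what the MVPS file uses).
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')
    $blocked   = 0
    $redirects = @()
    foreach ($line in (Get-Content -Path $Path)) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments and blank lines
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip    = $fields[0]
        $names = @($fields[1..($fields.Count - 1)] | Where-Object { $_ -ne 'localhost' })
        if ($sinkholes -contains $ip) {
            $blocked += $names.Count
        } else {
            # A name mapped to a real address is how malware hijacks update and
            # security-vendor sites; list every such entry for review.
            foreach ($n in $names) { $redirects += "$n -> $ip" }
        }
    }
    "HOSTS: $blocked host name(s) sinkholed to the local machine"
    if ($redirects.Count -gt 0) {
        "REVIEW: $($redirects.Count) name(s) mapped to a non-local address:"
        $redirects | ForEach-Object { "  $_" }
    } else {
        "OK: no host names are mapped to a non-local address"
    }
}

Test-ActiveXZoneSettings -Fix:$Apply
Test-HostsFile
```

Run it as the user whose Internet Explorer profile you want to check; without -Apply it only reports, with -Apply it writes the three recommended values. A genuine entry in the REVIEW list (for example an intranet name set by an administrator) is fine; an update or antivirus site pointing at an unfamiliar address is the thing to look into.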

#15
blade1957

    Member

  • Topic Starter
  • Member
  • 51 posts
can i just say a massive thank you for your help

Many Thanks

Alex