
Malware/Trojan (Google Redirects, Applications Prevented)


This topic is locked

#1 Charlemagne_920 (Member, 17 posts)

Hello!

I'm back with another infected laptop (same mother-in-law...different laptop). The good news is she thinks she knows which site she went to to get infected.

Any help on getting this back up and running would be very much appreciated! I've run MBAM, Norton, and AdAware all in safe mode. These are the logs I have after doing that (DDS "Attach" log is attached):

HiJackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:36:01 PM, on 8/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [\\FAMILY-ROOM\EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P37 "\\FAMILY-ROOM\EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kycvbuoi] C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe\hxgmjhjtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174008100046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://activex.micro...jects/ocget.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6833 bytes





DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Pozydaev at 15:36:29.12 on Thu 08/19/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.620 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Documents and Settings\Pozydaev\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netscape.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [Google Update] "c:\documents and settings\pozydaev\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [\\FAMILY-ROOM\EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaba.exe /p37 "\\family-room\EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AtiPTA] atiptaxx.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [kycvbuoi] c:\documents and settings\networkservice\local settings\application data\jglqgewfe\hxgmjhjtssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174008100046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://activex.microsoft.com/objects/ocget.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Hosts: 91.212.65.122 browser-security.microsoft.com
Hosts: 91.212.65.122 antiwareprotect.com
Hosts: 91.212.65.122 www.antiwareprotect.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pozydaev\applic~1\mozilla\firefox\profiles\6qizzd76.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - plugin: c:\documents and settings\pozydaev\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pozydaev\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\pozydaev\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-12-4 8464]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-12-5 471040]
S3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-12-4 175472]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100811.002\NAVENG.sys [2010-8-11 85424]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100811.002\NAVEX15.sys [2010-8-11 1362608]

=============== Created Last 30 ================

2010-08-09 13:34:48 782336 ----a-w- c:\windows\system32\drivers\ehzzl.sys
2010-08-09 13:34:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-28 17:04:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================


============= FINISH: 15:38:00.43 ===============





Thanks in advance!!

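The posted logs already carry the indicators a responder would pull out of them: the hosts file maps browser-security.microsoft.com and antiwareprotect.com to 91.212.65.122 instead of a loopback address; the IE ProxyServer value in every loaded hive (the user, .DEFAULT and S-1-5-18/SYSTEM) is http=127.0.0.1:6522, so browser traffic is routed through a process listening locally; a Run value under the SYSTEM hive launches hxgmjhjtssd.exe from a NetworkService profile directory; Firefox's keyword.URL points at search.search-go.net; and ehzzl.sys appeared in system32\drivers on 2010-08-09. The script below is an added example, not part of the original post and not code from HijackThis, DDS or OTL: it reads HijackThis/DDS-style lines and flags exactly those five patterns. The sample lines are copied from the logs above, and the flag rules are the editor's own heuristics (the allowlist of search engines and the choice of "service-account hives" are assumptions), so a hit is a lead to verify, not a verdict.

```python
"""Indicator triage over HijackThis/DDS-style log lines.

Added example for the thread; not code from HijackThis, DDS or OTL.
The rules are heuristics written to match the artefacts in the posted logs.
"""
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis and DDS logs in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKUS\S-1-5-18\..\Run: [kycvbuoi] C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe\hxgmjhjtssd.exe (User 'SYSTEM')
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
2010-08-09 13:34:48 782336 ----a-w- c:\windows\system32\drivers\ehzzl.sys
"""

HOSTS_RE = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")                      # HJT "O1 - Hosts:" / DDS "Hosts:"
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(\S+)')                   # HJT R1 / DDS / OTL forms
RUN_RE = re.compile(r"O4 - (HK\S+?)\\?\.\.\\Run:\s*\[([^\]]+)\]\s*(.+)$")  # HJT and OTL O4 lines
KEYWORD_RE = re.compile(r'keyword\.URL\s*[-:]\s*"?(?:hxxps?|https?)://([^/"\s]+)', re.I)
NEW_DRIVER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \d+ \S+ (\S+\\drivers\\[^\\]+\.sys)$", re.I)

# Assumption: autostarts in these hives run as SYSTEM/service accounts, so a
# value there that points into a user-writable profile directory is out of place.
SERVICE_HIVES = ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")
# Assumption: the engines a keyword.URL would legitimately point at.
KNOWN_SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com")


def _is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def _proxy_hosts(value):
    """'http=127.0.0.1:6522;https=proxy:8080' -> ['127.0.0.1', 'proxy']"""
    hosts = []
    for entry in value.split(";"):
        entry = entry.split("=", 1)[-1]        # drop the 'http=' scheme prefix
        hosts.append(entry.rsplit(":", 1)[0])  # drop the port
    return hosts


def _finding(rule, detail, line):
    return {"rule": rule, "detail": detail, "line": line}


def triage(log_text):
    """Return a list of findings, one per flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = HOSTS_RE.search(line)
        if m:  # any hosts override that does not point at loopback
            addr, name = m.groups()
            if not _is_loopback(addr):
                findings.append(_finding("hosts-override", f"{name} -> {addr}", line))
            continue

        m = PROXY_RE.search(line)
        if m and any(_is_loopback(h) for h in _proxy_hosts(m.group(1))):
            findings.append(_finding("loopback-proxy", m.group(1), line))
            continue

        m = RUN_RE.search(line)
        if m:
            hive, name, rest = m.groups()
            # strip HJT's "(User 'SYSTEM')", OTL's "(Company)" and "File not found" suffixes
            path = re.sub(r"(?:\s*(?:\([^)]*\)|File not found))+\s*$", "", rest)
            in_service_hive = any(h in hive for h in SERVICE_HIVES)
            in_profile = re.search(r"\\(?:Documents and Settings|Users)\\", path, re.I)
            if in_service_hive and in_profile:
                findings.append(_finding("system-run-from-profile", f"[{name}] {path}", line))
            continue

        m = KEYWORD_RE.search(line)
        if m:
            host = m.group(1).lower()
            if not any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_DOMAINS):
                findings.append(_finding("search-hijack", host, line))
            continue

        m = NEW_DRIVER_RE.search(line)
        if m:  # a kernel driver in the "Created Last 30" section deserves a look
            findings.append(_finding("new-driver", m.group(1), line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:<24} {f['detail']}")
```

Run against the sample it reports six findings: the loopback proxy, the two hosts overrides, the SYSTEM-hive Run value, the search-go.net keyword URL and ehzzl.sys. The HKLM vptray entry and the ::1 localhost line pass, which is the point of checking location and target rather than just the presence of an entry.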
#2 Aaron (Expert, 3,155 posts)

Hi, welcome to Geeks to Go :) !
I'm Maser00 and I will be helping you with your problem(s).

Before we start I need to mention a few things:
  • Please post all the requested logs directly in your reply, do not attach or put them in Quote/Code boxes unless asked to.
  • I recommend reading my instructions at least once before carrying them out, this will make sure you understand them before you start.
  • Try to reply every one to two days; I'll try to do the same. At some point your computer will run better (hopefully :)), but this doesn't mean all malware is removed!
    Therefore it's very important to keep following my instructions. I'll tell you when we are done.
  • Please don't run any other malware removal tools/programs or instructions that I didn't ask for.
  • It's important to follow all instructions as told. If you have any questions, don't hesitate to ask!

Please follow these steps:

============ Step one ============

Download OTL to your Desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select Scan all users
Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.

============ Step two ============

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

Please post the logs of OTL and GMER in your next reply.

#3 Charlemagne_920 (Topic Starter, Member, 17 posts)

Hello!

Thanks for your quick reply and for the help! I really appreciate it, and I will be more prompt with my replies in the future!
I had a bear of a time with GMER freezing and hanging, but it finally worked.

Here are the logs:

OTL.txt
OTL logfile created on: 8/21/2010 9:31:07 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Pozydaev\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 399.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 137.00 Gb Total Space | 121.77 Gb Free Space | 88.88% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.21 Gb Free Space | 62.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P-LAPTOP
Current User Name: Pozydaev
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/21 09:26:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/03/24 18:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2001/12/05 11:53:54 | 000,073,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\vptray.exe
PRC - [2001/12/05 11:45:38 | 000,471,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\rtvscan.exe
PRC - [2001/12/05 11:37:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\defwatch.exe
PRC - [2000/09/18 17:12:40 | 000,014,336 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\MSGSYS.EXE


========== Modules (SafeList) ==========

MOD - [2010/08/21 09:26:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2001/12/05 11:45:38 | 000,471,040 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2001/12/05 11:37:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\defwatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans)
DRV - [2010/08/11 04:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100811.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/08/11 04:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100811.002\NAVENG.SYS -- (NAVENG)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/06 16:37:26 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/01 13:48:10 | 000,033,664 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BCMWLNPF.SYS -- (BCMWLNPF)
DRV - [2006/10/12 16:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/05/03 12:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/03/24 18:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/08 13:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/01 02:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 02:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 02:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/08/05 12:32:16 | 000,045,312 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2004/07/14 12:54:42 | 000,676,864 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2001/12/04 20:30:46 | 000,008,464 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\NavNT\Navapel.sys -- (NAVAPEL)
DRV - [2001/12/04 20:29:18 | 000,175,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\NavNT\navap.sys -- (NAVAP)
DRV - [2001/10/16 14:19:00 | 000,058,032 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522



IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..keyword.URL: "http://search.search...10101052100&s="

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search...10101052100&s="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/11 19:06:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 21:11:24 | 000,000,000 | ---D | M]

[2008/09/03 08:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Extensions
[2010/08/13 12:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions
[2010/08/02 07:41:19 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/08/02 07:41:23 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/18 06:52:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\[email protected]
[2008/06/20 07:49:56 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\searchplugins\wikipedia-en.xml
[2010/08/16 21:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/10 09:34:02 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2009/05/02 08:20:11 | 000,000,156 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [\\FAMILY-ROOM\EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (Symantec Corporation)
O4 - HKU\.DEFAULT..\Run: [kycvbuoi] C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe\hxgmjhjtssd.exe File not found
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [kycvbuoi] C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe\hxgmjhjtssd.exe File not found
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1174008100046 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://activex.micro...jects/ocget.dll (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.11.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/15 20:01:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}\Shell\p\command - "" = C:\WINDOWS\Explorer.exe -- [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d3ff5e3c-0418-11dd-af42-0019b95e5cea}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/21 09:27:53 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2010/08/16 21:43:08 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2010/08/13 12:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\gjyamrsrp
[2010/08/12 19:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/11 19:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2010/08/11 19:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/08/09 09:34:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe
[2010/08/09 09:34:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/02 21:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/30 22:22:00 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2010/07/30 13:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/30 13:17:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/28 13:04:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/28 11:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[1996/11/18 01:00:00 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[16 C:\Documents and Settings\Pozydaev\My Documents\*.tmp files -> C:\Documents and Settings\Pozydaev\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/21 13:34:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/08/21 13:15:46 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003UA.job
[2010/08/21 12:31:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\ehzzl.sys
[2010/08/21 09:26:50 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.zip
[2010/08/21 09:26:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2010/08/20 19:13:17 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003Core.job
[2010/08/19 15:40:14 | 001,033,306 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/19 15:40:14 | 000,410,014 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/19 15:40:14 | 000,004,850 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/19 15:37:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/19 15:35:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/19 15:35:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/19 15:35:25 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/16 21:44:49 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Pozydaev\NTUSER.DAT
[2010/08/16 21:44:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Pozydaev\ntuser.ini
[2010/08/12 13:47:53 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\The Art of Thank You Note Writing.doc
[2010/08/12 13:40:27 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\Microsoft Word.lnk
[2010/08/08 00:23:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/04 14:18:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2010/08/04 12:15:08 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\dds.scr
[2010/07/30 22:29:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2010/07/28 17:22:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/07/27 22:23:53 | 000,242,176 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\digi - carrollers.doc
[2010/07/27 22:23:53 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\~$gi - carrollers.doc
[2010/07/26 16:29:36 | 002,531,687 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\awhiholger.zip
[2010/07/20 21:26:41 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\Mary Jane Pozydaev Resume.doc
[2010/06/30 12:25:39 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\brunch invitation 2010.doc
[2010/06/16 16:20:56 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\budget.xls
[2010/06/15 11:02:45 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\AmericorpsStatement.doc
[2010/06/11 10:08:08 | 000,196,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 09:51:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[16 C:\Documents and Settings\Pozydaev\My Documents\*.tmp files -> C:\Documents and Settings\Pozydaev\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/21 09:33:25 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.exe
[2010/08/21 09:27:43 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.zip
[2010/08/19 15:35:25 | 1072,103,424 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/16 21:43:15 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\dds.scr
[2010/08/12 13:47:53 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\The Art of Thank You Note Writing.doc
[2010/08/09 09:34:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\ehzzl.sys
[2010/08/09 09:34:24 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/07/28 13:04:50 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/27 22:23:53 | 000,242,176 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\digi - carrollers.doc
[2010/07/27 22:23:53 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\~$gi - carrollers.doc
[2010/07/26 16:29:14 | 002,531,687 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\awhiholger.zip
[2010/07/20 21:26:41 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\Mary Jane Pozydaev Resume.doc
[2010/06/30 08:23:42 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\brunch invitation 2010.doc
[2010/06/16 16:20:56 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\budget.xls
[2010/06/09 16:03:32 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\AmericorpsStatement.doc
[2010/02/24 21:14:36 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/06/20 12:07:19 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/05/19 19:22:16 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2008/06/16 10:40:16 | 000,000,018 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\msesbucf.txt
[2008/04/06 16:37:27 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2008/01/20 19:12:53 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/09/04 21:29:24 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Application Data\PFP120JPR.{PB
[2007/09/04 21:29:24 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Application Data\PFP120JCM.{PB
[2007/07/29 05:02:01 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/03/16 22:33:04 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/03/16 18:04:57 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/03/15 23:09:49 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/03/15 21:53:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/03/15 21:47:09 | 000,000,592 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/15 21:43:35 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/03/15 21:43:34 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/03/15 21:28:30 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\fusioncache.dat
[2007/03/15 21:06:19 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/02/23 00:29:56 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/12/12 12:24:42 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/03/31 16:00:35 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2005/08/10 11:56:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ESxUtil.dll
[2004/06/24 02:20:02 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2001/12/05 11:52:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2000/09/18 17:12:40 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\CSSMS_IN.DLL
[1996/11/18 01:00:00 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\Co2c40en.dll
[1996/11/18 01:00:00 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\P2sodbc.dll
[1996/11/18 01:00:00 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2irdao.dll
[1996/11/18 01:00:00 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2ctdao.dll
[1996/11/18 01:00:00 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\P2bbnd.dll
[1996/05/25 17:00:00 | 000,107,008 | ---- | C] () -- C:\WINDOWS\System32\fxtls432.dll

========== LOP Check ==========

[2008/07/31 14:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Examsoft
[2010/08/16 22:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2008/02/23 14:43:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Opera
[2007/03/20 13:02:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Thunderbird
[2010/08/21 13:34:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/03/15 20:01:33 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/03/15 21:17:46 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2007/03/15 20:01:33 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/08/19 15:35:25 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2007/03/15 20:01:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/03/15 20:01:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/10/10 21:55:08 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/19 15:35:24 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2007/03/15 21:48:10 | 000,003,395 | -H-- | M] () -- C:\_NavCClt.Log
[1 C:\*.tmp files -> C:\*.tmp -> ]

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2007/03/15 20:01:06 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/12/03 18:55:24 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2007/03/15 14:20:05 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/03/15 14:20:05 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/03/15 14:20:05 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >
[2008/07/31 12:17:11 | 000,000,000 | ---D | M] -- C:\Program Files\ExamSoft\SofTest\bak

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/10/10 22:13:42 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/10/11 09:59:18 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2007/03/15 21:01:31 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.exe
[2010/03/12 14:34:49 | 000,569,520 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\GoogleVoiceAndVideoSetup.exe
[2010/08/04 14:18:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2008/09/22 15:44:06 | 001,495,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Pozydaev\Desktop\install_flash_player(2).exe
[2008/09/22 15:38:30 | 001,495,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Pozydaev\Desktop\install_flash_player.exe
[2010/07/30 22:29:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2009/05/02 09:38:10 | 002,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup.exe
[2010/08/21 09:26:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2009/09/15 18:13:30 | 009,775,465 | ---- | M] (Digital Smoke ) -- C:\Documents and Settings\Pozydaev\Desktop\SolCity.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-19 12:38:01
< End of report >


Extras.txt
OTL Extras logfile created on: 8/21/2010 9:31:07 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Pozydaev\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 399.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 137.00 Gb Total Space | 121.77 Gb Free Space | 88.88% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.21 Gb Free Space | 62.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P-LAPTOP
Current User Name: Pozydaev
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Schwab\Velocity Velocity\lib\jre\bin\jre.exe" = C:\Program Files\Schwab\Velocity Velocity\lib\jre\bin\jre.exe:*:Enabled:jre -- File not found
"C:\Program Files\Schwab\Velocity Velocity\lib\jre\bin\java.exe" = C:\Program Files\Schwab\Velocity Velocity\lib\jre\bin\java.exe:*:Enabled:java -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4 -- File not found
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe" = C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch -- File not found
"C:\Program Files\ExamSoft\SofTest\softest.exe" = C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest -- File not found
"E:\setup\HPZNUI01.EXE" = E:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0E549A13-2B3D-4633-BA41-DC88C2D6F9A3}" = ProductContext
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{1147FF9A-D576-4cb5-B5E7-FCA21D1E7D26}" = J4680
"{188C0E25-3D65-4DAC-9C00-7483FBA4C7EB}" = Status
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{26B878A8-5704-3B64-BDBC-4F0EACA38121}" = Google Talk Plugin
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3825B383-7880-48C8-AADD-49B0D764B151}" = 4660_4680_Help
"{50802F8E-03B4-479D-A643-16DE5A3586CB}" = BPDSoftware_Ini
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{623F4D5E-F01F-4E8E-BF02-A296ED4000F9}" = SofTest Bar Edition
"{67335AB1-6341-4f87-A5B4-7FA92CEB77A4}" = HP Officejet All-In-One Series
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{73090A5A-E0C0-4E0B-A320-E183877061A5}" = ALLDATA for Windows
"{74EC78BC-B379-4E29-9006-8F161DCAABA6}" = Apple Software Update
"{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}" = Ad-Aware SE Personal
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{A02ED372-22FA-448B-AB6A-1B0FC23B7D08}" = ATI Catalyst Control Center
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}" = Apple Mobile Device Support
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABA00898-9467-4689-9F40-DE7F58C8429C}" = Fax
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{ACDE260A-602B-4cfb-A650-D0DBA6FFAD85}" = NetDeviceManager
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}" = Norton AntiVirus Corporate Edition
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3737952-FF6E-4E72-BDEE-B0DC1C69F80B}" = BPD_HPSU
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{E14B8A08-42B3-4676-9E91-1D39F8158DA1}" = HP Print Diagnostic Utility
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F4EAEBEA-3E46-43b8-A63C-AD180AE86918}" = BPDSoftware
"{FB706A00-C234-4716-AB1F-27DCB192C664}" = Opera 9.26
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver (Omega 3.8.252)
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"CSCLIB" = Canon Camera Support Core Library
"DivX Content Uploader" = DivX Content Uploader
"DVD Shrink_is1" = DVD Shrink 3.2
"EOS Utility" = Canon Utilities EOS Utility
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Smart Web Printing" = HP Smart Web Printing
"HPOCR" = OCR Software by I.R.I.S. 10.0
"LiveUpdate1.7" = LiveUpdate 1.7 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MultiRes (remove only)" = MultiRes (remove only)
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"Panda ActiveScan" = Panda ActiveScan
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa2" = Picasa 2
"Radeon Omega Drivers for Windows 2k/XPv3.8.252" = Radeon Omega Drivers v3.8.252 Setup Files and Tools
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Velocity Velocity 4.6 (Schwab)" = Velocity Velocity 4.6 (Schwab)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/21/2010 5:13:26 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 6:13:36 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 7:13:29 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 8:13:24 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 9:13:34 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 10:13:41 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 11:30:49 AM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 12:15:15 PM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 1:15:35 PM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

Error - 8/21/2010 2:14:04 PM | Computer Name = P-LAPTOP | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 8/16/2010 10:22:06 PM | Computer Name = P-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/16/2010 10:23:37 PM | Computer Name = P-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/16/2010 10:23:53 PM | Computer Name = P-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/16/2010 10:28:31 PM | Computer Name = P-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/16/2010 10:30:40 PM | Computer Name = P-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/16/2010 10:56:32 PM | Computer Name = P-LAPTOP | Source = PlugPlayManager | ID = 12
Description = The device 'zwfuhslde3' (Root\LEGACY_ZWFUHSLDE3\0000) disappeared
from the system without first being prepared for removal.

Error - 8/16/2010 11:34:58 PM | Computer Name = P-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/19/2010 3:35:32 PM | Computer Name = P-LAPTOP | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring
the volume.

Error - 8/19/2010 3:36:31 PM | Computer Name = P-LAPTOP | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 8/19/2010 3:37:12 PM | Computer Name = P-LAPTOP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >



Ark.txt
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-21 20:06:06
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Pozydaev\LOCALS~1\Temp\ugriapow.sys


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B870B16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B870AFC2

Code \SystemRoot\system32\drivers\zwfuhslde3.sys ZwEnumerateKey [0xEE2FBADA]
Code \SystemRoot\system32\drivers\zwfuhslde3.sys ObInsertObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeRegisterBugCheckReasonCallback + 208 804F9480 5 Bytes JMP EE309D56 \SystemRoot\system32\drivers\zwfuhslde3.sys
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP EE2FBBEE \SystemRoot\system32\drivers\zwfuhslde3.sys
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 5 Bytes JMP EE2FBADE \SystemRoot\system32\drivers\zwfuhslde3.sys
? ehzzl.sys A device attached to the system is not functioning. !
PAGE Ntfs.sys F71BDE55 4 Bytes CALL 86FAC841
.rsrc C:\WINDOWS\system32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xF75CB194]
? C:\WINDOWS\system32\drivers\zwfuhslde3.sys The system cannot find the path specified.
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB83BD400, 0x82482, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xB845D420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xB845D420]
.protectÿÿÿÿhardlockunknown last code section [0xB845D200, 0x5105, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB845D200, 0x5105, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B0000A
.text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[1296] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01F2000A
.text C:\WINDOWS\System32\svchost.exe[1296] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D3000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F91428

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs zwfuhslde3.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp zwfuhslde3.sys
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86C9BEC5

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ehzzl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\zwfuhslde3.sys (*** hidden *** ) [SYSTEM] zwfuhslde3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ehzzl@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ehzzl@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ehzzl@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ehzzl@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@ImagePath system32\drivers\zwfuhslde3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@DisplayName zwfuhslde3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@Group Filter
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@hwbls 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@hwsht 0x00 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\zwfuhslde3\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\ehzzl@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ehzzl@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\ehzzl@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ehzzl@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@ImagePath system32\drivers\zwfuhslde3.sys
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@DisplayName zwfuhslde3.sys
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@Group Filter
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@hwbls 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@hwsht 0x00 0x00
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\zwfuhslde3\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\zwfuhslde3.sys 82944 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#4
Aaron
Expert
3,155 posts
Hi

O7 - HKU\S-1-5-21-790525478-1220945662-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1

Did you set this up yourself? This means that this user has limited space on the drive for e.g. files and programs. See here for more information: http://technet.micro...y/cc959451.aspx

Please follow these steps:
============ Step one ============

Run OTL again

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    FF - user.js..keyword.URL: "http://search.search...10101052100&s="
    O4 - HKU\.DEFAULT..\Run: [kycvbuoi] C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe\hxgmjhjtssd.exe File not found
    O4 - HKU\S-1-5-18..\Run: [kycvbuoi] C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe\hxgmjhjtssd.exe File not found
    O33 - MountPoints2\{d3ff5e3c-0418-11dd-af42-0019b95e5cea}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found
    [2010/08/13 12:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\gjyamrsrp
    [2010/08/09 09:34:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe
    [2010/08/21 12:31:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\ehzzl.sys
    [2010/08/09 09:34:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\ehzzl.sys
    [2008/06/16 10:40:16 | 000,000,018 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\msesbucf.txt
    [2007/09/04 21:29:24 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Application Data\PFP120JPR.{PB
    [2007/09/04 21:29:24 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Application Data\PFP120JCM.{PB

    :Services

    :Reg
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}]

    :Files

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done and save the log it produces.
  • Open OTL again and click the Quick Scan button. Now post the log it produces together with the log you saved from running the fix. Post both logs in your next reply please.

============ Step two ============

Run OTL again:

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    C:\Documents and Settings\All Users\Application Data\Update\*.*
  • Set every item to none (processes, modules, services, drivers, standard & extra registry and files modified & created within)
  • Then click the Run Scan button at the top
  • Let the program run unhindered and post the log it produces in your next reply.

============ Step three ============

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
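The indicators Aaron's fix script and GMER's flags point at (a loopback proxy in the IE settings, hidden services, kernel exports redirected into an unknown driver, an unattributed filter on the TCP/IP stack) can be pulled out of logs in these formats mechanically. The following triage script is an added example for readers of this thread; it is not code from the thread, nor from OTL, GMER or ComboFix, and the sample lines it runs on are constructed in the same formats as the logs above.

```python
"""Triage for OTL / GMER log lines in the formats posted in this thread.

Added example, not part of the thread or of the tools. It pattern-matches the
line formats seen above and returns structured findings a helper would act on:
  * IE proxy settings pointing at a loopback address (traffic interception,
    a common cause of the "Google redirects" symptom),
  * GMER "hidden" services and files marked as rootkit components,
  * inline JMP hooks, kernel-mode (target is a driver) or user-mode (target
    is a bare address with no backing module),
  * filter drivers attached to the TCP/IP or file-system stacks with no vendor string.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    kind: str      # indicator category
    detail: str    # human-readable summary
    line: str      # the log line that triggered it


# OTL:  IE - HKU\<sid>\...\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\.*"ProxyServer" = (?:\w+=)?(?P<host>[\w.\-:]+?):(?P<port>\d+)$')
# GMER: Service C:\...\zwfuhslde3.sys (*** hidden *** ) [SYSTEM] zwfuhslde3 <-- ROOTKIT !!!
#       Service (*** hidden *** ) [BOOT] ehzzl <-- ROOTKIT !!!
HIDDEN_SVC_RE = re.compile(
    r'^Service\s+(?:(?P<path>\S+)\s+)?\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)')
# GMER: File C:\WINDOWS\system32\drivers\zwfuhslde3.sys 82944 bytes executable <-- ROOTKIT !!!
HIDDEN_FILE_RE = re.compile(r'^File\s+(?P<path>\S+)\s+.*<-- ROOTKIT')
# GMER: PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 5 Bytes JMP EE2FBADE \SystemRoot\...\zwfuhslde3.sys
#       .text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
HOOK_RE = re.compile(
    r'^(?:\.text|PAGE)\s+(?:(?P<proc>\S+\[\d+\])\s+)?(?P<mod>[^\s!]+)!(?P<func>\S+)'
    r'(?:\s+\+\s+[0-9A-Fa-f]+)?\s+[0-9A-Fa-f]+\s+\d+ Bytes JMP (?P<target>[0-9A-Fa-f]+)'
    r'(?:\s+(?P<target_mod>\S+))?$')
# GMER: AttachedDevice \Driver\Tcpip \Device\Tcp zwfuhslde3.sys          (no "(vendor)" suffix)
#       AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
ATTACHED_RE = re.compile(
    r'^AttachedDevice\s+(?P<stack>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)(?:\s+\((?P<vendor>.*)\))?$')

LOOPBACK_PREFIXES = ('127.', 'localhost', '::1')
SENSITIVE_STACKS = ('\\Driver\\Tcpip', '\\FileSystem\\Ntfs', '\\FileSystem\\Fastfat')


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if m['host'].lower().startswith(LOOPBACK_PREFIXES):
                findings.append(Finding('loopback_proxy', f"{m['hive']} -> {m['host']}:{m['port']}", line))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            findings.append(Finding('hidden_service', f"{m['name']} [{m['start']}] path={m['path'] or '?'}", line))
            continue
        m = HIDDEN_FILE_RE.match(line)
        if m:
            findings.append(Finding('hidden_file', m['path'], line))
            continue
        m = HOOK_RE.match(line)
        if m:
            where = f"{m['mod']}!{m['func']}"
            if m['proc'] is None and m['target_mod']:
                # Kernel export redirected into a driver: ZwEnumerateKey / ObInsertObject
                # hooks are how the driver hides its registry key and kernel objects.
                findings.append(Finding('kernel_inline_hook', f"{where} -> {m['target_mod']}", line))
            elif m['proc'] is not None and not m['target_mod']:
                # User-mode API redirected to an address GMER could not map to any module.
                findings.append(Finding('usermode_inline_hook', f"{m['proc']} {where} -> {m['target']}", line))
            continue
        m = ATTACHED_RE.match(line)
        if m and m['stack'] in SENSITIVE_STACKS and not m['vendor']:
            findings.append(Finding('unattributed_filter', f"{m['driver']} on {m['device']}", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.kind for f in findings))


def implicated_drivers(findings: List[Finding]) -> Set[str]:
    """Driver file names appearing in more than one indicator category: a driver that is
    hidden AND hooking AND filtering is the removal target, not a coincidence."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        for name in re.findall(r'[\w\-]+\.sys', f.detail, re.I):
            seen.setdefault(name.lower(), set()).add(f.kind)
    return {name for name, kinds in seen.items() if len(kinds) > 1}


# Constructed sample in the formats above: the thread's indicators mixed with benign
# lines (a vendor-attributed Symantec filter, a user whose proxy is a real host).
SAMPLE_LOG = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 5 Bytes JMP EE2FBADE \SystemRoot\system32\drivers\zwfuhslde3.sys
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP EE2FBBEE \SystemRoot\system32\drivers\zwfuhslde3.sys
.text C:\WINDOWS\System32\svchost.exe[1296] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D3000A
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp zwfuhslde3.sys
Service (*** hidden *** ) [BOOT] ehzzl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\zwfuhslde3.sys (*** hidden *** ) [SYSTEM] zwfuhslde3 <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\zwfuhslde3.sys 82944 bytes executable <-- ROOTKIT !!!
"""

if __name__ == '__main__':
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f'{f.kind:22} {f.detail}')
    print(summarize(found))
    print('removal targets:', implicated_drivers(found))
```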

#5
Charlemagne_920
Topic Starter, Member
17 posts
We did not set up the Profile Quota on purpose. I don't know why that's enabled.

Here's the log from the first OTL run-through:
All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-790525478-1220945662-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Documents and Settings\Pozydaev\Application Data\Mozilla\FireFox\Profiles\6qizzd76.default\user.js moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\kycvbuoi deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\kycvbuoi not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3ff5e3c-0418-11dd-af42-0019b95e5cea}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d3ff5e3c-0418-11dd-af42-0019b95e5cea}\ not found.
File F:\wd_windows_tools\setup.exe not found.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\gjyamrsrp folder moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\jglqgewfe folder moved successfully.
File C:\WINDOWS\System32\drivers\ehzzl.sys not found.
File C:\WINDOWS\System32\drivers\ehzzl.sys not found.
C:\Documents and Settings\Pozydaev\Local Settings\Application Data\msesbucf.txt moved successfully.
C:\Documents and Settings\Pozydaev\Application Data\PFP120JPR.{PB moved successfully.
C:\Documents and Settings\Pozydaev\Application Data\PFP120JCM.{PB moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a0809d7f-ca1a-11de-b20c-0019b95e5cea}\ not found.
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 22629622 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8126983 bytes
->FireFox cache emptied: 15332379 bytes
->Flash cache emptied: 4635 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 18729841 bytes
->Java cache emptied: 4040 bytes
->Flash cache emptied: 12168 bytes

User: Pozydaev
->Temp folder emptied: 820190381 bytes
->Temporary Internet Files folder emptied: 85588862 bytes
->Java cache emptied: 123284087 bytes
->FireFox cache emptied: 38517779 bytes
->Flash cache emptied: 91470 bytes

%systemdrive% .tmp files removed: 88866816 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 37927173 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64721812 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1677788 bytes

Total Files Cleaned = 1,266.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Pozydaev
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.10.0 log created on 08222010_155250

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




And here's the next one:
OTL logfile created on: 8/22/2010 4:00:11 PM - Run 2
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Pozydaev\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 456.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 137.00 Gb Total Space | 122.98 Gb Free Space | 89.76% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.21 Gb Free Space | 62.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 483.23 Mb Total Space | 381.48 Mb Free Space | 78.94% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P-LAPTOP
Current User Name: Pozydaev
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< C:\Documents and Settings\All Users\ Application Data\Update\*.* >
< End of report >



And here's the ComboFix log:
ComboFix 10-08-21.06 - Pozydaev 08/22/2010 16:40:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.677 [GMT -4:00]
Running from: c:\documents and settings\Pozydaev\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pozydaev\Recent\Thumbs.db
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\jestertb.dll

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :)
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-22 20:44 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-08-22 19:52 . 2010-08-22 19:52 -------- d-----w- C:\_OTL
2010-08-17 01:57 . 2010-08-17 01:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-08-17 01:52 . 2010-08-17 01:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2010-08-11 23:06 . 2010-08-11 23:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2010-08-10 21:23 . 2010-08-10 21:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-09 13:34 . 2010-08-17 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-30 17:17 . 2010-07-30 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-28 17:04 . 2010-08-08 04:23 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 21:30 . 2009-06-23 02:00 -------- d-----w- c:\documents and settings\Pozydaev\Application Data\HPAppData
2010-07-31 02:30 . 2009-05-02 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 14:31 . 2007-03-15 23:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-12 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-12-05 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Schwab\\Velocity Velocity\\lib\\jre\\bin\\java.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Pozydaev\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Pozydaev\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


--- Other Services/Drivers In Memory ---

*Deregistered* - ehzzl

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003Core.job
- c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-12 18:35]

2010-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003UA.job
- c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-12 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netscape.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - plugin: c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-\\FAMILY-ROOM\EPSON Stylus C88 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
MSConfigStartUp-CTSVolFE - c:\program files\Creative\Mixer\CTSVolFE.exe
AddRemove-XPv3.8.252 - c:\windows\Radeon Omega Drivers v3.8.252



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\zwfuhslde3.sys 82944 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zwfuhslde3]
"ImagePath"="system32\drivers\zwfuhslde3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehzzl]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\MsgSys.EXE
c:\windows\stsystra.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-22 16:51:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 20:51

Pre-Run: 131,954,302,976 bytes free
Post-Run: 131,846,254,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 164940AEE2922C576F2E173E42680C63

#6 Charlemagne_920 (Member, Topic Starter, 17 posts):
Hmmm...looking at that second OTL report it looks like I had a space where there shouldn't have been one in the Custom Scan line. Did I mess that up?

#7 Aaron (Expert, 3,155 posts):
Hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=

Driver::
zwfuhslde3
ehzzl

Rootkit::
c:\windows\system32\drivers\zwfuhslde3.sys
C:\WINDOWS\System32\drivers\ehzzl.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hmmm...looking at that second OTL report it looks like I had a space where there shouldn't have been one in the Custom Scan line. Did I mess that up?

Yes :) Please do that step again.

#8 Charlemagne_920 (Member, Topic Starter, 17 posts):
Here's the OTL step that I screwed up:
OTL logfile created on: 8/23/2010 5:27:30 PM - Run 3
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Pozydaev\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 446.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 137.00 Gb Total Space | 122.79 Gb Free Space | 89.63% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.21 Gb Free Space | 62.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 483.23 Mb Total Space | 381.45 Mb Free Space | 78.94% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P-LAPTOP
Current User Name: Pozydaev
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< C:\Documents and Settings\All Users\Application Data\Update\*.* >
< End of report >




And the ComboFix after running the script:

ComboFix 10-08-21.06 - Pozydaev 08/23/2010 17:30:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.448 [GMT -4:00]
Running from: c:\documents and settings\Pozydaev\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pozydaev\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EHZZL
-------\Service_ehzzl


((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-22 20:44 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-08-22 20:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-08-22 19:52 . 2010-08-22 19:52 -------- d-----w- C:\_OTL
2010-08-17 01:57 . 2010-08-17 01:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-08-17 01:52 . 2010-08-17 01:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2010-08-11 23:06 . 2010-08-11 23:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2010-08-10 21:23 . 2010-08-10 21:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-09 13:34 . 2010-08-17 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-30 17:17 . 2010-07-30 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-28 17:04 . 2010-08-08 04:23 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 21:30 . 2009-06-23 02:00 -------- d-----w- c:\documents and settings\Pozydaev\Application Data\HPAppData
2010-07-31 02:30 . 2009-05-02 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 14:31 . 2007-03-15 23:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-12 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-12-05 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Schwab\\Velocity Velocity\\lib\\jre\\bin\\java.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Pozydaev\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Pozydaev\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 zwfuhslde3;zwfuhslde3.sys;c:\windows\system32\drivers\zwfuhslde3.sys --> c:\windows\system32\drivers\zwfuhslde3.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003Core.job
- c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-12 18:35]

2010-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003UA.job
- c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-12 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netscape.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - plugin: c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\MsgSys.EXE
c:\windows\stsystra.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-23 17:42:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 21:42
ComboFix2.txt 2010-08-22 20:51

Pre-Run: 131,827,752,960 bytes free
Post-Run: 131,776,143,360 bytes free

- - End Of File - - E20E6AF64D8060BC10DA510B9674045A




Thanks again!!

#9 Aaron (Expert, 3,155 posts):
You're welcome :) Let's check if there is still malware in these following logs.

Please follow these steps:
============ Step one ============

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\drivers\zwfuhslde3.sys

Folder::

Registry::

Driver::
zwfuhslde3


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Run OTL again:

============ Step two ============

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    [image]
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      [image: GMER scan settings]
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

============ Step three ============

Download OTL to your Desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select Scan all users
Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.

Are you still experiencing any problems now?

Edited by maser00, 24 August 2010 - 04:36 AM.

  • 0
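The CFScripts in posts #7 and #9 were written by reading the ComboFix log by hand: the catchme "hidden files" hit, the service key whose ImagePath points at that hidden driver, the *Deregistered* service, and the hijacked Firefox keyword.URL. The script below is an added example (not from this thread, and not part of ComboFix, OTL or GMER) that does that reading programmatically and drafts the same DDS::/Driver::/Rootkit:: sections. It assumes the constructed log excerpt embedded in SAMPLE_LOG (modelled on the log posted in this thread), an allowlist of search hosts (KNOWN_SEARCH_HOSTS) and a vowel-ratio threshold for random-looking service names, both of which are my heuristics rather than anything the tools define. It also reports two things the log shows that are not malware but weaken the machine: the Security Center AntiVirusOverride flag and the globally open 3389/TCP (RDP) firewall port.

```python
"""Triage a ComboFix log and draft the CFScript that this thread built by hand.
Added example, not part of ComboFix, OTL, GMER or the forum's own tooling. It only
understands the log sections shown in the posts above, and every rule is a
heuristic: read the log yourself before dropping a generated script on ComboFix.exe."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
*Deregistered* - ehzzl
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
c:\windows\system32\drivers\zwfuhslde3.sys 82944 bytes executable
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zwfuhslde3]
"ImagePath"="system32\drivers\zwfuhslde3.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehzzl]
""".strip("\n")

KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumption
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[a-z]:\\\S+)\s+\d+ bytes", re.I)  # catchme hit
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]", re.I)
DEREGISTERED_RE = re.compile(r"^\*Deregistered\* - (?P<name>\S+)")
KEYWORD_URL_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (?P<url>\S+)")
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')

@dataclass
class Findings:
    hidden_files: list[str] = field(default_factory=list)          # from catchme
    services: dict[str, str | None] = field(default_factory=dict)  # name -> ImagePath
    deregistered: list[str] = field(default_factory=list)
    hijacked_prefs: list[str] = field(default_factory=list)        # DDS-style lines
    open_ports: list[str] = field(default_factory=list)
    av_override: bool = False

def is_random_name(name: str) -> bool:
    """TDSS-style names (zwfuhslde3, ehzzl): lowercase alphanumerics, few vowels.
    A hint only; terse vendor names will trip it (assumed 0.3 threshold)."""
    if not re.fullmatch(r"[a-z0-9]{5,}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3

def parse_log(text: str) -> Findings:
    f, current_service = Findings(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_FILE_RE.match(line):          # catchme "hidden files" entry
            f.hidden_files.append(m["path"].lower())
        elif line.startswith("["):                   # a new key closes the previous service key
            current_service = None
            if m := SERVICE_KEY_RE.match(line):
                current_service = m["name"]
                f.services[current_service] = None
        elif current_service and line.startswith('"ImagePath"='):
            f.services[current_service] = line.split("=", 1)[1].strip('"').lower()
        elif m := DEREGISTERED_RE.match(line):
            f.deregistered.append(m["name"])
        elif m := KEYWORD_URL_RE.match(line):
            host = re.sub(r"^hxxps?://", "", m["url"]).split("/", 1)[0]
            if host not in KNOWN_SEARCH_HOSTS:       # keep the DDS line verbatim
                f.hijacked_prefs.append(line)
        elif m := OPEN_PORT_RE.match(line):
            f.open_ports.append(f"{m['port']}/{m['proto']}")
        elif AV_OVERRIDE_RE.match(line):
            f.av_override = True
    return f

def suspicious_services(f: Findings) -> list[str]:
    """Driver:: candidates. A service whose ImagePath is a hidden file is the
    strong signal; random-looking or deregistered names are corroboration."""
    hidden = {p.rsplit("\\", 1)[-1] for p in f.hidden_files}
    out = [n for n, img in f.services.items()
           if (img or "").rsplit("\\", 1)[-1] in hidden or is_random_name(n)]
    return out + [n for n in f.deregistered if n not in out]

def posture_warnings(f: Findings) -> list[str]:
    """Not malware to delete, but settings that leave the machine exposed."""
    w = ["AntiVirusOverride=1: Security Center antivirus alerts are suppressed"] if f.av_override else []
    w += [f"firewall GloballyOpenPorts exposes {p}" + (" (RDP)" if p.startswith("3389/") else "")
          for p in f.open_ports]
    return w

def build_cfscript(f: Findings) -> str:
    """Same sections the thread used: DDS:: (hijacked prefs), Driver::, Rootkit::."""
    sections = []
    if f.hijacked_prefs:
        sections.append("DDS::\n" + "\n".join(f.hijacked_prefs))
    if drivers := suspicious_services(f):
        sections.append("Driver::\n" + "\n".join(drivers))
    if f.hidden_files:
        sections.append("Rootkit::\n" + "\n".join(f.hidden_files))
    return "\n\n".join(sections) + "\n"

if __name__ == "__main__":
    findings = parse_log(SAMPLE_LOG)
    print("\n".join("WARN: " + w for w in posture_warnings(findings)), build_cfscript(findings), sep="\n\n")
```

Run against the excerpt it reproduces post #7's script: the DDS:: line for search-go.net, Driver:: zwfuhslde3 and ehzzl, and Rootkit:: for the hidden .sys. It deliberately does not add the ehzzl.sys path that post #7 guessed, because the log never shows that file. Note that after the first pass the driver file was still on disk (the S1 zwfuhslde3 entry in post #8's log), which is why post #9 moved the path into a File:: section; if you adapt this, emit File:: for leftovers that catchme no longer reports as hidden.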

#10 Charlemagne_920 (Member, Topic Starter, 17 posts):
I had some problems getting GMER to run. It would freeze up, or when it did run all the way through, there was no log created. It was weird.
Also, Norton has popped up a couple times saying it found a virus named Backdoor.Tidserv!inf

Here's the ComboFix Log:

ComboFix 10-08-21.06 - Pozydaev 08/25/2010 17:18:00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.342 [GMT -4:00]
Running from: c:\documents and settings\Pozydaev\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pozydaev\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\zwfuhslde3.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZWFUHSLDE3
-------\Service_zwfuhslde3


((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.

2010-08-25 21:16 . 2010-08-25 21:17 -------- d-----w- C:\8be4beba3156b27715f28b0d
2010-08-23 21:41 . 2010-08-25 21:18 -------- d-----w- c:\windows\LastGood.Tmp
2010-08-22 20:44 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-08-22 20:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-08-22 19:52 . 2010-08-22 19:52 -------- d-----w- C:\_OTL
2010-08-17 01:57 . 2010-08-17 01:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-08-17 01:52 . 2010-08-17 01:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2010-08-11 23:06 . 2010-08-11 23:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2010-08-10 21:23 . 2010-08-10 21:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-09 13:34 . 2010-08-17 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-30 17:17 . 2010-07-30 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-28 17:04 . 2010-08-08 04:23 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 21:30 . 2009-06-23 02:00 -------- d-----w- c:\documents and settings\Pozydaev\Application Data\HPAppData
2010-07-31 02:30 . 2009-05-02 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2007-03-15 23:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-12 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-12-05 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Schwab\\Velocity Velocity\\lib\\jre\\bin\\java.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Pozydaev\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Pozydaev\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003Core.job
- c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-12 18:35]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003UA.job
- c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-12 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netscape.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - plugin: c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Pozydaev\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Pozydaev\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\MsgSys.EXE
c:\windows\stsystra.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2010-08-25 17:29:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-25 21:29
ComboFix2.txt 2010-08-23 21:42
ComboFix3.txt 2010-08-22 20:51

Pre-Run: 131,548,758,016 bytes free
Post-Run: 131,557,990,400 bytes free

- - End Of File - - 4B1A6717C432933CF2D39D174209A985




And the OTL:
OTL logfile created on: 8/26/2010 3:19:42 PM - Run 4
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Pozydaev\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 473.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 137.00 Gb Total Space | 122.43 Gb Free Space | 89.36% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.22 Gb Free Space | 62.18% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P-LAPTOP
Current User Name: Pozydaev
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
PRC - [2010/07/20 16:30:10 | 011,660,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\Install\NDP20SP2-KB983583-x86.exe
PRC - [2010/05/19 13:08:56 | 000,321,888 | ---- | M] (Microsoft Corporation) -- c:\3f07fb866953a584dae17b3f60a7ee07\HotFixInstaller.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/03/24 18:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2001/12/05 11:53:54 | 000,073,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\vptray.exe
PRC - [2001/12/05 11:45:38 | 000,471,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\rtvscan.exe
PRC - [2001/12/05 11:37:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\defwatch.exe
PRC - [2000/09/18 17:12:40 | 000,014,336 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\MSGSYS.EXE


========== Modules (SafeList) ==========

MOD - [2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2001/12/05 11:45:38 | 000,471,040 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2001/12/05 11:37:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\defwatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/06 16:37:26 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/01 13:48:10 | 000,033,664 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BCMWLNPF.SYS -- (BCMWLNPF)
DRV - [2006/10/12 16:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/05/03 12:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/03/24 18:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/08 13:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/01 02:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 02:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 02:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/08/05 12:32:16 | 000,045,312 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2004/07/14 12:54:42 | 000,676,864 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2001/12/04 20:30:46 | 000,008,464 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\NavNT\Navapel.sys -- (NAVAPEL)
DRV - [2001/10/16 14:19:00 | 000,058,032 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..keyword.URL: "http://search.search...10101052100&s="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/11 19:06:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 21:11:24 | 000,000,000 | ---D | M]

[2008/09/03 08:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Extensions
[2010/08/13 12:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions
[2010/08/02 07:41:19 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/08/02 07:41:23 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/18 06:52:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\[email protected]
[2008/06/20 07:49:56 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\searchplugins\wikipedia-en.xml
[2010/08/16 21:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/25 17:23:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (Symantec Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1174008100046 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://activex.micro...jects/ocget.dll (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.11.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/15 20:01:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/26 15:18:32 | 000,000,000 | ---D | C] -- C:\3f07fb866953a584dae17b3f60a7ee07
[2010/08/26 15:15:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/08/25 17:38:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/08/25 17:16:14 | 000,000,000 | ---D | C] -- C:\8be4beba3156b27715f28b0d
[2010/08/25 17:16:12 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/08/25 17:15:18 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2010/08/22 16:08:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/22 16:05:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/22 16:05:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/22 16:05:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/22 16:05:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/22 16:02:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/22 16:02:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/22 15:52:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/08/16 21:43:08 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2010/08/12 19:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/11 19:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2010/08/11 19:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/08/09 09:34:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/02 21:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/30 22:22:00 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2010/07/30 13:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/30 13:17:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/28 13:04:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/28 11:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[1996/11/18 01:00:00 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[16 C:\Documents and Settings\Pozydaev\My Documents\*.tmp files -> C:\Documents and Settings\Pozydaev\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/26 15:23:21 | 001,050,134 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/26 15:23:21 | 000,417,256 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/26 15:23:21 | 000,004,832 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/26 15:18:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/26 15:14:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/26 15:14:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/26 15:14:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/26 15:14:01 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/25 21:13:26 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003UA.job
[2010/08/25 19:13:01 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003Core.job
[2010/08/25 17:23:58 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/25 17:23:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/25 17:22:33 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Pozydaev\ntuser.ini
[2010/08/25 17:22:32 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Pozydaev\NTUSER.DAT
[2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2010/08/25 16:37:46 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.zip
[2010/08/22 16:08:40 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/22 16:04:04 | 003,820,698 | R--- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\ComboFix.exe
[2010/08/12 13:47:53 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\The Art of Thank You Note Writing.doc
[2010/08/12 13:40:27 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\Microsoft Word.lnk
[2010/08/08 00:23:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/04 14:18:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2010/08/04 12:15:08 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\dds.scr
[2010/07/30 22:29:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2010/07/28 17:22:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/07/27 22:23:53 | 000,242,176 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\digi - carrollers.doc
[2010/07/27 22:23:53 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\~$gi - carrollers.doc
[2010/07/26 16:29:36 | 002,531,687 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\awhiholger.zip
[2010/07/20 21:26:41 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\Mary Jane Pozydaev Resume.doc
[2010/06/30 12:25:39 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\brunch invitation 2010.doc
[2010/06/16 16:20:56 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\budget.xls
[2010/06/15 11:02:45 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\AmericorpsStatement.doc
[2010/06/11 10:08:08 | 000,196,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[16 C:\Documents and Settings\Pozydaev\My Documents\*.tmp files -> C:\Documents and Settings\Pozydaev\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/25 17:33:51 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.exe
[2010/08/25 17:15:20 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.zip
[2010/08/22 16:08:39 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/22 16:08:36 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/22 16:05:15 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/22 16:05:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/22 16:05:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/22 16:05:15 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/22 16:05:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/22 16:04:19 | 003,820,698 | R--- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\ComboFix.exe
[2010/08/19 15:35:25 | 1072,103,424 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/16 21:43:15 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\dds.scr
[2010/08/12 13:47:53 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\The Art of Thank You Note Writing.doc
[2010/07/28 13:04:50 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/27 22:23:53 | 000,242,176 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\digi - carrollers.doc
[2010/07/27 22:23:53 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\~$gi - carrollers.doc
[2010/07/26 16:29:14 | 002,531,687 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\awhiholger.zip
[2010/07/20 21:26:41 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\Mary Jane Pozydaev Resume.doc
[2010/06/30 08:23:42 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\brunch invitation 2010.doc
[2010/06/16 16:20:56 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\budget.xls
[2010/06/09 16:03:32 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\AmericorpsStatement.doc
[2010/02/24 21:14:36 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/06/20 12:07:19 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/04/06 16:37:27 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2008/01/20 19:12:53 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/07/29 05:02:01 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/03/16 22:33:04 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/03/16 18:04:57 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/03/15 23:09:49 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/03/15 21:53:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/03/15 21:47:09 | 000,000,592 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/15 21:43:35 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/03/15 21:43:34 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/03/15 21:28:30 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\fusioncache.dat
[2007/03/15 21:06:19 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/02/23 00:29:56 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/12/12 12:24:42 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/03/31 16:00:35 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2005/08/10 11:56:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ESxUtil.dll
[2004/06/24 02:20:02 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2001/12/05 11:52:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2000/09/18 17:12:40 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\CSSMS_IN.DLL
[1996/11/18 01:00:00 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\Co2c40en.dll
[1996/11/18 01:00:00 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\P2sodbc.dll
[1996/11/18 01:00:00 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2irdao.dll
[1996/11/18 01:00:00 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2ctdao.dll
[1996/11/18 01:00:00 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\P2bbnd.dll
[1996/05/25 17:00:00 | 000,107,008 | ---- | C] () -- C:\WINDOWS\System32\fxtls432.dll

========== LOP Check ==========

[2008/07/31 14:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Examsoft
[2010/08/16 22:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2008/02/23 14:43:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Opera
[2007/03/20 13:02:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/03/15 20:01:33 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/03/15 21:17:46 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/22 16:08:40 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/25 17:29:07 | 000,009,416 | ---- | M] () -- C:\ComboFix.txt
[2007/03/15 20:01:33 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/08/26 15:14:01 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2007/03/15 20:01:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/03/15 20:01:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/10/10 21:55:08 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/26 15:14:00 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2007/03/15 21:48:10 | 000,003,395 | -H-- | M] () -- C:\_NavCClt.Log

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2007/03/15 20:01:06 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/12/03 18:55:24 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2007/03/15 14:20:05 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/03/15 14:20:05 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/03/15 14:20:05 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >
[2008/07/31 12:17:11 | 000,000,000 | ---D | M] -- C:\Program Files\ExamSoft\SofTest\bak

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/10/10 22:13:42 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/10/11 09:59:18 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2007/03/15 21:01:31 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/08/22 16:04:04 | 003,820,698 | R--- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\ComboFix.exe
[2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.exe
[2010/03/12 14:34:49 | 000,569,520 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\GoogleVoiceAndVideoSetup.exe
[2010/08/04 14:18:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2008/09/22 15:44:06 | 001,495,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Pozydaev\Desktop\install_flash_player(2).exe
[2008/09/22 15:38:30 | 001,495,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Pozydaev\Desktop\install_flash_player.exe
[2010/07/30 22:29:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2009/05/02 09:38:10 | 002,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup.exe
[2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2009/09/15 18:13:30 | 009,775,465 | ---- | M] (Digital Smoke ) -- C:\Documents and Settings\Pozydaev\Desktop\SolCity.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-26 19:26:41
< End of report >
PRC - [2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/03/24 18:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2001/12/05 11:53:54 | 000,073,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\vptray.exe
PRC - [2001/12/05 11:45:38 | 000,471,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\rtvscan.exe
PRC - [2001/12/05 11:37:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\defwatch.exe
PRC - [2000/09/18 17:12:40 | 000,014,336 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\MSGSYS.EXE


========== Modules (SafeList) ==========

MOD - [2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2001/12/05 11:45:38 | 000,471,040 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2001/12/05 11:37:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\defwatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/06 16:37:26 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/01 13:48:10 | 000,033,664 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BCMWLNPF.SYS -- (BCMWLNPF)
DRV - [2006/10/12 16:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/05/03 12:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/03/24 18:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/08 13:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/01 02:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 02:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 02:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/08/05 12:32:16 | 000,045,312 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2004/07/14 12:54:42 | 000,676,864 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2001/12/04 20:30:46 | 000,008,464 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\NavNT\Navapel.sys -- (NAVAPEL)
DRV - [2001/10/16 14:19:00 | 000,058,032 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..keyword.URL: "http://search.search...10101052100&s="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/11 19:06:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 21:11:24 | 000,000,000 | ---D | M]

[2008/09/03 08:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Extensions
[2010/08/13 12:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions
[2010/08/02 07:41:19 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/08/02 07:41:23 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/18 06:52:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\extensions\[email protected]
[2008/06/20 07:49:56 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Mozilla\Firefox\Profiles\6qizzd76.default\searchplugins\wikipedia-en.xml
[2010/08/16 21:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/25 17:23:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (Symantec Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1174008100046 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://activex.micro...jects/ocget.dll (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.11.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Pozydaev\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/15 20:01:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/08/26 15:15:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/08/25 17:38:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/08/25 17:16:14 | 000,000,000 | ---D | C] -- C:\8be4beba3156b27715f28b0d
[2010/08/25 17:16:12 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/08/25 17:15:18 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2010/08/22 16:44:07 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\proquota.exe
[2010/08/22 16:44:07 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\proquota.exe
[2010/08/22 16:08:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/22 16:05:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/22 16:05:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/22 16:05:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/22 16:05:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/22 16:02:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/22 16:02:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/22 15:52:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/08/16 21:43:08 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2010/08/12 19:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/11 19:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2010/08/11 19:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/08/09 09:34:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/02 21:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/30 22:22:00 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2010/07/30 13:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/30 13:17:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/28 13:04:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/28 11:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[1996/11/18 01:00:00 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[16 C:\Documents and Settings\Pozydaev\My Documents\*.tmp files -> C:\Documents and Settings\Pozydaev\My Documents\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/26 15:25:52 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/26 15:23:21 | 001,050,134 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/26 15:23:21 | 000,417,256 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/26 15:23:21 | 000,004,832 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/26 15:14:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/26 15:14:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/26 15:14:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/26 15:14:01 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/25 21:13:26 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003UA.job
[2010/08/25 19:13:01 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1220945662-725345543-1003Core.job
[2010/08/25 17:23:58 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/25 17:23:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/25 17:22:33 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Pozydaev\ntuser.ini
[2010/08/25 17:22:32 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Pozydaev\NTUSER.DAT
[2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2010/08/25 16:37:46 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.zip
[2010/08/22 16:08:40 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/22 16:04:04 | 003,820,698 | R--- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\ComboFix.exe
[2010/08/12 13:47:53 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\The Art of Thank You Note Writing.doc
[2010/08/12 13:40:27 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\Microsoft Word.lnk
[2010/08/08 00:23:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/04 14:18:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2010/08/04 12:15:08 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\dds.scr
[2010/07/30 22:29:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2010/07/28 17:22:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/07/27 22:23:53 | 000,242,176 | ---- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\digi - carrollers.doc
[2010/07/27 22:23:53 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Pozydaev\My Documents\~$gi - carrollers.doc
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[16 C:\Documents and Settings\Pozydaev\My Documents\*.tmp files -> C:\Documents and Settings\Pozydaev\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/25 17:33:51 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.exe
[2010/08/25 17:15:20 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.zip
[2010/08/22 16:08:39 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/22 16:08:36 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/22 16:05:15 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/22 16:05:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/22 16:05:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/22 16:05:15 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/22 16:05:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/22 16:04:19 | 003,820,698 | R--- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\ComboFix.exe
[2010/08/19 15:35:25 | 1072,103,424 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/16 21:43:15 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Desktop\dds.scr
[2010/08/12 13:47:53 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\The Art of Thank You Note Writing.doc
[2010/07/28 13:04:50 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/27 22:23:53 | 000,242,176 | ---- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\digi - carrollers.doc
[2010/07/27 22:23:53 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Pozydaev\My Documents\~$gi - carrollers.doc
[2010/02/24 21:14:36 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/06/20 12:07:19 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/04/06 16:37:27 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2008/01/20 19:12:53 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/07/29 05:02:01 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/03/16 22:33:04 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/03/16 18:04:57 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/03/15 23:09:49 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/03/15 21:53:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/03/15 21:47:09 | 000,000,592 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/15 21:43:35 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/03/15 21:43:34 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/03/15 21:28:30 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Pozydaev\Local Settings\Application Data\fusioncache.dat
[2007/03/15 21:06:19 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/02/23 00:29:56 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/12/12 12:24:42 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/03/31 16:00:35 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2005/08/10 11:56:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ESxUtil.dll
[2004/06/24 02:20:02 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2001/12/05 11:52:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2000/09/18 17:12:40 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\CSSMS_IN.DLL
[1996/11/18 01:00:00 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\Co2c40en.dll
[1996/11/18 01:00:00 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\P2sodbc.dll
[1996/11/18 01:00:00 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2irdao.dll
[1996/11/18 01:00:00 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2ctdao.dll
[1996/11/18 01:00:00 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\P2bbnd.dll
[1996/05/25 17:00:00 | 000,107,008 | ---- | C] () -- C:\WINDOWS\System32\fxtls432.dll

========== LOP Check ==========

[2008/07/31 14:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Examsoft
[2010/08/16 22:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2008/02/23 14:43:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Opera
[2007/03/20 13:02:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pozydaev\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/03/15 20:01:33 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/03/15 21:17:46 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/22 16:08:40 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/25 17:29:07 | 000,009,416 | ---- | M] () -- C:\ComboFix.txt
[2007/03/15 20:01:33 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/08/26 15:14:01 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2007/03/15 20:01:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/03/15 20:01:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/10/10 21:55:08 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/26 15:14:00 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2007/03/15 21:48:10 | 000,003,395 | -H-- | M] () -- C:\_NavCClt.Log

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2007/03/15 20:01:06 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/12/03 18:55:24 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2007/03/15 14:20:05 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/03/15 14:20:05 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/03/15 14:20:05 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >
[2008/07/31 12:17:11 | 000,000,000 | ---D | M] -- C:\Program Files\ExamSoft\SofTest\bak

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/10/10 22:13:42 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/10/11 09:59:18 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2007/03/15 21:01:31 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/08/22 16:04:04 | 003,820,698 | R--- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\ComboFix.exe
[2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Pozydaev\Desktop\gmer.exe
[2010/03/12 14:34:49 | 000,569,520 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\GoogleVoiceAndVideoSetup.exe
[2010/08/04 14:18:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Pozydaev\Desktop\HijackThis.exe
[2008/09/22 15:44:06 | 001,495,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Pozydaev\Desktop\install_flash_player(2).exe
[2008/09/22 15:38:30 | 001,495,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Pozydaev\Desktop\install_flash_player.exe
[2010/07/30 22:29:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup-1.46.exe
[2009/05/02 09:38:10 | 002,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Pozydaev\Desktop\mbam-setup.exe
[2010/08/25 16:37:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pozydaev\Desktop\OTL.exe
[2009/09/15 18:13:30 | 009,775,465 | ---- | M] (Digital Smoke ) -- C:\Documents and Settings\Pozydaev\Desktop\SolCity.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-26 19:26:41

< End of report >
  • 0

#11
Aaron

Aaron

    Expert

  • Expert
  • 3,155 posts
Hi, I think we're almost here. Are you still getting redirected or having other problems?

============ Step one ============

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\All Users\Application Data\Update

Firefox::
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

============ Step two ============

Posted Image Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

============ Step three ============

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

  • 0
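As an added example (not code from the thread, OTL or ComboFix), the following script reviews OTL log lines in the format posted above: it flags the Firefox keyword.URL search hijack that the CFScript in Step one removes, flags O4 Run entries whose target file is gone, and renders the matching Firefox:: block. The allowlist of search hosts and the sample lines are assumptions constructed for the example; the full keyword.URL value is taken from Aaron's CFScript with hxxp refanged to http.

```python
# Added example, not code from the thread or from OTL/ComboFix: a small reviewer
# for OTL log lines. It flags the Firefox keyword.URL search hijack that the
# CFScript in Step one removes, plus O4 autorun entries whose target file is
# missing, and renders the matching Firefox:: block for a CFScript.
import re
from urllib.parse import urlparse

# Assumption: search hosts a keyword.URL pref is expected to point at. Anything
# else (including a value OTL truncated with "...") is surfaced for review.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed sample: lines copied from the OTL log above; the keyword.URL value
# is the full one from Aaron's CFScript, with hxxp refanged to http.
SAMPLE_LOG_LINES = [
    r'FF - prefs.js..browser.search.selectedEngine: "Google"',
    r'FF - prefs.js..keyword.URL: "http://search.search-go.net/?sid=10101052100&s="',
    r'O4 - HKLM..\Run: [KernelFaultCheck] File not found',
    r'O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (Symantec Corporation)',
    r'O1 - Hosts: 127.0.0.1 localhost',
]

# OTL line shapes used on this page: "FF - prefs.js..<name>: <value>" and
# "O4 - HKLM..\Run: [<name>] <target>".
FF_PREF = re.compile(r'^FF - prefs\.js\.\.(?P<name>[\w.]+): (?P<value>.*)$')
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$')


def keyword_url_problem(value):
    """Return a reason if a keyword.URL value does not point at a known search
    host, else None. keyword.URL is where address-bar searches are sent, so a
    foreign host here is exactly the redirect the thread is about."""
    url = value.strip('"')
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_SEARCH_HOSTS:
        return None
    return f"keyword.URL sends address-bar searches to unexpected host {host!r}"


def analyse(lines):
    """Scan OTL log lines; return (line, reason) pairs worth a reviewer's eye."""
    findings = []
    for line in lines:
        m = FF_PREF.match(line)
        if m:
            if m["name"] == "keyword.URL":
                reason = keyword_url_problem(m["value"])
                if reason:
                    findings.append((line, reason))
            continue
        m = O4_RUN.match(line)
        if m and m["target"].strip() == "File not found":
            # An orphaned Run entry is harmless by itself but is the residue of
            # something that was removed; OTL reports it so it can be cleaned.
            findings.append((line, f"{m['hive']} Run entry [{m['name']}] points at a file that no longer exists"))
    return findings


def cfscript_firefox_block(findings):
    """Render the Firefox:: section of a CFScript for flagged keyword.URL prefs,
    in the form used in Step one above (URL written defanged as hxxp)."""
    out = ["Firefox::"]
    for line, _reason in findings:
        m = FF_PREF.match(line)
        if m and m["name"] == "keyword.URL":
            url = m["value"].strip('"').replace("http", "hxxp", 1)
            out.append(f"FF - prefs.js: {m['name']} - {url}")
    return "\n".join(out)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG_LINES)
    for line, reason in found:
        print(f"{reason}\n    {line}")
    print()
    print(cfscript_firefox_block(found))
```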

#12
Aaron

Aaron

    Expert

  • Expert
  • 3,155 posts
Sorry, connection problem - triple post.

Edited by maser00, 27 August 2010 - 03:11 AM.

  • 0

#13
Aaron

Aaron

    Expert

  • Expert
  • 3,155 posts
Sorry, connection problem - triple post.

Edited by maser00, 27 August 2010 - 03:13 AM.

  • 0

#14
Aaron

Aaron

    Expert

  • Expert
  • 3,155 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





