
PC Infected



Bill Moz
2010-10-23, 17:56
I am getting browser redirects and I have been unable to run Spybot or access the website. AVG scan ran last night with no alerts, tried to run trend micro housecall but it would not complete. Would appreciate any advice.


DDS (Ver_10-10-21.02) - NTFSx86
Run by Bill at 8:36:28.22 on Sat 10/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1018 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [EPSON Artisan 800(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiema.exe /fu "c:\windows\temp\E_S82.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225515211757
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225558772171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 93.188.162.131,93.188.160.11
TCP: {57AF70CF-362F-432B-B507-09FEAD668603} = 93.188.162.131,93.188.160.11
TCP: {C3A6FFF1-78F6-4DB3-B99B-6302D6422CF0} = 93.188.162.131,93.188.160.11
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 WLSVC;WLSVC;c:\program files\linksys wireless-g pci wireless network monitor\WLService.exe [2008-11-1 41025]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

=============== Created Last 30 ================

2010-10-23 13:14:14 388096 ----a-r- c:\docume~1\bill\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-23 13:14:13 -------- d-----w- c:\program files\Trend Micro
2010-10-13 01:16:32 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:16:32 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:16:20 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 8:38:27.52 ===============

Computer ran AVG scan again and removed two infections for crypt.abhm trojan horse.

Jack&Jill
2010-10-30, 06:34
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

Jack&Jill
2010-10-30, 06:52
Hello Bill Moz :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

What do you use the computer for?

Bill Moz
2010-10-30, 15:18
Ready, thank you for your time.

Jack&Jill
2010-10-30, 17:23
Hello Bill Moz :),

Maybe you missed this.

What do you use the computer for?

Bill Moz
2010-10-30, 22:19
Sorry, yes I did miss that. Main purpose is general web surfing, but I do study certain financial markets from it as well, so there is data I would like to not lose if possible. The infection resulted, I believe, from a seldom taken search for an adult film actress. The infection seems to be a recurring Crypt. something trojan horse. I do have notes from each time AVG has caught something, and Google searches now always result in some kind of redirect to unintended sites; StopZilla is one that comes up a lot.

Jack&Jill
2010-10-31, 05:43
Hello Bill Moz :),

We need to disable Spybot S&D's TeaTimer real-time protection temporarily as it will interfere with the fix. Please minimize going online while your security software is disabled or not active.

First step:

Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
For version 1.6, the steps are similar to either one of the below.
If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
If you have Version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version:

Open Spybot S&D.
Click Mode, choose Advanced Mode.
Go to the bottom of the vertical panel on the left, click Tools.
Then, also in left panel, click on Resident that shows a red/white shield.
If your firewall raises a question, say OK.
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
OK any prompts.
Exit Spybot S&D and reboot your machine for the changes to take effect.
Remember to enable it after the fix.

--------------------

Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here. (http://www.malwarebytes.org/mbam-download.php)

Run MBAM

Double click on mbam-setup.exe and follow the prompts to install the program.
At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it returns on future reboots.

--------------------

Please post back:
1. MBAM report
2. how is your computer now?

Bill Moz
2010-10-31, 17:05
I am unable to open Spybot to disable settings and the AntiMalware program will not open after I downloaded and installed program. No response from either the desktop icons or the start menu.

Jack&Jill
2010-10-31, 17:18
Hello Bill Moz :),

Please post a fresh DDS log.

--------------------

Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

Please download GMER and save it to your desktop. Click here. (http://www.gmer.net/download.php)

Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running GMER. They may cause the computer to freeze.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan, click on No.
In the right panel, you will see several boxes that have been checked (ticked).
Uncheck IAT/EAT
Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
Uncheck Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
Re-enable your security software as soon as you have completed the GMER steps.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

--------------------

Please post back:
1. fresh DDS log
2. GMER result

Bill Moz
2010-11-01, 05:00
Scan results


DDS (Ver_10-10-21.02) - NTFSx86
Run by Bill at 22:52:40.39 on Sun 10/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1215 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [EPSON Artisan 800(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiema.exe /fu "c:\windows\temp\E_S82.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225515211757
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225558772171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 93.188.164.242,93.188.160.242
TCP: {57AF70CF-362F-432B-B507-09FEAD668603} = 93.188.164.242,93.188.160.242
TCP: {C3A6FFF1-78F6-4DB3-B99B-6302D6422CF0} = 93.188.164.242,93.188.160.242
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 WLSVC;WLSVC;c:\program files\linksys wireless-g pci wireless network monitor\WLService.exe [2008-11-1 41025]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

=============== Created Last 30 ================

2010-10-31 15:42:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 15:42:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-31 15:42:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 15:42:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-23 13:14:14 388096 ----a-r- c:\docume~1\bill\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-23 13:14:13 -------- d-----w- c:\program files\Trend Micro
2010-10-13 01:16:32 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:16:32 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:16:20 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:54:02.14 ===============

gmer

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-31 22:50:31
Windows 5.1.2600 Service Pack 3
Running: 1gx17ml2.exe; Driver: C:\DOCUME~1\Bill\LOCALS~1\Temp\kweyifow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB9352360, 0x32DEFD, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB6F56A80]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2010-11-01 02:20:38

---- EOF - GMER 1.0.15 ----

Bill Moz
2010-11-01, 05:01
attach2

Jack&Jill
2010-11-01, 15:25
Hello Bill Moz :),

Go to C:\Program Files\Malwarebytes' Anti-Malware and look for the file mbam.exe. Rename it to billmbam.exe. Now, try to run MBAM by double clicking on the file.

Bill Moz
2010-11-02, 01:55
Renamed file to Billmbam as instructed, program will start but produces an error code when searching for updates.

MBAM_ERROR_UPDATING(12007,0, WinHttpSendRequest)

Jack&Jill
2010-11-02, 13:38
Hello Bill Moz :),

The renaming works for me. The connection by MBAM must have been blocked.

Please download ERUNT© by Lars Hederer from one of the links below and save it to your desktop.

Link 1 (http://aumha.org/downloads/erunt-setup.exe)
Link 2 (http://download.cnet.com/ERUNT/3000-2242_4-49213.html)
Link 3 (http://majorgeeks.com/Erunt_d1267.html)

Backup your registry with ERUNT

Double click on erunt-setup.exe and run the installation setup.
Follow the setup instructions until you reach Select Additional Tasks, uncheck (untick) Create NTREGOPT desktop icon.
Continue until you get prompted to run ERUNT at startup. Choose No.
Next, make sure Launch ERUNT is checked (ticked) and click Finish.
Click OK when ERUNT is launched, and accept all default settings. ERUNT will then back up the registry.

--------------------

Please download SystemLook© by jpshortstuff from one of the links below and save it to your desktop.

Link 1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Link 2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)


Double click on SystemLook.exe to run it.
Copy and paste the following text into the main textfield:

:regfind
93.188.162.131,93.188.160.11
Click the Look button to start the scan. This might take a while.
When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your desktop as SystemLook.txt.

--------------------

Please post back:
1. the SystemLook result

Bill Moz
2010-11-03, 02:33
Backed up registry using ERUNT, downloaded and ran SystemLook. Scan only lasted for 10 to 15 seconds, not sure if that was correct given your advice that it might take a while.


SystemLook 04.09.10 by jpshortstuff
Log created at 20:27 on 02/11/2010 by Bill
Administrator - Elevation successful

========== regfind ==========

Searching for "93.188.162.131,93.188.160.11"
No data found.

-= EOF =-

Jack&Jill
2010-11-03, 02:53
Hello Bill Moz :),

The SystemLook scan was intermittently successful when I tried it. We'll proceed to the next step.

Clear TCP

Open Notepad. Copy and paste the following text into it:

@echo off
REM Remove any statically set DNS servers: the global value and the two interface-specific values
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NameServer" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57AF70CF-362F-432B-B507-09FEAD668603}" /v "NameServer" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3A6FFF1-78F6-4DB3-B99B-6302D6422CF0}" /v "NameServer" /f
REM Recreate the values with empty data so Windows falls back to the DHCP-assigned DNS servers
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NameServer" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57AF70CF-362F-432B-B507-09FEAD668603}" /v "NameServer" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3A6FFF1-78F6-4DB3-B99B-6302D6422CF0}" /v "NameServer" /f
REM Flush the resolver cache so answers from the old servers are discarded
ipconfig /flushdns
REM The batch file deletes itself when finished
del %0
Save it as ClearTCP.bat on the desktop. Make sure the Save as type: is All Files (*.*).
Double click on ClearTCP.bat to run it. Allow if prompted by any security software.

Please reboot your computer.

Now, try running MBAM again and post back the result.

Bill Moz
2010-11-03, 12:18
Cleared TCP, updated and ran MBAM.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5026

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/3/2010 6:07:00 AM
mbam-log-2010-11-03 (06-07-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 362028
Time elapsed: 3 hour(s), 49 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57af70cf-362f-432b-b507-09fead668603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.242,93.188.160.242 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Camtasia\camtasia keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
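
An added example, not code from the thread or from any tool used in it: a Python checker that parses "reg query ... /s" output and flags NameServer or DhcpNameServer data pointing into a watchlisted block, matching per address rather than on the exact comma-separated pair SystemLook was asked to find, and covering DhcpNameServer because the ClearTCP batch only cleared NameServer. The sample registry text is constructed to mirror the MBAM finding above, and the watchlist (the /21 containing the four 93.188.x.x addresses quoted in this thread) is an assumption for the example.

```python
"""Flag rogue DNS resolvers in Windows TCP/IP interface settings.

Added example for this thread. Input is the text produced by
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
The sample below is constructed; only the GUIDs and addresses come from the thread.
"""
import ipaddress
import re

# Watchlist: the /21 that contains the four 93.188.16x.x addresses quoted in the
# thread. This block is an assumption for the example; feed it from your own intel.
ROGUE_DNS_BLOCKS = [ipaddress.ip_network("93.188.160.0/21")]

# Check both values: the ClearTCP batch only cleared NameServer, while MBAM found
# the rogue pair under DhcpNameServer.
WATCHED_VALUES = ("NameServer", "DhcpNameServer")

# Constructed sample of `reg query ... /s` output (value lines are indented).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57AF70CF-362F-432B-B507-09FEAD668603}
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    93.188.164.242,93.188.160.242
    DhcpIPAddress    REG_SZ    192.168.1.100

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3A6FFF1-78F6-4DB3-B99B-6302D6422CF0}
    NameServer    REG_SZ    192.168.1.1
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:SZ|EXPAND_SZ|MULTI_SZ)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` output."""
    result = {}
    current = None
    for line in text.splitlines():
        if KEY_RE.match(line):
            current = line.strip()
            result[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                result[current][m.group(1)] = m.group(2).strip()
    return result


def split_servers(data):
    """NameServer data is a comma- or space-separated list; keep only valid IPs."""
    servers = []
    for token in re.split(r"[,\s]+", data):
        if not token:
            continue
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # ignore junk tokens rather than fail the whole check
    return servers


def is_rogue(addr):
    """True if the address (str or ipaddress object) falls in a watchlisted block."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr in block for block in ROGUE_DNS_BLOCKS)


def find_rogue_resolvers(text):
    """Return sorted (interface_guid, value_name, address) hits for the given reg text."""
    hits = []
    for key, values in parse_reg_query(text).items():
        guid = key.rsplit("\\", 1)[-1]
        for name in WATCHED_VALUES:
            for addr in split_servers(values.get(name, "")):
                if is_rogue(addr):
                    hits.append((guid, name, str(addr)))
    return sorted(hits)


if __name__ == "__main__":
    for guid, name, addr in find_rogue_resolvers(SAMPLE_REG_QUERY):
        print(f"{guid} {name} -> {addr}")
```

On a live machine, pipe the real "reg query" output into find_rogue_resolvers instead of the constructed sample; a hit under DhcpNameServer points at the DHCP server (typically the router) rather than at the PC's own settings.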

Jack&Jill
2010-11-03, 14:54
Hello Bill Moz :),

Please download ATF (Atribune Temp File) Cleaner© by Atribune from one of the links below and save it to your desktop.

Link 1 (http://www.atribune.org/ccount/click.php?id=1)
Link 2 (http://majorgeeks.com/ATF_Cleaner_d4949.html)
Link 3 (http://download.cnet.com/ATF-Cleaner/3000-18512_4-89432.html)

Run ATF Cleaner

Double-click ATF Cleaner.exe to open it.
Click Run if prompted.
At the bottom of the list, check (tick) Select All.
Note: If you would like to keep your cookies, please uncheck this option as it will remove all cookies, including the useful ones you may want to keep.
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All. Uncheck the cookies option if you want to keep them.
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

--------------------

Your Adobe Reader is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Adobe Reader to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Adobe Reader 7.0


Go to the Adobe download page. Click here. (http://get.adobe.com/reader/)
If your OS is not the same as stated, click on the Different language or operating system? link.
Under the Select an operating system title, click on Select an OS... box and choose the OS that you have.
Change the language if you want by clicking on English below the Select a language title.
Press Continue.
Uncheck (untick) Free McAfee Security Scan (optional).
Click the Download now button after selecting the latest version.
Allow if prompted and save the file to a convenient location.
Run the downloaded file to continue with the installation.
If your OS is the same, uncheck (untick) Free McAfee Security Scan (optional).
Click Download to proceed. Allow if prompted and save the file to a convenient location.
Run the downloaded file to continue with the installation.

--------------------

You should always keep your Java updated to the latest version too.

To set up automatic updates of Java, go to Start > Control Panel.
Double click on the Java icon to open the Java Control Panel.
Click on the Update tab.
Make sure the option Check for Updates Automatically is ticked.
You can also update Java manually via the Update Now button, then continue accordingly.
Click on OK when you are done.

--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.

Click here (http://www.eset.com/onlinescan/) to go to ESET Online Scanner page.
Click on ESET Online Scanner. A new window will open.
For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin the scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.

If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. the ESET online scan result
2. fresh DDS log
3. how is your computer now?

Bill Moz
2010-11-04, 03:47
Ran ATF Cleaner, deleted old Adobe Reader, checked Java auto update. Ran ESET scan, 9 files found, no files cleaned; should I delete the files?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d5a2f0374c2b4a499625a5c7b83d482b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-04 02:33:30
# local_time=2010-11-03 09:33:30 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 70251 70251 0 0
# compatibility_mode=1024 16777191 100 0 20309473 20309473 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=102201
# found=9
# cleaned=0
# scan_time=6506
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\20\7bb99554-2e1090b7 Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-1626c168 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-5f8d8945 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\39\3f57e627-1ad38c1f a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\45\7c599ead-497b82a1 a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-69b7982a Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\58\1f62c23a-2f1a0ce8 Java/TrojanDownloader.Agent.NBM trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\61\6459dbfd-2538be44 a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\9\24ea7dc9-59e1eeea a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I



DDS log to follow

Bill Moz
2010-11-04, 05:10
DDS (Ver_10-10-21.02) - NTFSx86
Run by Bill at 23:00:53.40 on Wed 11/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1329 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Bill\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [EPSON Artisan 800(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiema.exe /fu "c:\windows\temp\E_S82.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225515211757
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225558772171
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 WLSVC;WLSVC;c:\program files\linksys wireless-g pci wireless network monitor\WLService.exe [2008-11-1 41025]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2003-3-31 14336]

=============== Created Last 30 ================

2010-11-04 00:36:28 -------- d-----w- c:\program files\ESET
2010-11-02 00:46:47 -------- d-----w- c:\docume~1\bill\applic~1\Malwarebytes
2010-10-31 15:42:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 15:42:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-31 15:42:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 15:42:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-23 13:14:14 388096 ----a-r- c:\docume~1\bill\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-23 13:14:13 -------- d-----w- c:\program files\Trend Micro
2010-10-13 01:16:32 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:16:32 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:16:20 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 23:03:00.20 ===============

Jack&Jill
2010-11-04, 05:36
Hello Bill Moz :),

ESET's findings are from the Java cache.

You can clear them off using ATF Cleaner's Java Cache option, or go to Start > Control Panel. Double click on Java and the Java Control Panel will open. At the General tab, click on the Settings... below the Temporary Internet Files title. Press the Delete Files... button and OK your way out.

--------------------

Your DDS log looks clean. Any more problems?

Bill Moz
2010-11-04, 06:18
Redirects appear to be gone, still cannot launch main program to update Spybot S+D, can I reinstall it? During the ESET scan setup I did get a rogue scanner exploit warning, but I had Spybot resident shut off and AVG resident shut off, I think AVG caught it, but I don't really know for sure.

Jack&Jill
2010-11-04, 06:45
Hello Bill Moz :),

You shut off the protection programs before you started with ESET or during the installation? The rogue scanner warning, did it come up before ESET started to scan? You are not sure which program prompted the warning? When the warning came up, did it ask for any action from you?

For Spybot, you can try to uninstall it first, reboot your computer, then reinstall. See if that solves your problem.

Bill Moz
2010-11-05, 01:34
I shut off real-time protection before I went to the ESET site. When I clicked on the button to open the scanner window is when the warning came up. No action was called for, and it was AVG that blocked the scanner. Computer still has redirect issue now that I've had a chance to try it. I've been using a flash drive so I can post logs from another computer, just so you know. And it has not been plugged in during any scans, should I plug it in while performing the scans?

Jack&Jill
2010-11-05, 05:41
Hello Bill Moz :),

The warning is most likely a false positive by AVG.

"Computer still has redirect issue now"

It could be your router or the USB. Please post a fresh DDS log, no need for Attach.txt.

The other computer you mentioned, is it using the same connection / router?

--------------------

Check USB storage devices / removable drives

Please download USBNoRisk© by bobby and save to your desktop. Click here. (http://amf.mycity.rs/personal/bobby/USBNoRisk/usbnorisk.exe)
Double click on usbnorisk.exe and wait a couple of seconds for the initial scan to finish.
Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
If there is more than one USB storage device, please take note of the order they are connected.
When all the devices are plugged in and the scanning done, right click on any location in the white box where the results are shown and select Save log.
Click OK when prompted and a log will open. It is saved to C:\USBNoRisk\UsbNoRisk.txt.
Post the contents of that log in your reply and close the program.

--------------------

Please post back:
1. fresh DDS log
2. USBNoRisk result

Bill Moz
2010-11-06, 05:43
Yes, the other computer is using the same router. USB scan:

USBNoRisk 2.6 (08 September 2010) by bobby

Started at 11/5/2010 10:36:49 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {00dc6dbc-a78d-11dd-a3cc-806d6172696f}
D: {00dc6dbd-a78d-11dd-a3cc-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 00dc6dbc-a78d-11dd-a3cc-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 00dc6dbd-a78d-11dd-a3cc-806d6172696f
----------------------------------------
Desktop.ini found at D:\My Documents\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID2={450d8fba-ad25-11d0-98a8-0800361b1103}
InfoTip=Stores your documents, graphics, and other files.
----------------------------------------
HKCR\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22914
HKCR\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-9227
HKCR\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\DefaultIcon,@ = %SystemRoot%\system32\SHELL32.dll,-235
HKCR\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\InProcServer32,@ = %SystemRoot%\system32\SHELL32.dll
HKCR\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\shell\find\command,@ = %SystemRoot%\Explorer.exe
HKLM\Software\Classes\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22914
HKLM\Software\Classes\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-9227
HKLM\Software\Classes\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\DefaultIcon,@ = %SystemRoot%\system32\SHELL32.dll,-235
HKLM\Software\Classes\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\InProcServer32,@ = %SystemRoot%\system32\SHELL32.dll
HKLM\Software\Classes\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\shell\find\command,@ = %SystemRoot%\Explorer.exe
----------------------------------------
Desktop.ini found at D:\Program Files\ contains file:// string
----------------------------------------
[ExtShellFolderViews]
Default={5984FFE0-28D4-11CF-AE66-08002B2E1262}
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}

[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder.htt

[.ShellClassInfo]
ConfirmFileOp=0
----------------------------------------
D:\Program Files\Folder.htt --ah- 11079 bytes
----------------------------------------
Desktop.ini found at D:\RECYCLED\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 11/5/2010 10:37:50 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {c1fea847-cf50-11de-98e8-001ee5a5870c}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
No Autorun.inf files found on F:
Sanitized mountpoint for c1fea847-cf50-11de-98e8-001ee5a5870c
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

DDS:

DDS (Ver_10-10-21.02) - NTFSx86
Run by Bill at 22:39:31.84 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Bill\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\bill\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [EPSON Artisan 800(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiema.exe /fu "c:\windows\temp\E_S82.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [SpybotSD TeaTimer] c:\program files\bill\spybot - search & destroy\TeaTimer.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\bill\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225515211757
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225558772171
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

=============== Created Last 30 ================

2010-11-06 03:38:31 -------- d-----w- C:\USBNoRisk
2010-11-05 03:37:10 -------- d-----w- c:\program files\Bill
2010-11-04 00:36:28 -------- d-----w- c:\program files\ESET
2010-11-02 00:46:47 -------- d-----w- c:\docume~1\bill\applic~1\Malwarebytes
2010-10-31 15:42:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 15:42:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-31 15:42:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 15:42:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-23 13:14:14 388096 ----a-r- c:\docume~1\bill\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-23 13:14:13 -------- d-----w- c:\program files\Trend Micro
2010-10-13 01:16:32 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:16:32 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:16:20 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:42:08.87 ===============

Jack&Jill
2010-11-06, 16:43
Hello Bill Moz :),

You should update your Java.

The USB is clean. Does the redirect happen to your other computer? Any other symptoms besides redirects?

--------------------

Please download OTL© by OldTimer from one of the links below and save it to your desktop.

Link 1 (http://oldtimer.geekstogo.com/OTL.exe)
Link 2 (http://www.itxassociates.com/OT-Tools/OTL.exe)

Scan with OTL

Double click on OTL.exe to run it.
Make sure all the Use SafeList options are checked (ticked). There are six of them.
Check Scan All Users.
At the lower right corner, check LOP Check and Purity Check.
Click on Run Scan at the top left hand corner. This might take a while.
When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
Note: These files are saved as OTL.txt and Extras.txt on the desktop.

--------------------

Please download MBRCheck© by a_d_13 from one of the links below and save it to your desktop.

Link 1 (http://ad13.geekstogo.com/MBRCheck.exe)
Link 2 (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe)
Link 3 (http://www.kernelmode.info/MBRCheck.exe)

Preliminary scan

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running MBRCheck. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on MBRCheck.exe to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
A command prompt window will open.
When you see Enter 'Y' and hit ENTER for more options, or 'N' to exit:, enter N at the prompt and press Enter twice.
Otherwise, just press Enter.
A log file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

--------------------

Please download Rootkit Unhooker and save it to your desktop. Click here. (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE)

Double click RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Ensure the following are checked (ticked):

Drivers
Stealth Code
Files
Code Hooks
Uncheck the rest, then click OK. An initial scan will be performed.
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
Wait until the scanner is done, then click on File in the pull-down menu, followed by Save Report.
Save the report somewhere you can find it. Click Close to exit.
Copy the entire contents of the report and paste it in your next reply.

You may get a warning about parasite detection. Please click OK to continue.

--------------------

Please post back:
1. the answers to my questions about your other computer and symptoms
2. the OTL logs (OTL.txt and Extras.txt)
3. MBRCheck result
4. Rootkit Unhooker log

Bill Moz
2010-11-07, 15:58
Other computers are ok, no symptoms. The only other symptom was Spybot not running at all. I uninstalled and reinstalled Spybot and tried to install to a renamed folder and it still won't work. My redirects appear to only occur if I click on a link from a google search; if I stay within my usual sites it seems OK. But google searches are almost useless as it may redirect two or three times after a click.

Bill Moz
2010-11-07, 15:59
OTL logfile created on: 11/6/2010 1:21:39 PM - Run 2
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Bill\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 25.36 Gb Total Space | 2.91 Gb Free Space | 11.47% Space Free | Partition Type: NTFS
Drive D: | 55.90 Gb Total Space | 7.26 Gb Free Space | 12.99% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 1.19 Gb Free Space | 15.97% Space Free | Partition Type: FAT32
Unable to calculate disk information.

Computer Name: BILL-WCG1YON6RY | User Name: Bill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Bill\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Bill\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSvc.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\ASUS\PC Probe II\Probe2.exe ()
PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe (GEMTEKS)
PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Bill\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msvbvm60.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\dinput.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (EpsonBidirectionalService) -- C:\Program Files\Common Files\EPSON\eEBAPI\eEBSvc.exe (SEIKO EPSON CORPORATION)
SRV - (Imapi Helper) -- C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe (Alex Feinman)
SRV - (WLSVC) -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe (GEMTEKS)


========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()
DRV - (RT61) Linksys Wireless-G PCI Adapter Driver(RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)
DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows (R) Server 2003 DDK provider)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/09/02 15:00:52 | 000,417,813 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 14419 more lines...
O2 - BHO: (HelperObject Class) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Bill\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [Launch PC Probe II] C:\Program Files\ASUS\PC Probe II\Probe2.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003..\Run: [EPSON Artisan 800(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEMA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe (TechSmith Corporation)
O4 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Bill\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\Bill\Start Menu\Programs\Startup\Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe ()
O4 - Startup: C:\Documents and Settings\Bill\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Bill\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225515211757 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225558772171 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/31 23:04:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/07/25 15:28:12 | 000,000,078 | -HS- | M] () - D:\AUTOEXEC.BAK -- [ NTFS ]
O32 - AutoRun File - [2005/07/31 16:42:38 | 000,000,037 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/07/23 11:30:04 | 000,000,078 | -HS- | M] () - D:\AUTOEXEC.DOS -- [ NTFS ]
O32 - AutoRun File - [2004/06/26 09:09:30 | 000,000,037 | ---- | M] () - D:\AUTOEXEC._AV -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/06 10:53:58 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/06 10:53:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/06 10:53:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/06 09:21:52 | 004,329,496 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Bill\Desktop\avg_free_stb_all_2011_1153_upgrade.exe
[2010/11/05 22:38:31 | 000,000,000 | ---D | C] -- C:\USBNoRisk
[2010/11/05 22:32:30 | 000,446,464 | ---- | C] (MyCity) -- C:\Documents and Settings\Bill\Desktop\usbnorisk.exe
[2010/11/04 22:37:10 | 000,000,000 | ---D | C] -- C:\Program Files\Bill
[2010/11/03 19:36:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/03 18:38:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/11/03 18:36:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2010/11/03 18:36:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/11/03 17:53:18 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Bill\Desktop\ATF-Cleaner.exe
[2010/11/01 19:46:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill\Application Data\Malwarebytes
[2010/10/31 10:42:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/31 10:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/10/31 10:42:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/31 10:42:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/31 10:36:50 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bill\Desktop\mbam-setup-1.46.exe
[2010/10/26 08:53:51 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
[2010/10/25 05:56:24 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Bill\Desktop\spybotsd162a.exe
[2010/10/23 08:34:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/23 08:33:16 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/10/23 08:31:56 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Bill\Desktop\erunt-setup.exe
[2010/10/23 08:14:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/10/12 20:16:32 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/10/12 20:16:32 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/10/12 20:16:20 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/06 13:04:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/06 12:54:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1177238915-839522115-1003UA.job
[2010/11/06 09:21:57 | 004,329,496 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Bill\Desktop\avg_free_stb_all_2011_1153_upgrade.exe
[2010/11/06 02:54:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1177238915-839522115-1003Core.job
[2010/11/05 23:59:11 | 067,277,623 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/11/05 22:32:32 | 000,446,464 | ---- | M] (MyCity) -- C:\Documents and Settings\Bill\Desktop\usbnorisk.exe
[2010/11/05 18:04:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/05 17:06:28 | 000,191,909 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/11/05 17:06:17 | 000,013,726 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/05 17:06:01 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/11/05 17:05:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/04 22:47:43 | 000,001,028 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/11/04 22:47:43 | 000,001,010 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\Spybot - Search & Destroy.lnk
[2010/11/04 16:55:43 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\Google Chrome.lnk
[2010/11/04 16:55:43 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/03 23:07:03 | 000,003,632 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\Attach3.zip
[2010/11/03 18:40:51 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/11/03 17:53:18 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Bill\Desktop\ATF-Cleaner.exe
[2010/11/02 20:22:45 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\SystemLook.exe
[2010/10/31 23:09:21 | 000,112,640 | ---- | M] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/31 22:55:42 | 000,003,295 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\Attach2.zip
[2010/10/31 21:12:11 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\1gx17ml2.exe
[2010/10/31 10:42:05 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/31 10:34:26 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bill\Desktop\mbam-setup-1.46.exe
[2010/10/26 08:53:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
[2010/10/25 05:56:24 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Bill\Desktop\spybotsd162a.exe
[2010/10/23 09:34:10 | 000,003,048 | ---- | M] () -- C:\Documents and Settings\Bill\My Documents\Attach.zip
[2010/10/23 09:34:10 | 000,003,048 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\Attach.zip
[2010/10/23 08:36:09 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\dds.scr
[2010/10/23 08:33:39 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Bill\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/23 08:33:18 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\ERUNT.lnk
[2010/10/23 08:31:58 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Bill\Desktop\erunt-setup.exe
[2010/10/23 08:14:29 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\HiJackThis.lnk
[2010/10/23 08:13:40 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\HiJackThis.msi
[2010/10/23 08:06:26 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\housecall.guid.cache
[2010/10/22 07:10:10 | 000,002,359 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\NinjaTrader 6.5.lnk
[2010/10/21 22:52:36 | 007,993,878 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\auto5_mag_2up_s.pdf
[2010/10/21 22:05:49 | 006,562,200 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\auto5_light_om_s.pdf
[2010/10/21 21:26:39 | 000,556,544 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\JHM%20Basics%20Review%20by%20MKTr%20vers1[1].doc
[2010/10/18 22:17:09 | 006,562,200 | ---- | M] () -- C:\Documents and Settings\Bill\My Documents\auto5_light_om_s.pdf
[2010/10/13 04:26:17 | 000,132,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/13 04:09:11 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/12 21:58:43 | 000,097,914 | ---- | M] () -- C:\Documents and Settings\Bill\My Documents\worldFederationOfExchanges.pdf
[2010/10/08 04:05:50 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/08 04:05:50 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/04 22:47:43 | 000,001,028 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/11/04 22:47:43 | 000,001,010 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\Spybot - Search & Destroy.lnk
[2010/11/03 23:07:03 | 000,003,632 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\Attach3.zip
[2010/11/03 18:40:51 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/11/02 20:22:45 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\SystemLook.exe
[2010/10/31 22:55:42 | 000,003,295 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\Attach2.zip
[2010/10/31 21:12:11 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\1gx17ml2.exe
[2010/10/31 10:42:05 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/23 10:54:55 | 000,003,048 | ---- | C] () -- C:\Documents and Settings\Bill\My Documents\Attach.zip
[2010/10/23 09:34:10 | 000,003,048 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\Attach.zip
[2010/10/23 08:36:09 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\dds.scr
[2010/10/23 08:33:39 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Bill\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/23 08:33:18 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\ERUNT.lnk
[2010/10/23 08:14:13 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\HiJackThis.lnk
[2010/10/23 08:13:39 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\HiJackThis.msi
[2010/10/23 08:06:26 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\housecall.guid.cache
[2010/10/21 22:52:36 | 007,993,878 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\auto5_mag_2up_s.pdf
[2010/10/21 22:05:49 | 006,562,200 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\auto5_light_om_s.pdf
[2010/10/21 21:26:39 | 000,556,544 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\JHM%20Basics%20Review%20by%20MKTr%20vers1[1].doc
[2010/10/18 22:17:09 | 006,562,200 | ---- | C] () -- C:\Documents and Settings\Bill\My Documents\auto5_light_om_s.pdf
[2010/10/12 21:58:43 | 000,097,914 | ---- | C] () -- C:\Documents and Settings\Bill\My Documents\worldFederationOfExchanges.pdf
[2010/06/24 04:24:16 | 000,208,648 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/05/29 21:31:56 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2009/02/19 19:31:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/02/14 14:10:02 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/02/14 14:06:54 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPART800.ini
[2008/11/16 11:01:06 | 000,004,360 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/11/16 10:59:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AutoRun.INI
[2008/11/09 11:39:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/02 21:59:12 | 000,245,760 | ---- | C] () -- C:\WINDOWS\ddedll.dll
[2008/11/02 21:56:53 | 000,000,042 | ---- | C] () -- C:\WINDOWS\ib.ini
[2008/11/02 21:56:48 | 000,026,624 | ---- | C] () -- C:\WINDOWS\GetIe.dll
[2008/11/01 00:42:50 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/11/01 00:42:29 | 000,000,920 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/10/31 23:29:11 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2008/10/31 23:16:12 | 000,112,640 | ---- | C] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/31 23:13:00 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2008/10/31 23:13:00 | 000,005,685 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2008/10/31 23:12:58 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008/10/31 23:12:58 | 000,003,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008/10/31 23:12:30 | 000,016,671 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/10/31 23:12:30 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/10/31 23:12:25 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/10/31 15:54:01 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/26 12:13:26 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\NtDirect.dll
[2007/06/28 23:43:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/28 23:43:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/28 23:43:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/28 23:43:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/28 23:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

========== LOP Check ==========

[2010/10/26 07:48:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/02/14 14:09:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/02/14 14:36:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Epson
[2010/11/05 17:06:01 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



< End of report >

Bill Moz
2010-11-07, 16:00
OTL Extras logfile created on: 11/6/2010 1:21:39 PM - Run 2
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Bill\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 25.36 Gb Total Space | 2.91 Gb Free Space | 11.47% Space Free | Partition Type: NTFS
Drive D: | 55.90 Gb Total Space | 7.26 Gb Free Space | 12.99% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 1.19 Gb Free Space | 15.97% Space Free | Partition Type: FAT32
Unable to calculate disk information.

Computer Name: BILL-WCG1YON6RY | User Name: Bill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"4764:UDP" = 4764:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4765:UDP" = 4765:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4780:UDP" = 4780:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4781:UDP" = 4781:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4783:UDP" = 4783:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4785:UDP" = 4785:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4782:UDP" = 4782:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4784:UDP" = 4784:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4791:UDP" = 4791:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4790:UDP" = 4790:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4795:UDP" = 4795:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4797:UDP" = 4797:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4794:UDP" = 4794:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4796:UDP" = 4796:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4801:UDP" = 4801:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4803:UDP" = 4803:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4800:UDP" = 4800:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4802:UDP" = 4802:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4807:UDP" = 4807:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4806:UDP" = 4806:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4811:UDP" = 4811:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4810:UDP" = 4810:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4812:UDP" = 4812:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4813:UDP" = 4813:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4816:UDP" = 4816:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4819:UDP" = 4819:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4817:UDP" = 4817:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)
"4818:UDP" = 4818:UDP:*:Enabled:Windows Media Format SDK (iexplore.exe)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe" = C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe:*:Enabled:NinjaTrader application -- (NinjaTrader)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"E:\Common\EasyInstall\EasyInstall.exe" = E:\Common\EasyInstall\EasyInstall.exe:*:Enabled:EasyInstall -- File not found
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Documents and Settings\Bill\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Bill\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- (Octoshape ApS)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05B68931-AD1D-4879-AF0E-D2BFF9750C58}" = CrossHair
"{1733360D-6EE0-42F9-9B03-1072D5CD8179}" = ArcSoft Print Creations
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}" = Cool & Quiet
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 22
"{2AD738DC-FC24-4342-A2DA-BB6DCCF6B048}" = Jing
"{2B0CDD4D-5C1A-47F7-89E2-9BF604670ABC}" = EpsonNet Config V3
"{30D20E0C-95AE-4B67-BD69-B7865B311047}" = NinjaTrader 6.5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{4360BB46-507E-4361-8DCB-4FF9BDC9907B}" = SnagIt 7
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{95F875CC-1B85-43E6-B3E0-13EA04F3D995}" = ArcSoft Print Creations - Photo Prints
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D16A31F9-276D-4968-A753-FFEAC56995D0}" = Epson Print CD
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ASUS_Ai_Proactive_Screensaver (E)" = ASUS_Ai_Proactive_Screensaver (E)
"AVG9Uninstall" = AVG Free 9.0
"EPSON Artisan 800 Series" = EPSON Artisan 800 Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"FLV Player" = FLV Player 2.0 (build 25)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"QuoteTracker_is1" = QuoteTracker
"Trader Workstation 4.0" = Trader Workstation 4.0
"TWS Interoperability Components" = TWS Interoperability Components
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1454471165-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/17/2010 1:50:13 PM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/19/2010 9:18:09 AM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/20/2010 11:23:12 AM | Computer Name = BILL-WCG1YON6RY | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module quartz.dll, version 6.5.2600.5822, fault address 0x000aeef4.

Error - 1/30/2010 12:58:07 AM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/30/2010 7:57:09 PM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2010 12:03:02 PM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2010 12:03:53 PM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2010 12:04:16 PM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/19/2010 12:21:50 AM | Computer Name = BILL-WCG1YON6RY | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.5721.5145, faulting
module quartz.dll, version 6.5.2600.5908, fault address 0x00096146.

Error - 4/20/2010 12:18:11 AM | Computer Name = BILL-WCG1YON6RY | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/5/2010 6:06:04 PM | Computer Name = BILL-WCG1YON6RY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/5/2010 8:57:17 PM | Computer Name = BILL-WCG1YON6RY | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
LORI-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{C3A6FFF1-78F6-4DB3-B. The master browser is stopping or an election
is being forced.

Error - 11/5/2010 11:40:05 PM | Computer Name = BILL-WCG1YON6RY | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the WLSVC service.

Error - 11/6/2010 12:58:24 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/6/2010 12:58:36 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/6/2010 12:58:48 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/6/2010 12:59:38 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/6/2010 2:13:28 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/6/2010 11:53:39 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/6/2010 11:53:49 AM | Computer Name = BILL-WCG1YON6RY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.


< End of report >

Bill Moz
2010-11-07, 16:01
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200003d

Kernel Drivers (total 125):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xBA338000 viaagp1.sys
0xB9DEE000 Mup.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB9277000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xB9263000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xBA308000 \SystemRoot\System32\DRIVERS\imapi.sys
0xBA318000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA118000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB9240000 \SystemRoot\System32\DRIVERS\ks.sys
0xBA418000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB921C000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xBA420000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xBA128000 \SystemRoot\System32\DRIVERS\fetnd5bv.sys
0xB91F7000 \SystemRoot\System32\DRIVERS\HDAudBus.sys
0xB91A0000 \SystemRoot\System32\DRIVERS\RT61.sys
0xBA5DC000 \SystemRoot\System32\DRIVERS\ASACPI.sys
0xBA428000 \SystemRoot\System32\DRIVERS\fdc.sys
0xBA138000 \SystemRoot\System32\DRIVERS\serial.sys
0xB9DBA000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB918C000 \SystemRoot\System32\DRIVERS\parport.sys
0xBA780000 \SystemRoot\system32\drivers\msmpu401.sys
0xB9168000 \SystemRoot\system32\drivers\portcls.sys
0xBA148000 \SystemRoot\system32\drivers\drmk.sys
0xB9DB6000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xBA781000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA158000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB9DB2000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB9151000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA168000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA178000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xBA430000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB9140000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA188000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xBA438000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xBA440000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB9110000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xBA198000 \SystemRoot\System32\DRIVERS\termdd.sys
0xBA448000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xBA450000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xBA5DE000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB90B2000 \SystemRoot\System32\DRIVERS\update.sys
0xBA548000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xBA1A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1B8000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xBA5E8000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xB6EA3000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xB6E83000 \SystemRoot\system32\drivers\AEAudio.sys
0xB6E23000 \SystemRoot\system32\drivers\Senfilt.sys
0xBA470000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xBA5EC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7F4000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5EE000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA488000 \SystemRoot\System32\drivers\vga.sys
0xBA5F0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5F2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA490000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA498000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA570000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xB6DC8000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xB6D6F000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xB6D35000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB6D0F000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xBA1E8000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB6CE7000 \SystemRoot\System32\DRIVERS\netbt.sys
0xBA588000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA590000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA594000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xB6CC5000 \SystemRoot\System32\drivers\afd.sys
0xBA208000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB6C9A000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB6C2A000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xBA288000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA3E0000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB6BF6000 \SystemRoot\System32\Drivers\avgldx86.sys
0xBA664000 \SystemRoot\system32\drivers\AsIO.sys
0xB6F29000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB6F85000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA460000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA71A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB6987000 \SystemRoot\System32\DRIVERS\AegisP.sys
0xB6463000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xB5E51000 \SystemRoot\system32\drivers\wdmaud.sys
0xB6056000 \SystemRoot\system32\drivers\sysaudio.sys
0xB5DD6000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xBA64A000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB5AAE000 \SystemRoot\System32\DRIVERS\srv.sys
0xB5A8A000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB54F9000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA408000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB52CE000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xBA3D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB45EE000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
656 C:\WINDOWS\system32\smss.exe
704 csrss.exe
728 C:\WINDOWS\system32\winlogon.exe
772 C:\WINDOWS\system32\services.exe
784 C:\WINDOWS\system32\lsass.exe
952 C:\WINDOWS\system32\svchost.exe
1000 svchost.exe
1092 C:\WINDOWS\system32\svchost.exe
1164 C:\Program Files\AVG\AVG9\avgchsvx.exe
1192 C:\Program Files\AVG\AVG9\avgrsx.exe
1256 svchost.exe
1428 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1456 svchost.exe
1888 C:\WINDOWS\system32\spoolsv.exe
252 svchost.exe
324 C:\Program Files\Common Files\EPSON\eEBAPI\eEBSvc.exe
496 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
504 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1076 C:\WINDOWS\system32\nvsvc32.exe
1484 C:\WINDOWS\explorer.exe
1976 C:\Program Files\AVG\AVG9\avgnsx.exe
2164 C:\WINDOWS\system32\svchost.exe
2336 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
3380 alg.exe
3472 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3480 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
3504 C:\Program Files\ASUS\PC Probe II\Probe2.exe
3512 C:\WINDOWS\system32\rundll32.exe
3520 C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
3528 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
3536 C:\Program Files\AVG\AVG9\avgtray.exe
3620 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3628 C:\WINDOWS\system32\ctfmon.exe
3684 C:\Program Files\Bill\Spybot - Search & Destroy\TeaTimer.exe
3696 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
132 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
2412 C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
3808 PresentationFontCache.exe
3272 C:\Program Files\Java\jre6\bin\jqs.exe
3864 C:\WINDOWS\system32\wscntfy.exe
276 C:\Documents and Settings\Bill\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor92720U8, Rev: MA540RR0
PhysicalDrive1 Model Number: ST360021A, Rev: 7.73

Size Device Name MBR Status
--------------------------------------------
25 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
55 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Bill Moz
2010-11-07, 16:09
RootkitUnhooker took a very long time to complete, 4-5 hours, but it checked all drives instead of just C:. The scan result report did not specifically save as a text file, but it will open in Notepad.

Bill Moz
2010-11-07, 16:12
Another try at attachment

Bill Moz
2010-11-07, 16:19
The first Unhooker report would not attach and was too long to paste in a post because I scanned more than just drive C:. This report is from drive C: only; hope it is enough. I will redo it if you need all drives scanned.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB9277000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.13 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6057984 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 178.13 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6C2A000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB6E23000 C:\WINDOWS\system32\drivers\Senfilt.sys 393216 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xB90B2000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB6D6F000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB5AAE000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB91A0000 C:\WINDOWS\System32\DRIVERS\RT61.sys 356352 bytes (Ralink Technology Inc., Ralink 802.11 Wireless Adapter Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB54F9000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB6D35000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xB6BF6000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB9110000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB5DD6000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB6C9A000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6CE7000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB6EA3000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 155648 bytes (Analog Devices, Inc., High Definition Audio Function Driver(Release Candidate 1))
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB6D0F000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB91F7000 C:\WINDOWS\System32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB5A8A000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB9168000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB921C000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9240000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB52CE000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB6CC5000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB6E83000 C:\WINDOWS\system32\drivers\AEAudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9151000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB5E51000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB918C000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9263000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB6DC8000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9140000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB6F29000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA318000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA138000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA148000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA118000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB6056000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1B8000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA0E8000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA158000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA178000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA128000 C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys 45056 bytes (VIA Technologies, Inc. , NDIS 5.0 miniport driver)
0xBA288000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA308000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA168000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1A8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA198000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA188000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA208000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB5682000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA1E8000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA498000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA4A0000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA420000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA428000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA480000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA338000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)
0xBA3E0000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xBA448000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA450000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA408000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xBA418000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA488000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB6987000 C:\WINDOWS\System32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xBA470000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xBA490000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA438000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA440000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA430000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA460000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA590000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA548000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB6463000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9DBA000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB6F85000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9DB6000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xBA588000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA594000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9DB2000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA570000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5DC000 C:\WINDOWS\System32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0xBA664000 C:\WINDOWS\system32\drivers\AsIO.sys 8192 bytes
0xBA5EE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AE000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5EC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5F0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA64A000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBA5F2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5DE000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5E8000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AC000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA781000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA71A000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA780000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xBA7F4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x89EBAAEA ?_empty_? 1302 bytes
0x89EBAEC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x89DD3CA8 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9F0B000 WARNING: suspicious driver modification [atapi.sys::0x89EBAAEA]
0xB6CE7000 WARNING: Virus alike driver modification [netbt.sys], 163840 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
[132]ArcCon.ac-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1428]avgcsrvx.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1484]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1484]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1484]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1484]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[1484]explorer.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1484]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1484]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1484]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1484]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2412]GoogleCrashHandler.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[252]svchost.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3472]smax4pnp.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3480]SMax4.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3504]Probe2.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3512]rundll32.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3520]EEventManager.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3528]ACDaemon.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3628]ctfmon.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3684]TeaTimer.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3696]hpotdd01.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[3808]PresentationFontCache.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[728]winlogon.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[772]services.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

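An added triage script (not from the thread or from the RkU tool) that parses an excerpt of the RkU report above, indexes the Drivers section, and resolves each Stealth warning and hook address against it, so the redirect into the hidden driver region behind the atapi.sys warning and the unresolved user-mode hooks stand out from the intra-module ntkrnlpa.exe jump. The excerpt is copied from the posted report; the regexes, names and severity ordering are my own assumptions.

```python
"""Triage a RootkitUnhooker (RkU) report: index the Drivers section, then resolve the
addresses in the Stealth warnings and Hooks entries against that index so that code
living outside every listed module, or inside a region RkU flagged as hidden, stands out."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: a few lines copied from the RkU report posted above.
RKU_EXCERPT = r"""
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB6CE7000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB5682000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
!!!!!!!!!!!Hidden driver: 0x89EBAAEA ?_empty_? 1302 bytes
0x89EBAEC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x89DD3CA8 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9F0B000 WARNING: suspicious driver modification [atapi.sys::0x89EBAAEA]
0xB6CE7000 WARNING: Virus alike driver modification [netbt.sys], 163840 bytes
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
[1484]explorer.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1484]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
"""

# Line shapes as they appear in the posted output (assumed from that output, not an official grammar).
MODULE_RE = re.compile(r"^(?P<hidden>!+Hidden driver: )?(?P<base>0x[0-9A-Fa-f]+) (?P<name>.+?) (?P<size>\d+) bytes")
STEALTH_RE = re.compile(r"^(?P<base>0x[0-9A-Fa-f]+) WARNING: (?P<what>.+?) \[(?P<module>[^\]:]+)(?:::(?P<addr>0x[0-9A-Fa-f]+))?\]")
HOOK_RE = re.compile(r"^(?P<where>.+?), Type: (?P<kind>.+?) (?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]")


@dataclass
class Module:
    base: int
    size: int
    name: str
    hidden: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Report:
    modules: list = field(default_factory=list)
    stealth: list = field(default_factory=list)  # (base, what, module, target addr or None)
    hooks: list = field(default_factory=list)    # (where, kind, src, dst, owner)

    def module_at(self, addr: int):
        """The listed module whose mapped range covers addr, or None if nothing backs it."""
        return next((m for m in self.modules if m.contains(addr)), None)


def parse_rku(text: str) -> Report:
    report, section = Report(), None
    for line in text.splitlines():
        if line.startswith(">"):          # section header such as ">Drivers"
            section = line[1:].strip()
        elif not line or line.startswith("="):
            continue
        elif section == "Drivers" and (m := MODULE_RE.match(line)):
            report.modules.append(Module(int(m["base"], 16), int(m["size"]), m["name"], bool(m["hidden"])))
        elif section == "Stealth" and (m := STEALTH_RE.match(line)):
            target = int(m["addr"], 16) if m["addr"] else None
            report.stealth.append((int(m["base"], 16), m["what"], m["module"], target))
        elif section == "Hooks" and (m := HOOK_RE.match(line)):
            report.hooks.append((m["where"], m["kind"], int(m["src"], 16), int(m["dst"], 16), m["owner"]))
    return report


def triage(report: Report) -> list:
    """Findings a human should look at: hidden drivers, then stealth warnings, then hooks
    that leave their own module (a jump that stays inside one module is left out)."""
    findings = []
    for m in report.modules:
        if m.hidden:
            findings.append(f"hidden driver at 0x{m.base:08X} ({m.size} bytes), no file name reported ({m.name})")
    for _base, what, module, target in report.stealth:
        if target is None:
            findings.append(f"{module}: {what}")
            continue
        owner = report.module_at(target)
        where = ("hidden region " + owner.name if owner and owner.hidden
                 else owner.name if owner else "no listed module")
        findings.append(f"{module}: {what} redirects to 0x{target:08X}, which lies in {where}")
    for where, kind, src, dst, owner in report.hooks:
        if report.module_at(dst) is not None and report.module_at(src) is report.module_at(dst):
            continue  # intra-module jump, e.g. a hotpatch stub inside ntkrnlpa.exe
        findings.append(f"{where}: {kind} 0x{src:08X}->0x{dst:08X} owned by [{owner}]")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_rku(RKU_EXCERPT)):
        print(finding)
```

The same parser runs over a full report saved from RkU; only the Drivers, Stealth and Hooks sections are consulted.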
Bill Moz
2010-11-07, 17:22
Also updated Java as suggested.

Jack&Jill
2010-11-07, 17:30
Hello Bill Moz :),

Please download ComboFix© by sUBs from one of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/sUBs/ComboFix.exe)

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Install Recovery Console and run ComboFix

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Re-enable your security software as soon as you have completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) if you need help.

--------------------

Please post back:
1. the ComboFix log

Bill Moz
2010-11-07, 18:00
ComboFix is asking me to uninstall AVG Antivirus; should I do that?

Bill Moz
2010-11-07, 18:02
AVG just released an updated program, so uninstalling the old one is fine with me.

Jack&Jill
2010-11-07, 18:03
Hello Bill Moz :),

Yes, please do. I missed highlighting this point.

Bill Moz
2010-11-07, 20:26
It appears I am unable to remove AVG, not sure why; I'll try to figure something out.

Bill Moz
2010-11-08, 03:34
I found an uninstaller to get rid of AVG; now I am having trouble running ComboFix. Any suggestions?

Jack&Jill
2010-11-08, 04:52
Hello Bill Moz :),

What uninstaller did you use? Is AVG fully removed? Could you please describe what problems you are facing when running ComboFix?

Bill Moz
2010-11-08, 05:27
This is the uninstaller I found
http://forums.avg.com/us-en/avg-free-forum?sec=thread&act=show&id=110317

I click on the ComboFix.exe icon on the desktop and get no response.

Jack&Jill
2010-11-08, 06:34
Hello Bill Moz :),

Please delete the ComboFix copy you have and download a fresh copy. This time, save it to the root of your drive, C:\ and run it from there.

Bill Moz
2010-11-09, 02:11
Downloaded a fresh copy of ComboFix to C: and deleted the previous download; still no reaction when trying to start ComboFix. When I click on the icon, a box comes up with Run or Cancel options; I click Run and nothing happens. If I click on your first download link, LINK 1, and choose Run instead of Save, the program gets to the user agreement box; I click Yes and the program produces this error:

You cannot rename Combofix as Combofix[1]
Please use another name, preferably one made up of alphanumeric characters.

So if I click on Link 1, it seems the program does start to load but then stops.

Jack&Jill
2010-11-09, 02:42
Hello Bill Moz :),


If I click on your first download link, LINK 1, and choose run instead of save, the program will get to the user agreement box, I click yes and the program produces this error.
Running from the browser is not recommended.

Delete the ComboFix copy you have and download a fresh copy, save it as BMCF.exe to the desktop. See if this works.

Bill Moz
2010-11-09, 03:31
Combofix scan complete.

ComboFix 10-11-07.A2 - Bill 11/08/2010 20:11:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1725 [GMT -6:00]
Running from: c:\documents and settings\Bill\Desktop\BMCF.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AutoRun.ini

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.

2010-11-08 01:01 . 2010-11-08 01:01 -------- d-----w- C:\AVGTemp
2010-11-06 03:38 . 2010-11-06 03:38 -------- d-----w- C:\USBNoRisk
2010-11-05 03:37 . 2010-11-05 03:47 -------- d-----w- c:\program files\Bill
2010-11-04 00:36 . 2010-11-04 00:36 -------- d-----w- c:\program files\ESET
2010-11-03 23:38 . 2010-11-03 23:40 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-03 23:36 . 2010-11-03 23:36 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-11-02 00:46 . 2010-11-02 00:46 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes
2010-10-31 15:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-31 15:42 . 2010-10-31 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-31 15:42 . 2010-11-02 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-31 15:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-23 13:33 . 2010-10-23 13:33 -------- d-----w- c:\program files\ERUNT
2010-10-23 13:14 . 2010-10-23 13:14 388096 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-23 13:14 . 2010-10-23 13:14 -------- d-----w- c:\program files\Trend Micro
2010-10-22 04:11 . 2010-10-22 04:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-13 01:16 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:16 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:16 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50 . 2010-05-25 03:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2009-03-22 23:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 23:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-01 39408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"Google Update"="c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"SpybotSD TeaTimer"="c:\program files\Bill\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-01-05 1915392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Bill\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\jts\WiseUpdt.exe [2008-11-2 194775]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4764:UDP"= 4764:UDP:Windows Media Format SDK (iexplore.exe)
"4765:UDP"= 4765:UDP:Windows Media Format SDK (iexplore.exe)
"4780:UDP"= 4780:UDP:Windows Media Format SDK (iexplore.exe)
"4781:UDP"= 4781:UDP:Windows Media Format SDK (iexplore.exe)
"4783:UDP"= 4783:UDP:Windows Media Format SDK (iexplore.exe)
"4785:UDP"= 4785:UDP:Windows Media Format SDK (iexplore.exe)
"4782:UDP"= 4782:UDP:Windows Media Format SDK (iexplore.exe)
"4784:UDP"= 4784:UDP:Windows Media Format SDK (iexplore.exe)
"4791:UDP"= 4791:UDP:Windows Media Format SDK (iexplore.exe)
"4790:UDP"= 4790:UDP:Windows Media Format SDK (iexplore.exe)
"4795:UDP"= 4795:UDP:Windows Media Format SDK (iexplore.exe)
"4797:UDP"= 4797:UDP:Windows Media Format SDK (iexplore.exe)
"4794:UDP"= 4794:UDP:Windows Media Format SDK (iexplore.exe)
"4796:UDP"= 4796:UDP:Windows Media Format SDK (iexplore.exe)
"4801:UDP"= 4801:UDP:Windows Media Format SDK (iexplore.exe)
"4803:UDP"= 4803:UDP:Windows Media Format SDK (iexplore.exe)
"4800:UDP"= 4800:UDP:Windows Media Format SDK (iexplore.exe)
"4802:UDP"= 4802:UDP:Windows Media Format SDK (iexplore.exe)
"4807:UDP"= 4807:UDP:Windows Media Format SDK (iexplore.exe)
"4806:UDP"= 4806:UDP:Windows Media Format SDK (iexplore.exe)
"4811:UDP"= 4811:UDP:Windows Media Format SDK (iexplore.exe)
"4810:UDP"= 4810:UDP:Windows Media Format SDK (iexplore.exe)
"4812:UDP"= 4812:UDP:Windows Media Format SDK (iexplore.exe)
"4813:UDP"= 4813:UDP:Windows Media Format SDK (iexplore.exe)
"4816:UDP"= 4816:UDP:Windows Media Format SDK (iexplore.exe)
"4819:UDP"= 4819:UDP:Windows Media Format SDK (iexplore.exe)
"4817:UDP"= 4817:UDP:Windows Media Format SDK (iexplore.exe)
"4818:UDP"= 4818:UDP:Windows Media Format SDK (iexplore.exe)

R2 WLSVC;WLSVC;c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [10/31/2008 11:42 PM 41025]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:44 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:44]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:44]

2010-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1177238915-839522115-1003Core.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 15:52]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1177238915-839522115-1003UA.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 15:52]

2010-11-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-08 20:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-11-08 20:22:38
ComboFix-quarantined-files.txt 2010-11-09 02:22

Pre-Run: 3,121,127,424 bytes free
Post-Run: 3,239,862,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

- - End Of File - - 3BB1E14DA06DC2189C37EAEC51F5F274

Jack&Jill
2010-11-09, 04:53
Hello Bill Moz :),

Everything looks good. Any more problems?

Please run another ESET online scan, just to be sure.

Bill Moz
2010-11-09, 04:56
I was waiting for you to look at it before I tried anything. Should I try to reinstall AVG now? And do you have suggestions for better anti-virus software? AVG is fine with me, I just thought something else might be better.

Bill Moz
2010-11-09, 05:10
The ESET scan has already found Java/trojandownloader.agent.nbm.

Bill Moz
2010-11-09, 05:12
Log to follow at scan conclusion.

Jack&Jill
2010-11-09, 06:36
Hello Bill Moz :),

For antivirus, these are some that I prefer. You should choose one of them.

Avast (http://www.avast.com/eng/download-avast-home.html)
Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)

Please keep only one AV installed.

I will wait for the ESET scan result before giving you the All Clear and some recommendations.

Bill Moz
2010-11-09, 06:50
I had the ESET scan set to not remove infected files, as per the instructions on page 2.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d5a2f0374c2b4a499625a5c7b83d482b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-04 02:33:30
# local_time=2010-11-03 09:33:30 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 70251 70251 0 0
# compatibility_mode=1024 16777191 100 0 20309473 20309473 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=102201
# found=9
# cleaned=0
# scan_time=6506
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\20\7bb99554-2e1090b7 Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-1626c168 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-5f8d8945 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\39\3f57e627-1ad38c1f a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\45\7c599ead-497b82a1 a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-69b7982a Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\58\1f62c23a-2f1a0ce8 Java/TrojanDownloader.Agent.NBM trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\61\6459dbfd-2538be44 a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\9\24ea7dc9-59e1eeea a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d5a2f0374c2b4a499625a5c7b83d482b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-09 05:46:06
# local_time=2010-11-08 11:46:06 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 514120 514120 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=104303
# found=7
# cleaned=0
# scan_time=6192
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\20\7bb99554-2e1090b7 Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-1626c168 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-5f8d8945 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-69b7982a Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\58\1f62c23a-2f1a0ce8 Java/TrojanDownloader.Agent.NBM trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AB656524-4E00-42EC-ACF7-BD8F40C1A4AC}\RP941\A0054186.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

Jack&Jill
2010-11-09, 07:23
Hello Bill Moz :),

You did not clear off the Java cache. Please do so.

You can clear them off using ATF Cleaner's Java Cache option, or go to Start > Control Panel. Double click on Java and the Java Control Panel will open. At the General tab, click on the Settings... below the Temporary Internet Files title. Press the Delete Files... button and OK your way out.

The remainder of the online scan's findings include backups that were created during the course of this fix, and items located in C:\System Volume Information\ where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore.

Nevertheless, we shall be taking care of both in a while.

--------------------

If you have no more issues, we can close the case.

Congratulations, you are All Clear to go. Glad to hear everything is good and running :). If you have any more problems, please let me know.

Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.

Go to Start > Run.... Copy and paste the following text into the white box:
ComboFix /uninstall
Click OK.
Run OTL by double clicking on OTL.exe. Click on CleanUp, proceed to reboot if prompted.
Delete the GMER file (1gx17ml2.exe), SystemLook, USBNoRisk, MBRCheck and Rootkit Unhooker files on your desktop.
Delete any logs on the desktop.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows XP (http://www.bleepingcomputer.com/tutorials/tutorial35.html), Windows Vista (https://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsvista.mspx) or Windows 7 (http://windows.microsoft.com/en-us/windows7/Turn-automatic-updating-on-or-off) to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits and malware.

2. Purge System Restore, for this one time only. A recovery feature is only useful if it is free of malware. See the Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html) for a detailed explanation.

3. Update your antivirus program regularly; it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials (http://www.microsoft.com/security_essentials/), Avast (http://www.avast.com/eng/download-avast-home.html) and Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914) are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 (http://www.eset.com/products/nod32.php) and Kaspersky (http://www.kaspersky.com/kaspersky_anti-virus) are some good options. Please keep only one AV installed.

4. Install Malwarebytes' Anti-Malware if you haven't, and use it occasionally. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free, but for real-time protection you will have to pay a small one-time fee.

5. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications.

6. Use a hosts file to block access to bad sites from your computer. Get yourself the MVPS Hosts file (http://www.mvps.org/winhelp2002/hosts.htm) for this purpose.

7. Install Web of Trust (WOT). WOT (http://www.mywot.com/) keeps you away from dangerous websites with warnings and blocking.

8. Protect your computer from removable or USB drive infections with Panda USB Vaccine (http://www.pandasecurity.com/homeusers/downloads/usbvaccine/), an effective method to prevent malware from spreading.

9. Keep all your software updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates are required.

10. Install a third-party firewall if you do not have one, for additional defense against internet dangers. The built-in Windows firewall can only keep nasties from breaking in, but it is unable to stop malware from sending information out. Some recommended firewalls are Online Armor (http://www.tallemu.com/free-firewall-protection-software.html), Outpost (http://www.agnitum.com/products/outpostfree/index.php) and PC Tools (http://www.pctools.com/firewall/download/). More information on firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html). Please keep only one FW installed.

11. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

12. Also look up How to prevent malware: By miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) and So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279).

Stay safe.
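
The triage the helper did by hand above (Java cache findings need clearing, Qoobox entries are ComboFix's own quarantine, System Volume Information entries are inert restore points) can be automated over an ESET Online Scanner log. This is an added example, not part of the thread or of ESET's tooling; the sample log is constructed from detection lines quoted in the thread, and the bucket names and the `classify`/`triage` functions are this example's own.

```python
"""Sort ESET Online Scanner findings into clean-up buckets (added example)."""
import re
from collections import Counter

# One detection line: <path with spaces> <threat> <kind> <hex hash> <flag>.
# The path is matched lazily; the hex-only hash token pins the split.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:a variant of )?\S+)\s+(?P<kind>\S+)\s+"
    r"(?P<hash>[0-9A-Fa-f]+)\s+(?P<flag>\S+)$"
)

# Where a finding lives decides the clean-up step (bucket names are ours).
BUCKETS = (
    (r"\\Sun\\Java\\Deployment\\cache\\", "java-cache"),          # clear Java temp files
    (r"\\Qoobox\\Quarantine\\", "combofix-quarantine"),          # gone with ComboFix /uninstall
    (r"\\System Volume Information\\_restore", "system-restore"),  # inert; purge System Restore
)

# Constructed sample: header keys and detection lines as they appear in the thread.
SAMPLE_LOG = r"""# version=7
# remove_checked=false
# found=4
# cleaned=0
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\58\1f62c23a-2f1a0ce8 Java/TrojanDownloader.Agent.NBM trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Bill\Application Data\Sun\Java\Deployment\cache\6.0\39\3f57e627-1ad38c1f a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AB656524-4E00-42EC-ACF7-BD8F40C1A4AC}\RP941\A0054186.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
"""


def classify(path):
    """Return the clean-up bucket for a path; anything else is still 'active'."""
    for pattern, bucket in BUCKETS:
        if re.search(pattern, path, re.IGNORECASE):
            return bucket
    return "active"


def parse_log(text):
    """Split the log into its '# key=value' header and parsed detection lines."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
        elif (m := DETECTION.match(line)):
            findings.append({**m.groupdict(), "bucket": classify(m["path"])})
    return header, findings


def triage(text):
    """Summarise a log: counts per bucket, active paths, and header consistency."""
    header, findings = parse_log(text)
    found = int(header.get("found", len(findings)))
    return {
        "found": found,
        "consistent": found == len(findings),   # every reported hit was parsed
        # remove_checked=false with cleaned=0 means the scan only reported
        "left_in_place": header.get("remove_checked") == "false" and header.get("cleaned") == "0",
        "counts": dict(Counter(f["bucket"] for f in findings)),
        "active": [f["path"] for f in findings if f["bucket"] == "active"],
    }
```

A non-empty `active` list is the only bucket that still needs a helper's attention; the other three are handled by the Java cache clearing, `ComboFix /uninstall` and System Restore purge steps already listed in the post.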

Bill Moz
2010-11-10, 04:57
Thank you very much for all the help, computer seems to be running very well now. Thanks for all the time and effort, very much appreciated. Well Done.

Jack&Jill
2010-11-13, 06:33
As your problems appear to have been resolved, this topic is now closed.

We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)