
Thread: XP firewall virus infection

  1. #1
    Member (Join Date Oct 2010, Posts 32)

    XP firewall virus infection

    DDS data is at end of post and attached. First is a description of what happened.

    Yesterday, while I was looking for pictures of an actress I like, I was infected with the XP firewall virus. (It seems those sites with pictures of stars are very dangerous.) It took over my system and I could not run anything. I booted into the safe mode admin account (other accounts could not be accessed, as the virus ran in those). I ran Spybot, and it claimed to remove it along with 2 other things that were probably related. I then ran Avira, which also found a few things. I cannot find a report in Spybot that details what was found and removed. I did find a report in Avira as to what was found and removed. Here is a copy of the pertinent section of that report.

    Begin scan in 'C:\'
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip
    [DETECTION] Contains suspicious code GEN/PwdZIP

    --> Object
    [DETECTION] Is the TR/Dropper.Gen Trojan
    --> [PluginsDir]/ic1.exe
    [DETECTION] Is the TR/Dldr.MSIL.Agent.TJ.1 Trojan

    Beginning disinfection:
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip
    [DETECTION] Contains suspicious code GEN/PwdZIP
    [NOTE] The detection was classified as suspicious.
    [NOTE] The file was moved to the quarantine directory under the name '564133c8.qua'.

    I am concerned that it found two objects that it did not seem to do anything about.

    After running Spybot and Avira, I ran Malwarebytes, which found a registry key involving the Windows security and something about disableNotify. Unfortunately, Malwarebytes made no log of the session.

    All of the above was done in safe mode. When I went back to my regular account, the XP firewall virus was still there and prevented use of the system. I then booted back to safe mode and restored the system to a restore point 1 day prior to when the problem started. The restoration worked, and I am now able to use the system, but I am afraid this thing may not be gone. It evaded three different and well-recommended anti-malware/virus tools. So I think I really need to make sure this thing is gone and do something to prevent it from happening again.

    Also, I know we are not supposed to run anti-virus fixes before coming here. However, I had to do all the above just to get my system back to be able to come here :(

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by User at 20:20:12.17 on Mon 03/21/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1352 [GMT -5:00]
    .
    AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Replay Media Catcher\FLVSrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\TrueCrypt\TrueCrypt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\User\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
    TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
    uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Clearwire Connection Manager] "c:\program files\clearwire\connection manager\ClearwireCM.exe" -a
    mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
    IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
    IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\rv51vow5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 52323
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-30 64288]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-26 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-26 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-26 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-26 61960]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2009-11-9 107856]
    R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-11 135664]
    S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2009-10-1 282112]
    S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-10-1 51712]
    S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2009-11-9 120144]
    S3 GSService;GSService;c:\windows\system32\GSService.exe [2011-3-15 122880]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
    .
    =============== File Associations ===============
    .
    regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
    .
    =============== Created Last 30 ================
    .
    2011-03-22 00:35:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-22 00:35:10 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-21 11:29:50 0 ----a-w- c:\documents and settings\user\ntuser.tmp
    2011-03-19 11:01:37 -------- d-----w- c:\docume~1\user\applic~1\Xi
    2011-03-19 11:00:58 -------- d-----w- c:\program files\Xi
    2011-03-19 05:47:36 49664 ----a-w- c:\windows\system32\CamCodec.dll
    2011-03-19 05:47:36 -------- d-----w- c:\program files\CamStudio 2.6b
    2011-03-15 06:24:05 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Jaksta_Technologies_Pty_L
    2011-03-15 06:22:52 -------- d-----w- c:\docume~1\user\applic~1\Replay Media Catcher 4
    2011-03-15 06:22:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applian
    2011-03-15 06:22:44 -------- d-----w- c:\program files\Applian Technologies
    2011-03-15 05:51:33 -------- d-----w- c:\windows\SxsCaPendDel
    2011-03-15 05:50:35 -------- d-----w- c:\program files\AnyMedia Player
    2011-03-15 05:49:09 -------- d-----w- c:\program files\FLVCodec
    2011-03-15 05:49:07 7680 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-03-15 05:49:06 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2011-03-15 05:49:05 -------- d-----w- c:\program files\ffdshow
    2011-03-15 05:48:58 -------- d-----w- c:\program files\WinPcap
    2011-03-15 05:48:52 122880 ----a-w- c:\windows\system32\GSService.exe
    2011-03-15 05:48:51 -------- d-----w- c:\program files\RipTiger
    2011-03-15 05:38:02 -------- d-----w- c:\docume~1\user\applic~1\Foxreal
    2011-03-09 11:27:54 -------- d-----w- c:\program files\Fox
    .
    ==================== Find3M ====================
    .
    2011-03-15 06:19:19 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2011-03-15 06:19:18 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2006-05-03 17:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 18:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 20:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 20:21:20.54 ===============
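    The DDS report above (and the OTL log the same poster provides later in the thread) is what a helper reads by hand. What follows is an added example, not code from this thread and not part of the DDS or OTL tools: a small Python triage script that runs over a few lines copied from those two logs and flags the entries a helper looks at first: Firefox proxy settings, HOSTS redirections, services whose binary is missing, and IE add-ons that are not on a small allowlist. The allowlist, the choice of sample lines, and the function and variable names are assumptions made for the example.

```python
"""Triage helper for DDS / OTL style log lines (added example, not DDS or OTL code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS and OTL logs in this thread.
SAMPLE_LINES = [
    "uInternet Settings,ProxyOverride = <local>",
    r"BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll",
    r"TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 52323",
    "FF - prefs.js: network.proxy.type - 0",
    r"SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found",
    "O1 - Hosts: 127.0.0.1 www.007guard.com",
    'FF - prefs.js..network.proxy.http: "127.0.0.1"',
    "FF - prefs.js..network.proxy.type: 0",
]

# DDS writes "Hosts: ip name"; OTL writes "O1 - Hosts: ip name".
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)$")
# DDS: "network.proxy.http - 127.0.0.1"; OTL: 'network.proxy.http: "127.0.0.1"'.
FF_PROXY_RE = re.compile(r'network\.proxy\.(\w+)\s*[:-]\s*"?([^"\s]+)"?')
# OTL marks services/drivers whose binary is gone with "File not found".
MISSING_SVC_RE = re.compile(r"^(?:SRV|DRV) - \(([^)]+)\).*?--\s+(.+?)\s+File not found$")
# DDS lists IE browser helper objects and toolbars as "BHO: name: {clsid} - path".
ADDON_RE = re.compile(r"^(BHO|TB): (.+?): \{")

# Assumed allowlist for the example; a real helper works from a much larger one.
KNOWN_ADDONS = {
    "Google Toolbar", "Google Toolbar Helper", "Google Toolbar Notifier BHO",
    "Spybot-S&D IE Protection", "Adobe PDF Link Helper",
    "Java(tm) Plug-In 2 SSV Helper", "JQSIEStartDetectorImpl Class",
}


def triage(lines):
    """Return a dict of finding category -> list of findings for the given log lines."""
    findings = defaultdict(list)
    proxy = {}
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            findings["hosts"].append((host, ip))
            continue
        m = FF_PROXY_RE.search(line)
        if m:
            proxy[m.group(1)] = m.group(2)
            continue
        m = MISSING_SVC_RE.match(line)
        if m:
            findings["missing_service"].append((m.group(1), m.group(2)))
            continue
        m = ADDON_RE.match(line)
        if m and m.group(2) not in KNOWN_ADDONS:
            findings["unknown_addon"].append(m.group(2))
    if "http" in proxy:
        # Firefox only uses a manual HTTP proxy when network.proxy.type is 1.
        state = ("active" if proxy.get("type") == "1"
                 else "configured but not in use (proxy.type != 1)")
        findings["firefox_proxy"].append(
            f"{proxy['http']}:{proxy.get('http_port', '?')} {state}")
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LINES).items():
        print(category)
        for item in items:
            print("   ", item)
```

    Run as a script, it prints the findings by category. On the sample it reports the WhiteSmoke BHO as an unknown add-on, the HidServ service with a missing binary, the two HOSTS redirections, and a Firefox HTTP proxy of 127.0.0.1:52323 that is configured but not in use because network.proxy.type is 0 (direct connection). Which HOSTS lines matter depends on what is redirected: a long list of ad and malware domains pointed at 127.0.0.1 is what a blocklist looks like, while a security site mapped to 127.0.0.1, as DDS singled out for www.spywareinfo.com, is the kind of entry that gets a closer look.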

  2. #2
    Emeritus-Security Expert (Join Date Nov 2005, Location Florida's SpaceCoast, Posts 15,208)

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



    Let's do a few things.

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.


    When you run Malwarebytes, remove everything that's checked, and if Whitesmoke is not checked, check it for removal also.

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please


    There is more to do, but I don't want to overwhelm you.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member (Join Date Oct 2010, Posts 32)

    Thanks, the Malwarebytes log is attached in a zip file. It was too large to post.
    It looks like it got rid of the WhiteSmoke toolbar, which I did not want and tried to disable and delete. I got it when I downloaded SUPER 2011, a well-recommended multimedia conversion software. I was immediately suspicious when I saw the layout of the web page. It had a style to it that reeked of scam. (Yes, you can sometimes tell something is wrong just by the way they laid out the web page.) Then the text went on WAY TOO MUCH about how there was no malware or spyware. When someone goes on too much about a quality they or their work possess or do not possess, they are almost always lying to themselves and others. (i.e., if you ever hire people and get one that goes on and on about how they are always on time, and you hire them, I guarantee they will have a chronic tardiness problem.)

    After checking around a second time, I downloaded SUPER 2011. It offered to install the well-known spyware program Real Media. I declined the installation, and it was not installed. However, the annoying toolbar WhiteSmoke was installed. I uninstalled it, but it obviously did not go away completely.

    There is also some confusion, as WhiteSmoke is also the name of a virus. I am not sure, but I think the two are different things. One is a virus, the other just another annoying, useless toolbar. (I hate toolbars!!!!)

    SUPER 2011 turned out to be a very useful file conversion program. It is regrettable that the author chooses to distribute it bundled with such questionable products.

  4. #4
    Emeritus-Security Expert (Join Date Nov 2005, Location Florida's SpaceCoast, Posts 15,208)

    Good Morning,

    Real Media is spyware also, and Whitesmoke is a real nuisance. I saw some things in your DDS log that need to be fixed, so let's run this program.


    Run ATF Cleaner again to get rid of anything that may be left over from Whitesmoke that could be in a temp file.



    OTL by OldTimer
    • Download OTL to your desktop.
    • Double-click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
    • When the window appears, underneath Output at the top, change it to Minimal Output.
    • Click the "Scan All Users" checkbox.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

  5. #5
    Member (Join Date Oct 2010, Posts 32)

    I ran OTL 2 times, and it only gives the OTL.txt; it does not make the Extras.txt.

    OTL logfile created on: 3/24/2011 10:23:09 AM - Run 3
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\My Documents\Downloads\02
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 27.81 Gb Free Space | 37.32% Space Free | Partition Type: NTFS
    Drive E: | 3.81 Gb Total Space | 0.18 Gb Free Space | 4.74% Space Free | Partition Type: FAT32

    Computer Name: USER-8E19CF174C | User Name: User | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    PRC - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    PRC - C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
    PRC - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
    PRC - C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
    PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
    PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
    PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
    PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
    PRC - C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd.)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\User\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (Applian Technologies, Inc.)
    MOD - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
    SRV - (DataSvr2) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe File not found
    SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    SRV - (GSService) -- C:\WINDOWS\System32\GSService.exe ()
    SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
    SRV - (CLEARWIRERcAppSvc) -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe (SmithMicro Inc.)
    SRV - (SMSI Device Launch Service) -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
    SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
    SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
    SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)


    ========== Driver Services (SafeList) ==========

    DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
    DRV - (OMCI) -- C:\WINDOWS\System32\DRIVERS\OMCI.SYS File not found
    DRV - (NETw5x32) Intel(R) -- C:\WINDOWS\System32\DRIVERS\NETw5x32.sys File not found
    DRV - (catchme) -- C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys File not found
    DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
    DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
    DRV - (truecrypt) -- C:\WINDOWS\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
    DRV - (npf) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
    DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
    DRV - (appliandMP) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
    DRV - (appliand) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
    DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
    DRV - (bcmbusctr) -- C:\WINDOWS\system32\drivers\BcmBusCtr.sys (Beceem communications pvt ltd.)
    DRV - (bcm) -- C:\WINDOWS\system32\drivers\drxvi314.sys (Beceem communications pvt ltd.)
    DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
    DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
    DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
    DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
    DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
    DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
    DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
    DRV - (regi) -- C:\WINDOWS\system32\drivers\regi.sys (InterVideo)
    DRV - (TcUsb) -- C:\WINDOWS\system32\drivers\tcusb.sys (UPEK Inc.)
    DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
    DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)
    DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
    DRV - (HSXHWAZL) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
    DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
    DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
    DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
    DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
    DRV - (ULCDRHlp) -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys (Ulead Systems, Inc.)
    DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C D5 24 59 F5 03 CA 01 [binary data]
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    ========== FireFox ==========

    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
    FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 52323
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/15 00:37:45 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/15 00:37:45 | 000,000,000 | ---D | M]

    [2010/03/24 17:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
    [2011/03/23 19:49:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions
    [2010/07/08 20:05:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/02/06 07:24:26 | 000,000,000 | ---D | M] (WhiteSmoke Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}
    [2010/08/04 22:20:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2011/03/23 05:19:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/09/17 14:14:58 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2010/05/04 15:38:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/03/16 06:25:57 | 000,430,388 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 127.0.0.1 1-2005-search.com
    O1 - Hosts: 127.0.0.1 123fporn.info
    O1 - Hosts: 14840 more lines...
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (NXIECatcher Class) - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll (Xi)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (NetXfer) - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (Xi)
    O3 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [Ask and Record FLV Service] C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
    O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
    O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKU\S-1-5-21-1844237615-764733703-682003330-1003..\Run: [TrueCrypt] C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
    O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = False
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html ()
    O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html ()
    O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/S.../bin/cabsa.cab (Symantec RuFSI Utility Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/05/03 12:17:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/24 03:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2011/03/24 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Zombie RoadKill
    [2011/03/21 23:19:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\MSDN
    [2011/03/21 20:18:00 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2011/03/19 06:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\NetXfer
    [2011/03/19 06:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Xi
    [2011/03/19 06:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\Xi
    [2011/03/19 00:47:36 | 000,049,664 | ---- | C] (CamStudio Group) -- C:\WINDOWS\System32\CamCodec.dll
    [2011/03/19 00:47:36 | 000,000,000 | ---D | C] -- C:\Program Files\CamStudio 2.6b
    [2011/03/15 01:24:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Jaksta_Technologies_Pty_L
    [2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Replay Media Catcher 4
    [2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applian
    [2011/03/15 01:22:44 | 000,000,000 | ---D | C] -- C:\Program Files\Applian Technologies
    [2011/03/15 00:51:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
    [2011/03/15 00:50:35 | 000,000,000 | ---D | C] -- C:\Program Files\AnyMedia Player
    [2011/03/15 00:49:09 | 000,000,000 | ---D | C] -- C:\Program Files\FLVCodec
    [2011/03/15 00:49:06 | 000,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
    [2011/03/15 00:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\ffdshow
    [2011/03/15 00:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
    [2011/03/15 00:48:51 | 000,000,000 | ---D | C] -- C:\Program Files\RipTiger
    [2011/03/15 00:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Foxreal
    [2011/03/15 00:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxreal
    [2011/03/09 06:27:54 | 000,000,000 | ---D | C] -- C:\Program Files\Fox
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/03/24 10:20:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2D4D1D3B-05AD-4C66-8484-B628F282445D}.job
    [2011/03/24 07:13:32 | 000,169,453 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
    [2011/03/23 20:25:46 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\cbyethk.sys
    [2011/03/23 19:52:17 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/03/23 19:52:17 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/03/23 19:47:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/03/22 02:41:37 | 000,078,292 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
    [2011/03/21 23:32:16 | 000,001,035 | ---- | M] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
    [2011/03/21 20:43:36 | 000,004,372 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Attach.zip
    [2011/03/21 20:18:01 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
    [2011/03/21 20:18:01 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
    [2011/03/21 19:37:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 06:26:29 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\User\Application Data\902E.36B
    [2011/03/21 00:36:55 | 000,107,103 | ---- | M] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
    [2011/03/21 00:36:07 | 000,164,429 | ---- | M] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
    [2011/03/21 00:34:39 | 000,194,508 | ---- | M] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
    [2011/03/21 00:34:07 | 000,051,610 | ---- | M] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
    [2011/03/21 00:33:52 | 000,066,039 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
    [2011/03/21 00:33:39 | 000,007,381 | ---- | M] () -- C:\Documents and Settings\User\My Documents\images.jpeg
    [2011/03/21 00:32:53 | 000,152,656 | ---- | M] () -- C:\Documents and Settings\User\My Documents\13.jpg
    [2011/03/21 00:32:09 | 000,163,825 | ---- | M] () -- C:\Documents and Settings\User\My Documents\11.jpg
    [2011/03/20 07:58:21 | 000,221,727 | ---- | M] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
    [2011/03/20 06:25:28 | 000,547,407 | ---- | M] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
    [2011/03/20 04:34:55 | 000,756,214 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
    [2011/03/20 04:32:15 | 000,510,790 | ---- | M] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
    [2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
    [2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
    [2011/03/17 22:11:51 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/03/16 06:25:57 | 000,430,388 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/03/16 03:01:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/03/15 12:36:34 | 000,188,416 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/03/15 02:26:04 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Gravity 2.9.lnk
    [2011/03/15 01:22:48 | 000,001,956 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
    [2011/03/15 01:19:19 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
    [2011/03/15 01:19:18 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
    [2011/03/04 08:27:41 | 000,429,882 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110316-062557.backup
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/03/24 07:13:32 | 000,169,453 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
    [2011/03/23 20:25:46 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\cbyethk.sys
    [2011/03/22 02:41:36 | 000,078,292 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
    [2011/03/21 23:23:02 | 000,001,035 | ---- | C] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
    [2011/03/21 20:43:36 | 000,004,372 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Attach.zip
    [2011/03/21 20:18:01 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
    [2011/03/21 20:18:01 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
    [2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
    [2011/03/21 06:25:55 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\User\Application Data\902E.36B
    [2011/03/21 00:36:55 | 000,107,103 | ---- | C] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
    [2011/03/21 00:36:06 | 000,164,429 | ---- | C] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
    [2011/03/21 00:34:38 | 000,194,508 | ---- | C] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
    [2011/03/21 00:34:07 | 000,051,610 | ---- | C] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
    [2011/03/21 00:33:52 | 000,066,039 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
    [2011/03/21 00:33:39 | 000,007,381 | ---- | C] () -- C:\Documents and Settings\User\My Documents\images.jpeg
    [2011/03/21 00:32:53 | 000,152,656 | ---- | C] () -- C:\Documents and Settings\User\My Documents\13.jpg
    [2011/03/21 00:32:09 | 000,163,825 | ---- | C] () -- C:\Documents and Settings\User\My Documents\11.jpg
    [2011/03/20 07:58:21 | 000,221,727 | ---- | C] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
    [2011/03/20 06:25:28 | 000,547,407 | ---- | C] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
    [2011/03/20 04:34:53 | 000,756,214 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
    [2011/03/20 04:32:15 | 000,510,790 | ---- | C] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
    [2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
    [2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
    [2011/03/15 01:22:48 | 000,001,956 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
    [2011/03/15 00:49:07 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/03/15 00:48:52 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
    [2011/02/06 07:37:22 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
    [2010/07/27 00:58:38 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2010/07/15 19:45:44 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2010/07/13 01:51:24 | 000,002,432 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/05/10 16:55:39 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
    [2010/05/07 00:02:14 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\User\Application Data\default.rss
    [2010/05/07 00:02:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Application Data\downloads.m3u
    [2010/05/06 23:58:32 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2010/04/12 13:13:25 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
    [2010/04/04 20:56:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
    [2010/03/31 21:41:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFriend.INI
    [2010/03/19 14:51:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
    [2009/11/06 10:54:46 | 000,188,416 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/05/03 12:58:02 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
    [2009/05/03 12:17:42 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
    [2009/05/03 10:50:31 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2009/05/03 10:50:31 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2009/05/03 10:50:30 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2009/05/03 10:50:29 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2009/05/03 10:45:25 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
    [2009/05/03 05:08:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/09/08 10:30:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
    [1998/07/24 00:54:06 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
    [1998/07/15 22:44:30 | 000,134,656 | ---- | C] () -- C:\WINDOWS\System32\itijpg2.dll

    ========== LOP Check ==========

    [2011/03/15 01:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applian
    [2010/10/03 17:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Clearwire
    [2010/09/30 14:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TrueCrypt
    [2009/05/04 09:21:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
    [2010/03/18 17:53:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
    [2009/05/03 12:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
    [2010/06/12 22:23:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
    [2010/04/30 17:38:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    [2010/10/02 04:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fudge Muffin\Application Data\Clearwire
    [2010/09/29 14:31:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Clearwire
    [2011/03/15 00:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Foxreal
    [2011/03/24 06:52:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GrabIt
    [2010/06/10 21:25:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Gravity
    [2011/02/06 01:57:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Gui4Cli
    [2010/03/18 21:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\InterVideo
    [2011/03/15 01:24:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Replay Media Catcher 4
    [2010/09/30 16:18:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TrueCrypt
    [2010/03/18 17:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Ulead Systems
    [2009/05/03 12:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Wave Systems Corp
    [2011/03/19 06:01:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Xi
    [2011/03/24 10:20:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2D4D1D3B-05AD-4C66-8484-B628F282445D}.job

    ========== Purity Check ==========

    < End of report >
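A 430,388-byte hosts file with thousands of `127.0.0.1` entries looks alarming in an OTL log, but that is the shape of a blocklist-style immunization (consistent with the Immunize feature of Spybot - Search & Destroy, which is installed on this machine), not of a hijack. What a practitioner actually wants to know is whether any name is pointed at a routable address, or whether update/AV domains are being sinkholed. The following is an added example, not part of this thread or of OTL's or Spybot's own code, that sorts entries into those buckets. It reads either a raw hosts file or pasted `O1 - Hosts:` lines; the sample data is constructed (four lines copied from the log above plus the default entry, OTL's truncation marker and two hypothetical hijack-style lines), and the protected-domain list is an illustrative assumption.

```python
import ipaddress
import re

# OTL prefixes each hosts entry it prints with "O1 - Hosts: "; strip it so the
# same parser handles a raw hosts file and a pasted OTL log.
O1_PREFIX = re.compile(r"^\s*O1 - Hosts:\s*")

# Addresses used to sink a name rather than redirect it.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}

# Names that ship in a default hosts file.
DEFAULT_NAMES = {"localhost"}

# Assumption: a short illustrative list of update/AV domains whose sinkholing
# would cut the machine off from updates or scanners; extend it for your estate.
PROTECTED_SUFFIXES = ("windowsupdate.microsoft.com", "virustotal.com", "eset.com", "avira.com")

# Constructed sample: the default entry, four lines copied from the OTL log in
# this thread, OTL's own truncation marker, and two hypothetical lines of the
# kind a hijack adds (a sinkholed scanner domain and a redirected bank domain).
SAMPLE_HOSTS = r"""
# comment lines are ignored
127.0.0.1       localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 14840 more lines...
127.0.0.1       www.virustotal.com
198.51.100.23   www.bank.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from raw hosts text or OTL 'O1 - Hosts:' lines."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw).split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, e.g. the "14840 more lines..." marker
        for name in parts[1:]:
            yield ip, name.lower()


def _is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify_hosts(text):
    """Split hosts entries into default, blocklist, protected-name sinkholes and redirects."""
    report = {"default": [], "blocklist": [], "protected_blocked": [], "redirect": []}
    for ip, name in parse_hosts(text):
        if ip in SINKHOLES or ip.is_loopback:
            if name in DEFAULT_NAMES:
                report["default"].append(name)
            elif _is_protected(name):
                report["protected_blocked"].append(name)  # review: blocks updates/AV
            else:
                report["blocklist"].append(name)  # immunization-style sinkhole, benign
        else:
            report["redirect"].append((str(ip), name))  # review: the shape of a real hijack
    return report


if __name__ == "__main__":
    for bucket, items in classify_hosts(SAMPLE_HOSTS).items():
        print(f"{bucket}: {len(items)} -> {items}")
```

Only the `protected_blocked` and `redirect` buckets need a human look; a long `blocklist` bucket is the expected output of an immunization tool, and a `[resethosts]` directive like the one used later in this thread simply discards it along with anything else.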

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    OTL logs need some time to look over; in the meantime, do this please.

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and the scan runs faster.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Member
    Join Date
    Oct 2010
    Posts
    32

    Default

    Here is the ESET log.

    C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\54\300d4776-2138de16 Win32/Cycbot.AF trojan

  8. #8
    Member
    Join Date
    Oct 2010
    Posts
    32

    Default

    I do not know if this information is of any use to you but here it is.

    The file mentioned in the ESET log was last updated at the date and time of the attack I initially described.

    I looked up Win32/Cycbot.AF trojan and found some info here:
    http://www.eset.eu/encyclopaedia/win...or-gbot-origin

    Some registry keys are mentioned. I looked at (but did NOT change) the system registry, and the keys mentioned that are used to start the backdoor bot are not present. I am hoping that one of the virus programs I ran to try and get access back to my system, or one of the things you had me do, deleted these keys and the backdoor was never really opened.
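The poster's observation is the right pivot for this kind of triage: once one artefact's timestamp matches the attack, look for everything else written in the same few minutes, and read OTL's attribute and company-name columns for things that do not belong where they are. The following is an added example, not from this thread and not OTL's own code, that parses OTL's file lines, flags entries by three heuristics (hidden+system files inside a user profile, long extension-less random-looking names, and drivers with no company name, which is the same idea as OTL's "Files Created - No Company Name" section), then takes the earliest flagged creation time as the pivot (an analyst's choice, assumed here) and lists everything within a few minutes of it. The sample lines are copied from the OTL log above. Nothing here decides that a file is malicious; it only says what to look at next.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# One OTL file/folder line:  [YYYY/MM/DD hh:mm:ss | size | attrs | C|M] (company) -- path
# Directory lines omit the "(company)" group; files with no version info print "()".
OTL_ENTRY = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

# Constructed sample: seven lines copied verbatim from the OTL log in this thread.
SAMPLE_OTL = r"""
[2011/03/24 03:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/03/23 20:25:46 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\cbyethk.sys
[2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:25:55 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\User\Application Data\902E.36B
[2011/03/21 00:36:55 | 000,107,103 | ---- | C] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
[2011/03/17 22:11:51 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
"""


def parse_otl(text):
    """Parse OTL file/folder lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],            # e.g. "-HS-" = hidden + system
            "kind": m["kind"],              # C = created, M = modified
            "company": (m["company"] or "").strip(),
            "path": PureWindowsPath(m["path"]),
        })
    return entries


def _random_looking(name):
    # Heuristic: no extension, long, and mixing letters and digits is the shape of
    # a generated drop name rather than a human-chosen one.
    return ("." not in name and len(name) >= 20
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def flag_entries(entries):
    """Return [(entry, [reasons])] for entries worth a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        parts = [p.lower() for p in e["path"].parts]
        name = e["path"].name
        in_profile = "documents and settings" in parts
        if in_profile and "H" in e["attrs"] and "S" in e["attrs"] and name.lower() != "desktop.ini":
            reasons.append("hidden+system file in a user profile")
        if in_profile and _random_looking(name):
            reasons.append("random-looking name with no extension")
        if "drivers" in parts and e["path"].suffix.lower() == ".sys" and not e["company"]:
            reasons.append("driver with no company name")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def within_window(entries, pivot, minutes=5):
    """Everything written within +/- minutes of the pivot timestamp, oldest first."""
    delta = timedelta(minutes=minutes)
    return sorted((e for e in entries if abs(e["ts"] - pivot) <= delta), key=lambda e: e["ts"])


def triage(text, minutes=5):
    """Flag entries, then pivot on the earliest flagged timestamp (assumed attack time)."""
    entries = parse_otl(text)
    flagged = flag_entries(entries)
    if not flagged:
        return flagged, []
    pivot = min(e["ts"] for e, _ in flagged)
    return flagged, within_window(entries, pivot, minutes)


if __name__ == "__main__":
    flagged, near = triage(SAMPLE_OTL)
    for e, reasons in flagged:
        print(f"FLAG {e['ts']} {e['path']}  <- {'; '.join(reasons)}")
    for e in near:
        print(f"NEAR {e['ts']} {e['attrs']} {e['path']}")
```

The timeline pass is what surfaces `902E.36B`: its name trips none of the heuristics, but it was written 29 seconds before the two hidden+system files, which is exactly the kind of neighbour an "Application Data" drop tends to have. Widen the window if the pivot is a download timestamp rather than an execution timestamp.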

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Go to your Control Panel and open up Java; you will see an option to clear the Java cache. Do that.
    http://www.java.com/en/download/help/plugin_cache.xml

    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

    c:\windows\system32\GSService.exe
    C:\WINDOWS\System32\itijpg2.dll


    If the site is busy you can try this one
    http://virusscan.jotti.org/en

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      
      [2011/02/06 07:24:26 | 000,000,000 | ---D | M] (WhiteSmoke Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}
      [2011/03/04 08:27:41 | 000,429,882 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110316-062557.backup
      
      
      :Services
      
      :Reg
      
      :Files
      
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top (not Run Scan).
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.
    • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

  10. #10
    Member
    Join Date
    Oct 2010
    Posts
    32

    Default

    VirusTotal logs

    File name:
    GSService.exe
    Submission date:
    2011-03-25 11:28:34 (UTC)
    Current status:
    finished
    Result:
    0/ 43 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2011.03.25.01 2011.03.25 -
    AntiVir 7.11.5.70 2011.03.25 -
    Antiy-AVL 2.0.3.7 2011.03.25 -
    Avast 4.8.1351.0 2011.03.25 -
    Avast5 5.0.677.0 2011.03.25 -
    AVG 10.0.0.1190 2011.03.25 -
    BitDefender 7.2 2011.03.25 -
    CAT-QuickHeal 11.00 2011.03.25 -
    ClamAV 0.96.4.0 2011.03.25 -
    Commtouch 5.2.11.5 2011.03.24 -
    Comodo 8098 2011.03.25 -
    DrWeb 5.0.2.03300 2011.03.25 -
    Emsisoft 5.1.0.4 2011.03.25 -
    eSafe 7.0.17.0 2011.03.24 -
    eTrust-Vet 36.1.8235 2011.03.25 -
    F-Prot 4.6.2.117 2011.03.24 -
    F-Secure 9.0.16440.0 2011.03.23 -
    Fortinet 4.2.254.0 2011.03.25 -
    GData 21 2011.03.25 -
    Ikarus T3.1.1.97.0 2011.03.25 -
    Jiangmin 13.0.900 2011.03.25 -
    K7AntiVirus 9.94.4211 2011.03.25 -
    Kaspersky 7.0.0.125 2011.03.25 -
    McAfee 5.400.0.1158 2011.03.25 -
    McAfee-GW-Edition 2010.1C 2011.03.25 -
    Microsoft 1.6702 2011.03.25 -
    NOD32 5984 2011.03.25 -
    Norman 6.07.03 2011.03.24 -
    nProtect 2011-02-10.01 2011.02.15 -
    Panda 10.0.3.5 2011.03.24 -
    PCTools 7.0.3.5 2011.03.25 -
    Prevx 3.0 2011.03.25 -
    Rising 23.50.04.05 2011.03.25 -
    Sophos 4.64.0 2011.03.25 -
    SUPERAntiSpyware 4.40.0.1006 2011.03.25 -
    Symantec 20101.3.0.103 2011.03.25 -
    TheHacker 6.7.0.1.156 2011.03.24 -
    TrendMicro 9.200.0.1012 2011.03.25 -
    TrendMicro-HouseCall 9.200.0.1012 2011.03.25 -
    VBA32 3.12.14.3 2011.03.24 -
    VIPRE 8813 2011.03.25 -
    ViRobot 2011.3.25.4376 2011.03.25 -
    VirusBuster 13.6.268.0 2011.03.24 -
    Additional information
    MD5 : f5527be60d0f7e0b3e12abdac3262b5d
    SHA1 : 75c4ca70bec9bc44f87b42527e363f8814f49abc
    SHA256: f70726dff55d4745ef0bb3a981aebe2bd2a471d6d3f444f92a3781fbcb32d4a8
    ssdeep: 1536:4PnkM9gy6EcWou7jpNCW+BhecI6jCAksPC8ZAKwxqsbA5nNS8jiO1khu0Woc2SYY:4kM6y6EbxgjCAkv8ZAKwzA5NSJOU8ocJ
