TechSpot

[Active] Iexplore.exe running in background

By UTfan
Jul 23, 2010
  1. Hi,

    I believe I still have some sort of virus / trojan on my computer. I originally had the volume changing / iexplore virus, but was able to stop that from happening. However, iexplore does pop up on occasion in my task manager and stops itself a few seconds afterward. I have attached all logs and my zonealarm log. I have used zonealarm to block all activity from internet explorer and am using firefox. Please let me know the next steps.

    Thanks for any help you guys can provide!
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you set to get automatic updates for Windows?

    I'd like to check this for a security issue:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  3. UTfan

    UTfan TS Rookie Topic Starter

    I am set to use automatic updates, but my last update (KB979906) will not install for some reason.

    I have attached the log for Eset. It said that I didn't deactivate my Avira, but I disabled it. Anyway, here's the log (with no issues)

    Thanks again for your help.
     

    Attached Files:

    • log.txt
      File size:
      779 bytes
      Views:
      2
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this:


    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
    ================================
    Follow with download of ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Re-enable your Antivirus software.

    Please paste the logs in your next reply.
     
  5. UTfan

    UTfan TS Rookie Topic Starter

    I have completed the tasks mentioned below. I did want to mention that I uninstalled Avira because Combofix kept telling me that it was open when it wasn't. After uninstalling, I noticed in the log that it's still listed twice in the log. It warned me that I still had two versions, but I ran Combofix anyway. Not sure if that's an issue. Also, I used to have Norton, but uninstalled it after my registration expired, but I noticed it's still listed in the combofix report. How can I get that removed? Anyway, here are the pasted logs:

    Bootkit remover:
    *****************

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000
    Boot sector MD5 is: b19ee33a0168d5f0bb9afbe12e2bc035

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
    *******************************

    Combofix:
    ***************************

    ComboFix 10-07-26.04 - William 07/27/2010 20:09:48.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1616 [GMT -5:00]
    Running from: c:\documents and settings\William\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
    AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Process.exe
    c:\windows\system32\SHELLLNK.TLB
    c:\windows\system32\SrchSTS.exe

    .
    MBR is infected with the Whistler Bootkit !!

    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
    .

    2010-07-26 02:10 . 2010-07-26 02:10 -------- d-----w- c:\program files\7-Zip
    2010-07-21 16:46 . 2010-07-21 16:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-21 16:43 . 2010-07-21 16:43 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-20 23:53 . 2010-07-22 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-20 16:00 . 2010-07-20 16:00 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-07-19 16:22 . 2010-07-19 16:22 63488 ----a-w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-19 16:22 . 2010-07-19 16:22 52224 ----a-w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-19 16:22 . 2010-07-19 16:22 117760 ----a-w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-19 16:21 . 2010-07-19 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-19 16:21 . 2010-07-19 16:21 -------- d-----w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com
    2010-07-19 16:20 . 2010-07-22 06:31 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-19 16:12 . 2010-06-23 18:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2010-07-19 16:12 . 2010-06-23 18:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-07-19 16:11 . 2010-06-23 18:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-07-19 16:11 . 2010-07-19 16:12 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-07-19 16:10 . 2010-07-19 16:10 -------- d-----w- c:\program files\Zone Labs
    2010-07-19 16:10 . 2010-07-28 01:15 -------- d-----w- c:\windows\Internet Logs
    2010-07-13 03:53 . 2010-07-13 03:53 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-07-13 03:22 . 2010-07-13 03:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-07-13 03:22 . 2010-07-13 03:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-07-08 00:27 . 2010-07-01 18:51 43008 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-07-08 00:27 . 2010-07-01 18:51 338944 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-07-08 00:27 . 2010-07-01 18:51 346112 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-07-08 00:27 . 2010-07-01 18:52 1496064 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-28 01:05 . 2007-01-12 05:36 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
    2010-07-25 22:29 . 2006-12-24 15:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-23 14:05 . 2010-07-23 14:05 1069100 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-07-21 16:53 . 2005-07-30 14:49 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-19 20:22 . 2009-01-17 14:49 -------- d-----w- c:\program files\Common Files\SWF Studio
    2010-07-19 17:20 . 2006-11-23 04:34 -------- d-----w- c:\program files\CCleaner
    2010-07-19 16:52 . 2005-07-20 23:20 -------- d-----w- c:\program files\Java
    2010-07-19 14:19 . 2009-03-31 03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-11 22:45 . 2006-11-23 04:25 -------- d-----w- c:\documents and settings\William\Application Data\Uniblue
    2010-06-21 02:03 . 2008-02-25 03:43 -------- d-----w- c:\program files\Full Tilt Poker
    2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 20:39 . 2009-03-31 03:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 20:39 . 2009-03-31 03:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2006-02-01 03:51 . 2005-10-17 04:15 56 -csh--r- c:\windows\system32\05BB89C205.sys
    2006-02-01 03:51 . 2006-02-01 03:51 1890 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-22 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
    backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2005-03-04 16:26 606208 -c--a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    2005-02-23 21:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 21:50 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-02-15 23:07 141608 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
    2004-11-11 15:26 26112 -c--a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SSScsiSV"=3 (0x3)
    "Fax"=2 (0x2)
    "WebrootSpySweeperService"=2 (0x2)
    "LiveUpdate Notice Service"=2 (0x2)
    "LiveUpdate Notice Ex"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "Automatic LiveUpdate Scheduler"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [1/2/2005 11:49 PM 368896]
    S3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [5/18/2009 11:42 PM 84352]
    S3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [5/18/2009 11:42 PM 14976]
    S3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [5/18/2009 11:42 PM 110848]
    S3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [5/18/2009 11:42 PM 90880]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en
    uInternet Connection Wizard,ShellNext = iexplore
    FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - component: c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-QuickenScheduledUpdates - c:\program files\Quicken\bagent.exe
    MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
    MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
    MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    AddRemove-HijackThis - c:\documents and settings\William\Desktop\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-27 20:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,37,16,05,d5,ea,4a,46,af,08,03,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,37,16,05,d5,ea,4a,46,af,08,03,\

    [HKEY_USERS\S-1-5-21-1767296536-2153450301-1424934000-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(976)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Completion time: 2010-07-27 20:19:22
    ComboFix-quarantined-files.txt 2010-07-28 01:19

    Pre-Run: 6,371,696,640 bytes free
    Post-Run: 6,615,474,176 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - F30B882273B16204050A2997069BB47D
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Go ahead and run this now- I'll be back for Combofix and can move any of those left-over entries for you:




    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      
      @ECHO OFF
      START 
      remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!
     
  7. UTfan

    UTfan TS Rookie Topic Starter

    Did as requested: Here is the output:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hmmm, that worked but it's puzzling with the Combofix info. Let's run the following to check:

    Please download MBR Rootkit Detector and save it on your desktop.
    • Pause/Stop all antivirus/spyware active protection.
    • Then double click on mbr.exe to run it.
    • Select Run when you receive a Security Warning
    • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
    • A log file will the be created on your desktop where you ran mbr.exe
    • Copy and paste the contents of mbr.log on your next reply.
    ============================
     
  9. UTfan

    UTfan TS Rookie Topic Starter

    not sure what's wrong, but here's the log:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, back to Combofix. First, I want to remind you to disable security programs before running Combofix. Not doing so can affect the scans:
    AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled*
    AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
    FW: ZoneAlarm Firewall *enabled*


    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\05BB89C205.sys
    c:\windows\system32\drivers\kl1.sys
    
    Folder::
    
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Disabled:{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    Driver::
    kl1
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please PASTE the log into your next reply.
    ====================
    NOTE: IF you are set to get automatic update for the Windows Updates, you will need to give permission to Internet Explorer for internet access. Otherwise an error will be generated everytime a check is made.
     
  11. UTfan

    UTfan TS Rookie Topic Starter

    Bobbye,

    That's the confusing thing. I have completely uninstalled Avira, which I commented on in my earlier post. I don't understand why it's still showing up. I can deactivate zonealarm, but the Avira antivirus will be a problem.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If it's been uninstalled, I can remove it in the script I have you run. Here is a new script with the 2 entries included. So ignore it if it appears in this Combofix heading- it shouldn't be there in the next log.

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\05BB89C205.sys
    c:\windows\system32\drivers\kl1.sys
    Folder::
    
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Disabled:{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    SecCenter::
    {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}
    {00000000-0000-0000-0000-000000000000}
    
    Driver::
    kl1
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please PASTE the log into your next reply.
    ====================
    If you already ran the script, go ahead and run this one again.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Message from Bobbye:

    =====================================================================

    You're all mine now :)
     
  14. UTfan

    UTfan TS Rookie Topic Starter

    Thanks for stepping in Broni....I have had some issues with atl.dll being deleted, but I think I got that fixed.

    Anyway, here's the combofix log:

    ******
    ComboFix 10-08-11.05 - William 08/12/2010 8:05.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1669 [GMT -5:00]
    Running from: c:\documents and settings\William\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\William\Desktop\cfscript.txt
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\system32\05BB89C205.sys"
    "c:\windows\system32\drivers\kl1.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_kl1


    ((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
    .

    2010-08-12 21:08 . 2010-08-12 21:08 -------- d-----w- c:\windows\LastGood
    2010-08-12 12:47 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\dllcache\atl.dll
    2010-08-12 12:47 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
    2010-08-06 04:19 . 2010-08-06 04:19 -------- d-----w- C:\found.003
    2010-08-01 17:19 . 2010-08-01 17:19 -------- d--h--w- c:\windows\system32\WLANProfiles
    2010-08-01 17:19 . 2010-08-01 17:19 -------- d-----w- C:\Settings
    2010-07-31 12:52 . 2010-07-23 22:22 1496064 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-07-31 12:52 . 2010-07-23 22:22 43008 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-07-31 12:52 . 2010-07-23 22:22 338944 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-07-31 12:52 . 2010-07-23 22:22 346112 ----a-w- c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-07-26 02:10 . 2010-07-26 02:10 -------- d-----w- c:\program files\7-Zip
    2010-07-21 16:46 . 2010-07-21 16:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-21 16:43 . 2010-07-21 16:43 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-20 23:53 . 2010-07-22 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-20 16:00 . 2010-07-20 16:00 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-07-19 16:22 . 2010-07-19 16:22 63488 ----a-w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-19 16:22 . 2010-07-19 16:22 52224 ----a-w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-19 16:22 . 2010-07-19 16:22 117760 ----a-w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-19 16:21 . 2010-07-19 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-19 16:21 . 2010-07-19 16:21 -------- d-----w- c:\documents and settings\William\Application Data\SUPERAntiSpyware.com
    2010-07-19 16:20 . 2010-08-07 03:40 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-19 16:12 . 2010-06-23 18:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2010-07-19 16:12 . 2010-06-23 18:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-07-19 16:11 . 2010-06-23 18:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-07-19 16:11 . 2010-07-19 16:12 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-07-19 16:10 . 2010-07-19 16:10 -------- d-----w- c:\program files\Zone Labs
    2010-07-19 16:10 . 2010-08-13 00:26 -------- d-----w- c:\windows\Internet Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-12 12:52 . 2007-01-12 05:36 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
    2010-08-07 04:50 . 2005-07-20 23:22 -------- d-----w- c:\program files\Intel
    2010-08-07 04:47 . 2005-07-27 00:40 -------- d-----w- c:\documents and settings\William\Application Data\Intel
    2010-08-07 04:30 . 2010-07-23 14:05 3578281 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-08-03 04:35 . 2008-02-25 03:43 -------- d-----w- c:\program files\Full Tilt Poker
    2010-08-01 17:26 . 2010-08-01 17:26 12749706 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_59_full.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 39211 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_55_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38731 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_56_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38729 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_58_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38737 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_53_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38750 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_51_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38703 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_52_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38784 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_49_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38909 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_48_small.dmp.zip
    2010-08-01 17:26 . 2010-08-01 17:26 38833 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_08_01_12_17_44_small.dmp.zip
    2010-08-01 17:14 . 2010-08-01 17:20 1890816 ----a-w- c:\windows\Internet Logs\xDB2.tmp
    2010-08-01 17:14 . 2010-08-01 17:20 1004544 ----a-w- c:\windows\Internet Logs\xDB1.tmp
    2010-07-25 22:29 . 2006-12-24 15:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-21 16:53 . 2005-07-30 14:49 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-19 20:22 . 2009-01-17 14:49 -------- d-----w- c:\program files\Common Files\SWF Studio
    2010-07-19 17:20 . 2006-11-23 04:34 -------- d-----w- c:\program files\CCleaner
    2010-07-19 16:52 . 2005-07-20 23:20 -------- d-----w- c:\program files\Java
    2010-07-19 14:19 . 2009-03-31 03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-11 22:45 . 2006-11-23 04:25 -------- d-----w- c:\documents and settings\William\Application Data\Uniblue
    2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2006-02-01 03:51 . 2006-02-01 03:51 1890 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "bacstray"="c:\program files\Broadcom\BACS\\BacsTray.exe" [2004-08-18 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
    backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SSScsiSV"=3 (0x3)
    "Fax"=2 (0x2)
    "WebrootSpySweeperService"=2 (0x2)
    "LiveUpdate Notice Service"=2 (0x2)
    "LiveUpdate Notice Ex"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "Automatic LiveUpdate Scheduler"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
    S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [1/2/2005 11:49 PM 368896]
    S3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [5/18/2009 11:42 PM 84352]
    S3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [5/18/2009 11:42 PM 14976]
    S3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [5/18/2009 11:42 PM 110848]
    S3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [5/18/2009 11:42 PM 90880]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en
    FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - component: c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-QBReminderFlash - c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - c:\program files\SUPERAntiSpyware\Uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-12 19:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,37,16,05,d5,ea,4a,46,af,08,03,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,37,16,05,d5,ea,4a,46,af,08,03,\

    [HKEY_USERS\S-1-5-21-1767296536-2153450301-1424934000-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3456)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Broadcom\BACS\BacsTray.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-12 19:31:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-13 00:31
    ComboFix2.txt 2010-08-03 03:15
    ComboFix3.txt 2010-07-28 01:19

    Pre-Run: 21,959,839,744 bytes free
    Post-Run: 21,712,957,440 bytes free

    - - End Of File - - AC85D713B9001EA84DF913AA083F102B
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    How is computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  16. UTfan

    UTfan TS Rookie Topic Starter

    It seems to be running ok, so I think most if not all the malware is gone.

    Here is Part 1 of the OTL log:
    ***************
    OTL logfile created on: 8/13/2010 12:18:54 AM - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\William\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
    4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2 500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 33.60 Gb Total Space | 20.99 Gb Free Space | 62.47% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: WILLIAMC
    Current User Name: William
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/08/13 00:17:41 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William\Desktop\OTL.exe
    PRC - [2010/07/23 23:54:44 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    PRC - [2010/06/23 13:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2004/09/13 16:33:20 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
    PRC - [2004/08/19 14:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
    PRC - [2004/07/27 16:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/08/13 00:17:41 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William\Desktop\OTL.exe
    MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- (WLANKEEPER)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
    SRV - [2006/04/27 17:35:16 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
    SRV - [2006/04/27 17:27:06 | 000,049,241 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
    SRV - [2006/04/27 17:16:28 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIMMP)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIM)
    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\PCTINDIS5.SYS -- (PCTINDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
    DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2007/12/05 14:53:44 | 000,110,848 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\uts_mdm.sys -- (uts_mdm)
    DRV - [2007/12/05 14:53:44 | 000,090,880 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\uts_serd.sys -- (uts_serd) UTStarcom USB Diagnostic Serial Port (WDM)
    DRV - [2007/12/05 14:53:44 | 000,084,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\uts_bus.sys -- (uts_bus) UTStarcom USB Composite Device driver (WDM)
    DRV - [2007/12/05 14:53:44 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\uts_mdfl.sys -- (uts_mdfl)
    DRV - [2006/07/04 13:17:30 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CdaD10BA.SYS -- (CdaD10BA)
    DRV - [2005/05/13 02:46:20 | 001,132,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/03/10 22:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
    DRV - [2005/01/17 13:13:28 | 000,098,304 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)
    DRV - [2005/01/08 18:15:40 | 000,051,582 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosporte.sys -- (tosporte)
    DRV - [2005/01/07 06:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
    DRV - [2005/01/02 23:49:40 | 000,368,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\semwl5.SYS -- (SEM43XX)
    DRV - [2004/12/22 04:38:12 | 000,034,816 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
    DRV - [2004/12/16 10:30:14 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
    DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
    DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
    DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
    DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
    DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
    DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
    DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
    DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
    DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
    DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
    DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
    DRV - [2004/11/16 16:03:52 | 000,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2004/11/16 15:51:54 | 000,050,048 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)
    DRV - [2004/10/21 20:56:04 | 003,210,496 | ---- | M] (IntelĀ® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
    DRV - [2004/10/05 03:33:02 | 000,062,799 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
    DRV - [2004/08/18 14:53:54 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
    DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
    DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
    DRV - [2004/07/09 10:07:34 | 000,036,531 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
    DRV - [2004/06/17 20:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2004/06/17 20:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004/06/17 20:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2004/05/26 20:18:18 | 000,044,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2004/02/13 16:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
    DRV - [2002/10/17 06:55:48 | 000,002,851 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Toshidpt.sys -- (toshidpt)
    DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     
  17. UTfan

    UTfan TS Rookie Topic Starter

    Part 2:
    ***********

    ========== FireFox ==========


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/23 23:55:12 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/23 23:55:12 | 000,000,000 | ---D | M]

    [2010/03/20 01:42:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Mozilla\Extensions
    [2010/08/12 19:52:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions
    [2010/07/31 07:52:28 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2010/07/10 13:20:08 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\t0gnvmu1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2009/10/07 00:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\vw7wwmpi.default\extensions
    [2009/10/07 00:30:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\vw7wwmpi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/10/07 00:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Mozilla\Firefox\Profiles\vw7wwmpi.default\extensions\staged-xpis
    [2008/07/06 23:10:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2006/05/08 02:16:10 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    [2006/05/03 11:52:01 | 000,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

    O1 HOSTS File: ([2010/08/12 19:24:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - Disabled:{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.11.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\William\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\William\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found

    Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
    Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
    Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
    Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
    Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
    Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
    Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
    Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
    Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
    Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
    Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
    Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: wave1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/08/13 00:17:39 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\William\Desktop\OTL.exe
    [2010/08/12 08:11:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/08/05 23:19:03 | 000,000,000 | ---D | C] -- C:\found.003
    [2010/08/01 12:19:07 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\WLANProfiles
    [2010/08/01 12:19:07 | 000,000,000 | ---D | C] -- C:\Settings
    [2010/07/27 20:08:11 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/07/27 20:04:46 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/07/27 20:03:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/07/25 21:10:44 | 000,081,920 | ---- | C] (eSage Lab) -- C:\Documents and Settings\William\Desktop\remover.exe
    [2010/07/25 21:10:09 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
    [2010/07/23 00:09:10 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\William\Desktop\TFC.exe
    [2010/07/21 21:42:36 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\William\Recent
    [2010/07/21 11:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
    [2010/07/21 11:46:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
    [2010/07/20 18:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
    [2010/07/19 11:21:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2010/07/19 11:21:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William\Application Data\SUPERAntiSpyware.com
    [2010/07/19 11:20:08 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2010/07/19 11:11:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
    [2010/07/19 11:10:52 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
    [2010/07/19 11:10:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
    [2010/07/19 08:42:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/07/12 22:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/12 00:03:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William\Local Settings\Application Data\PCHealth
    [2010/05/30 22:25:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William\Local Settings\Application Data\cache
    [2010/05/15 10:03:37 | 000,000,000 | ---D | C] -- C:\tmp

    ========== Files - Modified Within 90 Days ==========

    [2010/08/13 00:17:41 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William\Desktop\OTL.exe
    [2010/08/13 00:08:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/08/12 22:31:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/08/12 22:31:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/08/12 22:29:01 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\William\ntuser.ini
    [2010/08/12 22:29:00 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\William\ntuser.dat
    [2010/08/12 22:28:48 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
    [2010/08/12 19:24:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/08/12 19:24:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/08/05 23:37:36 | 000,000,150 | ---- | M] () -- C:\WINDOWS\wwwbatch.ini
    [2010/08/01 12:19:07 | 000,000,516 | ---- | M] () -- C:\Settings.ini
    [2010/07/30 08:02:08 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/07/30 08:02:08 | 000,000,281 | -HS- | M] () -- C:\boot.ini
    [2010/07/29 23:06:06 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\William\Desktop\mbr.exe
    [2010/07/28 19:45:54 | 000,000,059 | ---- | M] () -- C:\Documents and Settings\William\Desktop\fix.bat
    [2010/07/25 21:09:53 | 001,081,057 | ---- | M] () -- C:\Documents and Settings\William\Desktop\7z915.exe
    [2010/07/25 21:02:33 | 000,036,833 | ---- | M] () -- C:\Documents and Settings\William\Desktop\bootkit_remover.rar
    [2010/07/24 12:36:23 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/07/23 09:00:53 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\William\Desktop\esetsmartinstaller_enu.exe
    [2010/07/23 00:30:45 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\William\Desktop\o9zf1bj2.exe
    [2010/07/23 00:09:11 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William\Desktop\TFC.exe
    [2010/07/22 01:49:02 | 000,000,215 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2010/07/21 19:50:20 | 000,081,920 | ---- | M] (eSage Lab) -- C:\Documents and Settings\William\Desktop\remover.exe
    [2010/07/20 09:48:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/07/19 12:28:57 | 000,098,582 | ---- | M] () -- C:\Documents and Settings\William\My Documents\7-19-10 Backup Computer.reg
    [2010/07/19 11:14:15 | 000,420,800 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
    [2010/07/04 23:46:39 | 005,362,796 | -H-- | M] () -- C:\Documents and Settings\William\Local Settings\Application Data\IconCache.db
    [2010/06/25 04:06:26 | 000,504,142 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/25 04:06:26 | 000,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/25 04:06:26 | 000,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/06/11 23:57:45 | 000,127,704 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/05/15 15:30:41 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
    [2010/05/15 01:20:22 | 000,022,744 | ---- | M] () -- C:\Documents and Settings\William\Application Data\GDIPFONTCACHEV1.DAT
    [2010/05/15 00:50:54 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\William\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== Files Created - No Company Name ==========

    [2010/08/05 23:34:04 | 000,000,150 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
    [2010/08/01 12:19:07 | 000,000,516 | ---- | C] () -- C:\Settings.ini
    [2010/07/29 23:06:05 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\William\Desktop\mbr.exe
    [2010/07/28 19:45:54 | 000,000,059 | ---- | C] () -- C:\Documents and Settings\William\Desktop\fix.bat
    [2010/07/27 20:08:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/07/27 20:08:18 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/07/25 21:09:52 | 001,081,057 | ---- | C] () -- C:\Documents and Settings\William\Desktop\7z915.exe
    [2010/07/25 21:02:32 | 000,036,833 | ---- | C] () -- C:\Documents and Settings\William\Desktop\bootkit_remover.rar
    [2010/07/23 09:00:52 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\William\Desktop\esetsmartinstaller_enu.exe
    [2010/07/23 00:30:43 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\William\Desktop\o9zf1bj2.exe
    [2010/07/19 12:28:45 | 000,098,582 | ---- | C] () -- C:\Documents and Settings\William\My Documents\7-19-10 Backup Computer.reg
    [2010/07/19 11:10:56 | 000,420,800 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
    [2009/08/08 11:07:45 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
    [2008/12/28 23:15:20 | 000,000,141 | ---- | C] () -- C:\WINDOWS\System32\09wutili.sys
    [2008/08/27 21:29:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
    [2008/03/04 19:52:34 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
    [2007/10/31 10:39:54 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
    [2007/06/17 14:04:41 | 000,000,000 | R--- | C] () -- C:\WINDOWS\System32\RCCustomSetup.ini
    [2007/05/17 14:58:10 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
    [2006/08/05 23:23:55 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
    [2006/07/16 17:21:59 | 000,000,098 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
    [2006/06/30 20:22:36 | 000,000,427 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
    [2006/01/31 22:51:50 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2006/01/18 21:14:23 | 000,000,017 | ---- | C] () -- C:\WINDOWS\crwbc.ini
    [2006/01/18 21:14:06 | 000,667,648 | ---- | C] () -- C:\WINDOWS\System32\jabbercom.dll
    [2005/12/24 23:31:56 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
    [2005/12/09 18:58:09 | 000,000,076 | ---- | C] () -- C:\WINDOWS\Quicken.ini
    [2005/12/07 21:44:33 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2005/11/12 20:51:05 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/08/12 16:57:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2005/08/05 11:11:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
    [2005/07/20 18:47:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2005/07/20 18:37:31 | 000,000,215 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2005/07/20 18:01:50 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
    [2005/07/20 18:00:28 | 000,000,372 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2005/04/09 17:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/12/03 08:20:12 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
    [2004/09/23 03:09:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
    [2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/07/21 10:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
    [2004/01/16 07:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
    [2003/07/30 08:33:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TosHidAPI.dll
    [1997/06/13 20:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
     
  18. UTfan

    UTfan TS Rookie Topic Starter

    Part 3:

    **************
    ========== LOP Check ==========

    [2010/07/25 17:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/04/13 21:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
    [2007/01/13 21:37:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
    [2009/10/26 21:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2008/10/28 07:46:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Aim
    [2010/03/18 01:59:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\JAM Software
    [2005/12/27 21:07:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Keynote Systems
    [2005/07/30 21:03:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Leadertech
    [2007/04/24 08:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\MSNInstaller
    [2006/04/26 22:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Simple Star
    [2006/07/16 17:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Smith Micro
    [2006/05/03 11:52:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Snapfish
    [2009/01/17 10:13:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Stamps.com Internet Postage
    [2007/05/26 12:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\T-Mobile
    [2005/08/05 11:09:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Toshiba
    [2010/07/11 17:45:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Uniblue
    [2008/01/27 18:24:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\William\Application Data\Wal-Mart Digital Photo Viewer

    ========== Purity Check ==========
    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/07/20 09:48:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/07/30 08:02:08 | 000,000,281 | -HS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
    [2010/08/12 19:31:58 | 000,017,052 | ---- | M] () -- C:\ComboFix.txt
    [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2008/12/28 12:34:05 | 000,216,028 | ---- | M] () -- C:\coreuninstall.log
    [2007/07/01 18:58:39 | 000,000,216 | ---- | M] () -- C:\DebugTrace-RockallDLL.log
    [2005/07/20 18:04:52 | 000,005,377 | RH-- | M] () -- C:\dell.sdr
    [2009/08/04 21:26:22 | 000,000,016 | ---- | M] () -- C:\h.txt
    [2005/10/12 00:57:41 | 000,004,312 | ---- | M] () -- C:\INFCACHE.1
    [2008/12/13 09:49:59 | 000,000,164 | ---- | M] () -- C:\install.dat
    [2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
    [2005/07/20 18:35:22 | 000,000,828 | -H-- | M] () -- C:\IPH.PH
    [2010/07/11 17:09:39 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
    [2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/08/21 22:51:46 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/08/12 22:30:21 | 2146,824,192 | -HS- | M] () -- C:\pagefile.sys
    [2008/10/24 22:40:52 | 000,000,443 | ---- | M] () -- C:\rapport.txt
    [2007/02/18 23:48:16 | 000,000,956 | ---- | M] () -- C:\rollback.ini
    [2007/02/25 17:12:27 | 000,000,512 | ---- | M] () -- C:\ScanSectorLog.dat
    [2010/08/01 12:19:07 | 000,000,516 | ---- | M] () -- C:\Settings.ini
    [2005/07/20 18:35:36 | 000,000,071 | ---- | M] () -- C:\SystemInfo.ini
    [2009/04/18 00:16:35 | 000,000,000 | ---- | M] () -- C:\taskList.txt
    [2008/11/19 23:00:55 | 000,000,150 | ---- | M] () -- C:\YServer.txt

    < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

    < %systemroot%\system32\*.wt >

    < %systemroot%\system32\*.ruy >

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

    < %systemroot%\*. /mp /s >


    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2004/08/10 12:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2004/08/10 12:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2004/08/10 12:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %systemroot%\system32\user32.dll /md5 >
    [2008/04/13 19:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

    < %systemroot%\system32\ws2_32.dll /md5 >
    [2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

    < %systemroot%\system32\ws2help.dll /md5 >
    [2008/04/13 19:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A36BD6D
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:741D415F
    < End of report >
    ****************************************************
     
  19. UTfan

    UTfan TS Rookie Topic Starter

    Extras log:

    **************************************************
    OTL Extras logfile created on: 8/13/2010 12:18:55 AM - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\William\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
    4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2 500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 33.60 Gb Total Space | 20.99 Gb Free Space | 62.47% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: WILLIAMC
    Current User Name: William
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
    "{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
    "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
    "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
    "{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
    "{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
    "{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
    "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
    "{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
    "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
    "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
    "{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
    "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
    "{64A77F14-0E08-4A97-A859-E93CFF428756}" = Broadcom Management Programs 2
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
    "{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
    "{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
    "{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}" = QuickTime
    "{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
    "{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
    "{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
    "{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
    "{BAA265AB-73D9-4C6F-852B-52D369647733}" = Becker's CPA Exam Review and PassMaster - 2010 Edition
    "{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
    "{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
    "{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
    "{EB5F211D-85D5-44C4-BB15-1207C77EF430}" = Visual C++ 8.0 Runtime Setup Package
    "7-Zip" = 7-Zip 9.15 beta
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "ATI Display Driver" = ATI Display Driver
    "CCleaner" = CCleaner
    "CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.9x Modem
    "CutePDF Writer Installation" = CutePDF Writer 2.7
    "HijackThis" = HijackThis 2.0.2
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00
    "InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01
    "InstallShield_{64A77F14-0E08-4A97-A859-E93CFF428756}" = Broadcom Management Programs 2
    "InstallShield_{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "OpenMG HotFix4.5-06-05-10-01" = OpenMG Limited Patch 4.5-06-05-12-01
    "PDFZilla_is1" = PDFZilla V1.0.7
    "TreeSize Free_is1" = TreeSize Free V2.4
    "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "ZoneAlarm" = ZoneAlarm

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 7/22/2010 2:48:53 AM | Computer Name = WILLIAMC | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 7/22/2010 2:48:53 AM | Computer Name = WILLIAMC | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 7/23/2010 5:01:58 AM | Computer Name = WILLIAMC | Source = MsiInstaller | ID = 11706
    Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
    could be found for product Microsoft .NET Framework 1.1. The Windows installer
    cannot continue.

    Error - 7/23/2010 5:01:59 AM | Computer Name = WILLIAMC | Source = MsiInstaller | ID = 1023
    Description = Product: Microsoft .NET Framework 1.1 - Update '{2A3320D6-C805-4280-B423-B665BDE33D8F}'
    could not be installed. Error code 1603. Additional information is available in
    the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB979906-X86\NDP1.1sp1-KB979906-X86-msi.0.log.

    Error - 7/23/2010 5:02:03 AM | Computer Name = WILLIAMC | Source = NativeWrapper | ID = 5000
    Description =

    Error - 7/30/2010 5:01:56 AM | Computer Name = WILLIAMC | Source = MsiInstaller | ID = 11706
    Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
    could be found for product Microsoft .NET Framework 1.1. The Windows installer
    cannot continue.

    Error - 7/30/2010 5:01:58 AM | Computer Name = WILLIAMC | Source = MsiInstaller | ID = 1023
    Description = Product: Microsoft .NET Framework 1.1 - Update '{2A3320D6-C805-4280-B423-B665BDE33D8F}'
    could not be installed. Error code 1603. Additional information is available in
    the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB979906-X86\NDP1.1sp1-KB979906-X86-msi.0.log.

    Error - 7/30/2010 5:02:01 AM | Computer Name = WILLIAMC | Source = NativeWrapper | ID = 5000
    Description =

    Error - 8/6/2010 12:06:37 AM | Computer Name = WILLIAMC | Source = ESENT | ID = 474
    Description = wuauclt (1688) The database page read from the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb"
    at offset 5382144 (0x0000000000522000) for 4096 (0x00001000) bytes failed verification
    due to a page checksum mismatch. The expected checksum was 2851752566 (0xa9fa4a76)
    and the actual checksum was 2851760758 (0xa9fa6a76). The read operation will fail
    with error -1018 (0xfffffc06). If this condition persists then please restore
    the database from a previous backup.

    Error - 8/6/2010 12:07:03 AM | Computer Name = WILLIAMC | Source = Application Error | ID = 1000
    Description = Faulting application dvdlauncher.exe, version 3.0.0.0, faulting module
    mfc42.dll, version 6.2.4131.0, fault address 0x00020006.

    [ System Events ]
    Error - 8/12/2010 11:31:27 PM | Computer Name = WILLIAMC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SASDIFSV SASKUTIL

    Error - 8/12/2010 11:50:47 PM | Computer Name = WILLIAMC | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 8/12/2010 11:50:47 PM | Computer Name = WILLIAMC | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 8/12/2010 11:54:15 PM | Computer Name = WILLIAMC | Source = Dhcp | ID = 1001
    Description = Your computer was not assigned an address from the network (by the
    DHCP Server) for the Network Card with network address 0012F0A33991. The following
    error occurred: %%1223. Your computer will continue to try and obtain an address
    on its own from the network address (DHCP) server.

    Error - 8/12/2010 11:55:25 PM | Computer Name = WILLIAMC | Source = Dhcp | ID = 1001
    Description = Your computer was not assigned an address from the network (by the
    DHCP Server) for the Network Card with network address 0012F0A33991. The following
    error occurred: %%1223. Your computer will continue to try and obtain an address
    on its own from the network address (DHCP) server.

    Error - 8/12/2010 11:56:35 PM | Computer Name = WILLIAMC | Source = Dhcp | ID = 1001
    Description = Your computer was not assigned an address from the network (by the
    DHCP Server) for the Network Card with network address 0012F0A33991. The following
    error occurred: %%1223. Your computer will continue to try and obtain an address
    on its own from the network address (DHCP) server.

    Error - 8/13/2010 12:00:22 AM | Computer Name = WILLIAMC | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 8/13/2010 12:00:22 AM | Computer Name = WILLIAMC | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 8/13/2010 12:00:32 AM | Computer Name = WILLIAMC | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetBT_Tcpip_{AF7F7A0B-698F-4AF0-90F6-B51A2ACD0261}
    because another computer on the network has the same name. The server could not
    start.

    Error - 8/13/2010 12:28:08 AM | Computer Name = WILLIAMC | Source = Dhcp | ID = 1001
    Description = Your computer was not assigned an address from the network (by the
    DHCP Server) for the Network Card with network address 0012F0A33991. The following
    error occurred: %%121. Your computer will continue to try and obtain an address on
    its own from the network address (DHCP) server.


    < End of report >
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Very good :)

    What happened to Avira and ZoneAlarm?
    I don't see them running.

    =======================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - Disabled:{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A36BD6D
      @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:741D415F
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
      "DisableMonitoring" =-
      
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  21. UTfan

    UTfan TS Rookie Topic Starter

    Broni,

    Here's the log from the fix:

    *******
    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\Disabled:{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7A36BD6D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:741D415F deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: William
    ->Temp folder emptied: 12963500 bytes
    ->Temporary Internet Files folder emptied: 124111 bytes
    ->Java cache emptied: 9949 bytes
    ->FireFox cache emptied: 94112954 bytes
    ->Flash cache emptied: 2756 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2433777 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12794284 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 117.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: William
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08132010_213319

    Files\Folders moved on Reboot...
    C:\Documents and Settings\William\Local Settings\Temp\~DFB885.tmp moved successfully.
    File\Folder C:\WINDOWS\temp\ZLT02c60.TMP not found!

    Registry entries deleted on Reboot...
    ****************************
     
  22. UTfan

    UTfan TS Rookie Topic Starter

    Log file is too big so I've attached it here.

    Thanks again.

    By the way, I uninstalled Avira and Zonealarm was disabled per Bobbye's instructions. I plan on installing it again once all this is cleaned up.
     

    Attached Files:

    • OTL.Txt
      File size:
      63.4 KB
      Views:
      1
  23. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please, always answer all my questions:
    Then...
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I didn't see your previous reply :)
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You can reinstall both now.
    You don't want to be without any protection.

    When done....last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...