TechSpot

Browser constantly being redirected and infected with 'TR/Spy.502272.10 [trojan]'

By Jun23
Oct 13, 2010
  1. Hi,

    Small introduction: my name is Jun and I'm not very good with computers.

    My browser has been redirecting me to poorly reputed sites for the past two days. I've scanned with Malwarebytes Anti-Malware but it was unable to detect anything. Using Hitman Pro 3 the programme found malicious software called winlogon.exe in C:\WINDOWS\system32\; in order to delete this I need the original file on the Windows XP installation disk to replace this one. Unfortunately I've managed to lose this. I followed the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions, however when using TFC my computer restarted itself automatically and I've lost the taskbar at the bottom of the screen as well as the icons on the desktop. Now my computer is beeping every 1-2 minutes. Avira AntiVir Personal is also detecting a lot of malware at the moment.

    Virus or unwanted program 'TR/Spy.502272.10 [trojan]'
    detected in file 'C:\WINDOWS\system32\winlogon.exe'

    keeps appearing in the reports.

    MBAM log
    Malwarebytes' Anti-Malware 1.40
    Database version: 2574
    Windows 5.1.2600 Service Pack 2

    13/10/2010 21:51:43
    mbam-log-2010-10-13 (21-51-43).txt

    Scan type: Quick Scan
    Objects scanned: 93775
    Time elapsed: 6 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER log
    GMER 1.0.15.15315 - http://www.gmer.net
    Rootkit scan 2010-10-13 21:25:16
    Windows 5.1.2600 Service Pack 2
    Running: fgju2nqd.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kwtciaob.sys


    ---- System - GMER 1.0.15 ----

    SSDT F8C981C6 ZwCreateKey
    SSDT F8C981BC ZwCreateThread
    SSDT F8C981CB ZwDeleteKey
    SSDT F8C981D5 ZwDeleteValueKey
    SSDT F8C981DA ZwLoadKey
    SSDT F8C981A8 ZwOpenProcess
    SSDT F8C981AD ZwOpenThread
    SSDT F8C981E4 ZwReplaceKey
    SSDT F8C981DF ZwRestoreKey
    SSDT F8C981D0 ZwSetValueKey

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\crypt32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\crypt32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\crypt32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\crypt32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\netapi32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\netapi32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\netapi32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1868] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs EF6E6400

    ---- EOF - GMER 1.0.15 ----
     
  2. Jun23

    Jun23 TS Rookie Topic Starter

    DDS.txt

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by HP_Owner at 21:32:45.21 on 13/10/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.99 [GMT 1:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\HP_Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AOL Dialer] c:\program files\common files\aol\acs\AOlDial.exe
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    uRun: [{B2C3A697-10AE-771D-B0EC-5F196B0E88F6}] "c:\documents and settings\hp_owner\application data\etan\neot.exe"
    uRun: [SUPERAntiSpyware] c:\documents and settings\hp_owner\desktop\SUPERAntiSpyware.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [PS2] c:\windows\system32\ps2.exe
    mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
    mRun: [HostManager] c:\program files\common files\aol\1229762181\ee\AOLSoftware.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0a\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aolcom~1.lnk - c:\program files\aol companion\companion.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: !SASWinLogon - c:\documents and settings\hp_owner\desktop\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\documents and settings\hp_owner\desktop\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\17ibpqgm.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.explosm.net/comics/new/
    FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_UK&q=
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-13 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-13 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-13 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-13 60936]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
    R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [2005-1-1 24544]
    S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\hp_owner\desktop\sasdifsv.sys --> c:\documents and settings\hp_owner\desktop\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\hp_owner\desktop\saskutil.sys --> c:\documents and settings\hp_owner\desktop\SASKUTIL.SYS [?]
    S3 jgameenp;jgameenp;\??\c:\docume~1\hp_owner\locals~1\temp\jgameenp.sys --> c:\docume~1\hp_owner\locals~1\temp\jgameenp.sys [?]

    =============== Created Last 30 ================

    2010-10-13 17:41:53 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-13 17:35:59 -------- d-----w- c:\docume~1\hp_owner\applic~1\Avira
    2010-10-13 17:34:02 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-13 17:33:57 -------- d-----w- c:\program files\Avira
    2010-10-13 17:33:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-10-13 16:33:46 -------- d-----w- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
    2010-10-13 16:33:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-10-13 16:23:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-10-13 16:19:57 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-13 16:16:51 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-10-13 16:16:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-10-09 11:26:38 14808 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-10-09 11:26:34 718296 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-09-25 11:08:38 -------- d-s---r- C:\assembly

    ==================== Find3M ====================

    2010-10-13 17:46:48 73728 ----a-w- c:\windows\ALCFDRTM.VER
    2010-10-01 17:40:05 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

    ============= FINISH: 21:33:50.98 ===============
     
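    Added triage example (not part of the thread, and not code from DDS, GMER, Hitman Pro or any other tool named above): a small Python script that applies a handful of heuristics to DDS-style log lines of the kind posted in DDS.txt. The sample lines are copied from that log; the heuristics, the severity labels and the regular expressions are this example's own assumptions. A hit means "an entry a triager would check by hand" (who wrote it, is the file signed, what does it do), not a confirmed infection.

```python
"""Heuristic triage of DDS-style log lines (added example, not from the thread).

Looks at Run entries, service/driver entries, Hosts overrides and Firefox
pref lines and flags patterns that usually deserve a closer look.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high" = check first, "review" = confirm it is intended
    reason: str
    line: str


# Sample input: a subset of lines copied from the DDS.txt posted above.
SAMPLE_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{B2C3A697-10AE-771D-B0EC-5F196B0E88F6}] "c:\documents and settings\hp_owner\application data\etan\neot.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-13 60936]
S3 jgameenp;jgameenp;\??\c:\docume~1\hp_owner\locals~1\temp\jgameenp.sys --> c:\docume~1\hp_owner\locals~1\temp\jgameenp.sys [?]
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_UK&q=
FF - user.js: security.warn_submit_insecure - false
""".strip().splitlines()

# Line shapes as DDS prints them (assumed from the log above, not a DDS spec).
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
DRIVER_RE = re.compile(r'^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<path>.*)$')
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+) (?P<host>\S+)$')
FF_RE = re.compile(r'^FF - (?P<file>user\.js|prefs\.js): (?P<pref>\S+) - (?P<value>.*)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)

# Locations an ordinary user can write to. Vendor software rarely persists
# from Application Data; a kernel driver registered from Temp is stranger still.
PROFILE_DIRS = ('\\application data\\', '\\applic~1\\')
TEMP_DIRS = ('\\local settings\\temp\\', '\\locals~1\\temp\\')


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for one DDS log line."""
    out: List[Finding] = []
    low = line.lower()

    m = RUN_RE.match(line)
    if m:
        if GUID_RE.match(m.group('name')):
            out.append(Finding('high', 'Run value named as a bare GUID', line))
        if any(d in low for d in PROFILE_DIRS + TEMP_DIRS):
            out.append(Finding('high', 'autorun executable under user profile', line))
        return out

    m = DRIVER_RE.match(line)
    if m and any(d in low for d in TEMP_DIRS):
        out.append(Finding('high', 'kernel driver registered from Temp', line))
        return out

    m = HOSTS_RE.match(line)
    if m:
        # Any hosts override is worth knowing about; security sites being
        # pointed at localhost is a classic sign the entry was not user-made.
        out.append(Finding('review', f'hosts override for {m.group("host")}', line))
        return out

    m = FF_RE.match(line)
    if m:
        pref, val = m.group('pref'), m.group('value').strip()
        if pref == 'keyword.URL':
            out.append(Finding('review', 'address-bar keyword search redirected', line))
        elif pref.startswith('security.warn_') and val == 'false':
            # user.js entries can come from legitimate tools; confirm the source.
            out.append(Finding('review', f'{pref} disabled in {m.group("file")}', line))
    return out


def triage(lines) -> List[Finding]:
    """Run triage_line over an iterable of raw log lines."""
    return [f for ln in lines for f in triage_line(ln.strip())]


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'[{f.severity:6}] {f.reason}: {f.line}')
```

    Run it as `python triage_dds.py` against a pasted DDS.txt to get the "high" entries first. The point of the severity split is ordering the manual work: a GUID-named Run value pointing into Application Data, or a driver path under Temp, is where a responder would start collecting the file, its hash and its signature, while hosts and Firefox pref hits are usually explained by an installed tool and only need confirming.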
  3. Jun23

    Jun23 TS Rookie Topic Starter

    Attach.txt


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 18/12/2008 20:41:46
    System Uptime: 13/10/2010 21:26:05 (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | Puffer
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3201/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3201/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 182 GiB total, 142.432 GiB free.
    D: is FIXED (FAT32) - 5 GiB total, 0.96 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 10/10/2010 16:21:58 - System Checkpoint
    RP2: 11/10/2010 22:05:10 - Removed Dawn of War - Soulstorm
    RP3: 11/10/2010 22:07:31 - Removed Dawn Of War
    RP4: 13/10/2010 19:13:22 - Removed YouTube Downloader Toolbar v1.0.

    ==== Installed Programs ======================


    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Agere Systems PCI Soft Modem
    AiO_Scan
    AiOSoftware
    AOL Coach Version 1.0(Build:20040229.1 uk)
    AOL Spyware Protection
    AOL Toolbar
    AOL UK (Choose which version to remove)
    AOL Uninstaller
    AOL You've Got Pictures Screensaver
    Ask Toolbar
    ATI Control Panel
    ATI Display Driver
    Avira AntiVir Personal - Free Antivirus
    BT Voyager Modem AOL Test
    BufferChm
    CameraDrivers
    Combined Community Codec Pack 2008-09-21 16:18
    Copy
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    Destinations
    Director
    DocProc
    DocumentViewer
    Easy Internet Sign-up
    EPSON CardMonitor
    EPSON Copy Utility 3
    EPSON PhotoQuicker3.5
    EPSON PhotoStarter3.1
    EPSON PRINT Image Framer Tool2.1
    EPSON Printer Software
    EPSON Scan
    EPSON Smart Panel
    EPSON Web-To-Page
    ERUNT 1.1j
    ESCX6600 Reference Guide
    ESCX6600 Software Guide
    ESET Online Scanner v3
    Fax
    Help and Support Additions
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Deskjet Preloaded Printer Drivers
    HP Diagnostic Assistant
    HP Image Zone 4.2.3
    HP Image Zone Plus 4.2.3
    HP Photosmart Cameras 4.0
    HP PSC & OfficeJet 4.0
    HP Software Update
    HPIZ423
    HpSdpAppCoreApp
    InstantShare
    InterVideo DiscLabel
    Java(TM) 6 Update 15
    Junk Mail filter update
    KBD
    Learn2 Player (Uninstall Only)
    LG USB Modem Driver
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio 2007 Service Pack 2 (SP2)
    Microsoft Office Visio MUI (English) 2007
    Microsoft Office Visio Professional 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WinUsb 1.0
    Mozilla Firefox (3.6.10)
    MP3 Player Utilities 4.17
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    PC-Doctor for Windows
    PhotoGallery
    Photosmart 320,370,7400,8100,8400 Series
    PIF DESIGNER2.1
    PrintScreen
    PS2
    PSPrinters06
    Puzzle Bobble (Remove only, requires CD)
    Python 2.2 combined Win32 extensions
    Python 2.2.1
    QFolder
    QuickProjects
    QuickTime
    Readme
    RealPlayer Basic
    Scan
    ScanToWeb
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio 2007 (KB982127)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Segoe UI
    SiS VGA Utilities
    SkinsHP1
    Spybot - Search & Destroy
    SpywareGuard v2.2
    SUPERAntiSpyware
    TomTom HOME 2.7.5.2014
    TomTom HOME Visual Studio Merge Modules
    TrayApp
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2291599)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VC 9.0 Runtime
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Windows Imaging Component
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Movie Maker 2.0
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885295
    WinRAR
    WinRAR archiver
    Xvid 1.1.3 final uninstall

    ==== Event Viewer Messages From Past Week ========

    13/10/2010 19:51:27, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 19:51:26, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 19:51:26, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 19:51:22, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 19:14:10, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    13/10/2010 18:58:44, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    13/10/2010 18:58:39, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    13/10/2010 18:57:07, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    13/10/2010 18:57:07, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    13/10/2010 18:56:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    13/10/2010 18:56:37, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
    13/10/2010 18:46:46, information: Windows File Protection [64021] - The system file c:\windows\explorer.exe could not be copied into the DLL cache. The specific error code is 0x800b0100 [No signature was present in the subject. ]. This file is necessary to maintain system stability.
    13/10/2010 18:46:06, information: Windows File Protection [64004] - The protected system file winlogon.exe could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2180 The specific error code is 0x00000000 [The operation completed successfully. ].
    13/10/2010 18:46:06, information: Windows File Protection [64001] - File replacement was attempted on the protected system file winlogon.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.
    13/10/2010 18:46:00, information: Windows File Protection [64004] - The protected system file explorer.exe could not be restored to its original, valid version. The file version of the bad file is 6.0.2900.2180 The specific error code is 0x00000000 [The operation completed successfully. ].
    13/10/2010 18:46:00, information: Windows File Protection [64002] - File replacement was attempted on the protected system file winlogon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
    13/10/2010 18:46:00, information: Windows File Protection [64001] - File replacement was attempted on the protected system file explorer.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.2180, the version of the system file is 6.0.2900.2180.
    13/10/2010 18:42:44, information: Windows File Protection [64002] - File replacement was attempted on the protected system file explorer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
    13/10/2010 18:32:25, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    13/10/2010 18:32:25, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    13/10/2010 18:32:25, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    10/10/2010 09:23:58, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AOL Connectivity Service service to connect.
    10/10/2010 09:23:58, error: Service Control Manager [7000] - The AOL Connectivity Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    07/10/2010 06:20:37, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 0011D858243C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================

    Please help!
     
  4. Broni

    Broni Malware Annihilator

    Welcome aboard

    I can see some Norton's leftovers.
    Please run the Norton Removal Tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    =======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
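The MBRCheck step above produces a report that either names a recognised boot loader or, as in the report posted in the next reply, says "Unknown MBR code" next to a SHA1. The script below is an added example written for this page, not MBRCheck's source and not posted by either participant. It shows the idea behind that report: read sector 0, hash the bootstrap area, compare the hash to an allow-list of known loaders, and decode the partition table so each volume's byte offset can be checked against what the tool prints. Whether MBRCheck hashes exactly the first 440 bytes is not stated on the page, so treat that byte range as an assumption. Everything else in it is constructed: the reference loader whose hash seeds the allow-list, the sample sector's boot code, the disk signatures and the partition sizes; only the two partition start offsets (0x7e00 for D: and 0x125eda000 for C:) are taken from the MBRCheck output in the next reply. An "unknown" result on its own does not prove infection: OEM recovery setups and third-party boot managers also install non-Microsoft MBR code, which is why the tool words it as "non-standard or infected".

```python
"""Parse a 512-byte MBR, fingerprint its boot code and compare the hash to an
allow-list, the same check MBRCheck reports as a named loader vs 'Unknown MBR code'.
Added example for this thread; sample sector and allow-list are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bytes 0..439: bootstrap code (assumed hash range)
DISK_SIG_OFF = 440          # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446        # four 16-byte partition entries, 446..509
BOOT_MAGIC = b"\x55\xaa"    # bytes 510..511

PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)"}


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code SHA1, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_MAGIC:
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFF)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _chs_first, ptype, _chs_last, lba_start, sectors = \
            struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "start_lba": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,   # the per-volume offset MBRCheck prints
        })
    return {
        "bootcode_sha1": hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper(),
        "disk_signature": disk_sig,
        "partitions": partitions,
    }


def classify_mbr(sector: bytes, known_good: dict) -> str:
    """Match the boot-code hash against the allow-list. Unmatched code is only
    'unknown': it may be an OEM or boot-manager loader, or a bootkit."""
    info = parse_mbr(sector)
    name = known_good.get(info["bootcode_sha1"])
    return f"known-good: {name}" if name else "Unknown MBR code"


def build_mbr(bootcode: bytes, disk_sig: int, entries: list, magic: bytes = BOOT_MAGIC) -> bytes:
    """Assemble a sector from parts; used here only to construct test images."""
    sector = bytearray(SECTOR_SIZE)
    code = bootcode[:BOOTCODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries[:4]):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + i * 16,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = magic
    return bytes(sector)


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device. Needs elevation:
    r"\\.\PhysicalDrive0" on Windows, "/dev/sda" on Linux."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed reference loader: stands in for a vendor's known-good boot code.
REFERENCE_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (BOOTCODE_LEN - 8)
REFERENCE_MBR = build_mbr(REFERENCE_BOOTCODE, 0x11111111, [(0x80, 0x07, 63, 1000)])
KNOWN_GOOD = {parse_mbr(REFERENCE_MBR)["bootcode_sha1"]: "constructed reference loader"}

# Constructed sample with different boot code. Partition starts mirror the volume
# offsets in the posted MBRCheck log (D: at 0x7e00, C: at 0x125eda000); the boot
# code, disk signature and partition sizes are made up.
SAMPLE_MBR = build_mbr(
    b"\xea\x05\x00\xc0\x07" + b"\xcc" * (BOOTCODE_LEN - 5),
    0x2A3B4C5D,
    [(0x80, 0x0B, 63, 9631377), (0x00, 0x07, 9631440, 381090528)],
)

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("boot code SHA1:", info["bootcode_sha1"], "->", classify_mbr(SAMPLE_MBR, KNOWN_GOOD))
    for p in info["partitions"]:
        print(f"  part {p['index']}: {p['type']:<12} start LBA {p['start_lba']:>10} "
              f"(offset 0x{p['byte_offset']:x}){' boot' if p['bootable'] else ''}")
```

To hash a live disk, run it elevated and pass `read_mbr(r"\\.\PhysicalDrive0")` to `classify_mbr`; a real allow-list would be seeded with hashes of loaders you have verified (stock Windows XP/Vista/7 boot code, GRUB, the OEM recovery loader) rather than the constructed reference used here, and a disk whose hash matches none of them deserves a look at the boot code itself before calling it clean or infected.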
     
  5. Jun23

    Jun23 TS Rookie Topic Starter

    Hi,

    Here is the MBR report

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000003fc

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0xF8AE5000 \WINDOWS\system32\KDCOM.DLL
    0xF89F5000 \WINDOWS\system32\BOOTVID.dll
    0xF84B6000 ACPI.sys
    0xF8AE7000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF84A5000 pci.sys
    0xF85E5000 isapnp.sys
    0xF8AE9000 intelide.sys
    0xF8865000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF85F5000 MountMgr.sys
    0xF8486000 ftdisk.sys
    0xF886D000 PartMgr.sys
    0xF8605000 VolSnap.sys
    0xF846E000 atapi.sys
    0xF8615000 disk.sys
    0xF8625000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF844F000 fltMgr.sys
    0xF843D000 sr.sys
    0xF8875000 PxHelp20.sys
    0xF8426000 KSecDD.sys
    0xF8413000 WudfPf.sys
    0xF8386000 Ntfs.sys
    0xF8359000 NDIS.sys
    0xF887D000 viaagp1.sys
    0xF8635000 SISAGPX.sys
    0xF8645000 ohci1394.sys
    0xF8655000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF833E000 Mup.sys
    0xF86E5000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF8AC9000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0xF7DAE000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7CC0000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF7CAC000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7C88000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF8945000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7C65000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF894D000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7D9E000 \SystemRoot\system32\DRIVERS\R8139n51.SYS
    0xF7C13000 \SystemRoot\system32\DRIVERS\Cap7134.sys
    0xF86B5000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF7BF0000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7ABA000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF8955000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7AA6000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF86C5000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF895D000 \SystemRoot\system32\drivers\iviaspi.sys
    0xF86D5000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF86F5000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF8BEA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF8705000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF8ADD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7A8F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF8715000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF8725000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF8965000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7A7E000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF8735000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF896D000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF8975000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF897D000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xF8745000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF8985000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF898D000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8B15000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF7A22000 \SystemRoot\system32\DRIVERS\update.sys
    0xF830E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF8765000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xEF778000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xEF757000 \SystemRoot\system32\drivers\portcls.sys
    0xF87A5000 \SystemRoot\system32\drivers\drmk.sys
    0xF87B5000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8B19000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8995000 \SystemRoot\system32\DRIVERS\PhTVTune.sys
    0xF8B1F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xEF6F2000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8B21000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF89A5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF89AD000 \SystemRoot\System32\drivers\vga.sys
    0xF8B23000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8B25000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF89B5000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF89BD000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8A99000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEE922000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEE8CA000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEE8A2000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEE881000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF87D5000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xEE849000 \SystemRoot\system32\DRIVERS\tcpip6.sys
    0xEE827000 \SystemRoot\System32\drivers\afd.sys
    0xF89C5000 \SystemRoot\system32\DRIVERS\Ip6Fw.sys
    0xF87E5000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF8805000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xF89CD000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF89D5000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xF8AB9000 \SystemRoot\system32\DRIVERS\srvkp.sys
    0xEE7D3000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEE764000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF8835000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF8ABD000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF8845000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF89DD000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF8AC1000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xEE627000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF8B29000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF7A7A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xEE604000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xEE5EC000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8B2F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7A56000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF888D000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8CFA000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF04B000 \SystemRoot\System32\ati2cqag.dll
    0xBF087000 \SystemRoot\System32\ati3duag.dll
    0xBF2AE000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xED497000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xED47F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xED14A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xED10D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xED2F7000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF8B91000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xECF29000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEC95F000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 31):
    0 System Idle Process
    4 System
    544 C:\WINDOWS\system32\smss.exe
    592 csrss.exe
    616 C:\WINDOWS\system32\winlogon.exe
    672 C:\WINDOWS\system32\services.exe
    684 C:\WINDOWS\system32\lsass.exe
    872 C:\WINDOWS\system32\ati2evxx.exe
    888 C:\WINDOWS\system32\svchost.exe
    944 svchost.exe
    1016 C:\WINDOWS\system32\svchost.exe
    1056 C:\WINDOWS\system32\svchost.exe
    1108 svchost.exe
    1196 svchost.exe
    1384 C:\WINDOWS\system32\spoolsv.exe
    1448 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1512 svchost.exe
    1712 C:\WINDOWS\system32\ati2evxx.exe
    1864 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1880 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    1936 C:\Program Files\Java\jre6\bin\jqs.exe
    2020 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    168 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    252 C:\WINDOWS\system32\tcpsvcs.exe
    340 C:\WINDOWS\system32\svchost.exe
    360 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    1828 alg.exe
    2400 C:\WINDOWS\system32\taskmgr.exe
    2488 C:\Program Files\Mozilla Firefox\firefox.exe
    2660 C:\WINDOWS\system32\wscntfy.exe
    1332 C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`25eda000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: ST3200822AS, Rev: 3.02

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: EC5B6F4B08268D5344F30BFF61C8B587F034795B


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    This is the ComboFix report

    ComboFix 10-10-12.03 - HP_Owner 14/10/2010 18:01:20.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.273 [GMT 1:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\HP_Owner\Application Data\Etan\neot.exe
    .
    ---- Previous Run -------
    .
    c:\documents and settings\All Users\Documents\Server\admin.txt
    c:\documents and settings\All Users\Documents\Server\server.dat
    c:\documents and settings\HP_Owner\Application Data\Etan\neot.exe
    c:\windows\system32\ps2.bat

    -- Previous Run --

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\cache\winlogon.exe

    --------

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
    .

    2010-10-13 17:41 . 2010-10-13 18:18 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-13 17:35 . 2010-10-13 17:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Avira
    2010-10-13 17:34 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-13 17:34 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-13 17:34 . 2009-05-11 11:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-13 17:34 . 2009-05-11 11:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-13 17:33 . 2010-10-13 17:33 -------- d-----w- c:\program files\Avira
    2010-10-13 17:33 . 2010-10-13 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-10-13 16:33 . 2010-10-13 16:33 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
    2010-10-13 16:33 . 2010-10-13 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-10-13 16:23 . 2010-10-13 16:23 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-10-13 16:19 . 2010-10-13 21:08 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-13 16:16 . 2010-10-13 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-10-13 16:16 . 2010-10-13 16:16 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-10-09 11:26 . 2010-10-09 11:26 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-10-09 11:26 . 2010-10-09 11:26 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-10-07 18:56 . 2010-10-07 18:56 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
    2010-09-25 11:08 . 2010-09-25 11:08 -------- d-----r- C:\assembly

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\cache\explorer.exe

    c:\windows\explorer.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-02-04 16:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Dialer"="c:\program files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 71008]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
    "SiSPower"="SiSPower.dll" [2004-09-24 49152]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-12-18 26112]
    "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
    "HostManager"="c:\program files\Common Files\AOL\1229762181\ee\AOLSoftware.exe" [2006-09-26 50736]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-09 344064]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
    "AlcWzrd"="ALCWZRD.EXE" [2004-07-29 2551808]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
    "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-10-13 6238016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2010-1-15 156784]
    AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2010-1-15 250992]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1229762181\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\AOL 9.0a\\waol.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
    "7070:TCP"= 7070:TCP:nfr

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/10/2010 18:34 135336]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 15:41 92008]
    R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/2005 10:48 24544]
    S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\HP_Owner\Desktop\SASDIFSV.SYS --> c:\documents and settings\HP_Owner\Desktop\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\HP_Owner\Desktop\SASKUTIL.SYS --> c:\documents and settings\HP_Owner\Desktop\SASKUTIL.SYS [?]
    S3 jgameenp;jgameenp;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-02-04 16:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.explosm.net/comics/new/
    FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_UK&q=
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-{B2C3A697-10AE-771D-B0EC-5F196B0E88F6} - c:\documents and settings\HP_Owner\Application Data\Etan\neot.exe
    HKCU-Run-SUPERAntiSpyware - c:\documents and settings\HP_Owner\Desktop\SUPERAntiSpyware.exe
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\documents and settings\HP_Owner\Desktop\SASSEH.DLL
    Notify-!SASWinLogon - c:\documents and settings\HP_Owner\Desktop\SASWINLO.DLL
    AddRemove-Puzzle Bobble - E:\Loader.exe
    AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - c:\documents and settings\HP_Owner\Desktop\Uninstall.exe


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(636)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-10-14 18:09:33
    ComboFix-quarantined-files.txt 2010-10-14 17:09

    Pre-Run: 152,835,112,960 bytes free
    Post-Run: 152,793,993,216 bytes free

    - - End Of File - - 0485B388A7B17EF21CBD66CAE52A5433
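
    The ComboFix listing above is the kind of output a helper reads by eye: what loads from where, and which protections are switched off. Below is an added example, not code from the thread, from ComboFix or from OTL, that applies the same reading to log lines automatically. It flags services, drivers and autostart entries whose binary lives in a user-writable profile location (Temp, Application Data, Local Settings, Desktop), service entries whose file ComboFix marked [?], the standard-profile firewall policy set to 0, and Run values that name a bare file and so rely on the search path. The sample input is a handful of lines copied from the log above. Every hit is a lead rather than a verdict: the SASDIFSV/SASKUTIL drivers on the Desktop belong to the SUPERAntiSpyware copy that was run from there (see the orphans section), and are listed only because a kernel driver loading from a Desktop folder deserves a look.

```python
"""Triage of ComboFix/OTL-style autostart and driver listings.

Added example for this thread, not code from ComboFix or OTL. It applies
the checks a helper makes by eye: binaries loading from user-writable
profile locations, service entries whose file ComboFix marked [?], the
firewall policy switched off, and Run values naming a bare file that is
resolved through the search path. Every hit is a lead, not a verdict.
"""
import re
from typing import Iterable, List, Tuple

# A Windows path: drive letter, backslash, then everything up to a quote,
# a " [date size]" block, a " -->" redirect marker, or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?)(?=\s*(?:\[|-->|"|$))')

# Profile locations a service or kernel driver has no business loading from.
# Keys are lower-case substrings matched against the lower-cased path.
WRITABLE_DIRS = {
    "\\temp\\": "high",
    "\\application data\\": "high",
    "\\local settings\\": "high",
    "\\recycler\\": "high",
    "\\desktop\\": "medium",
}

# ComboFix service line: R/S = running/stopped, digit = start type, then name.
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')

Finding = Tuple[str, str, str]  # (severity, reason, evidence)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def triage_line(line: str) -> List[Finding]:
    """Return every finding for one log line (empty list if nothing stands out)."""
    text = line.strip()
    findings: List[Finding] = []
    if not text:
        return findings

    if FIREWALL_OFF_RE.search(text):
        findings.append(("high", "Windows Firewall disabled in the standard profile", text))

    seen = set()
    for path in PATH_RE.findall(text):
        low = path.strip().lower()
        if low in seen:  # "\??\x --> x" lists the same file twice
            continue
        seen.add(low)
        for needle, severity in WRITABLE_DIRS.items():
            if needle in low:
                label = needle.strip("\\")
                findings.append((severity, f"loads from user-writable location ({label})", path.strip()))
                break

    service = SERVICE_RE.match(text)
    if service and text.endswith("[?]"):
        findings.append(("medium", f"service/driver {service.group(1)!r} points to a file ComboFix could not read", text))

    run = RUN_VALUE_RE.match(text)
    if run and "\\" not in run.group(2):
        findings.append(("low", f"Run value {run.group(1)!r} names a bare file resolved via the search path", run.group(2)))

    return findings


def triage(lines: Iterable[str]) -> List[Finding]:
    """Triage many lines, most severe first; the sort is stable so log order is kept within a tier."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(triage_line(line))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Sample input: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/10/2010 18:34 135336]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\HP_Owner\Desktop\SASDIFSV.SYS --> c:\documents and settings\HP_Owner\Desktop\SASDIFSV.SYS [?]
S3 jgameenp;jgameenp;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys [?]
HKCU-Run-{B2C3A697-10AE-771D-B0EC-5F196B0E88F6} - c:\documents and settings\HP_Owner\Application Data\Etan\neot.exe
"""

if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG.splitlines()):
        print(f"[{severity:>6}] {reason}: {evidence}")
```

    Run it as a script to print the findings; for a real log, feed it the file's lines instead of SAMPLE_LOG. The severity tiers are a reviewer's rough ordering: the disabled firewall and anything executing out of Temp or Application Data go to the top because those are the entries most often worth a second look, while a bare filename in a Run key is only a note that the entry resolves through the search path.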
     
  6. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Let's start with your infected MBR.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive opens, simply close it again.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-ROM as the first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted, please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
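
    The fix above rewrites only the bootstrap code and leaves the partition table alone, which is why it does not touch the data on the disk. The script below is an added example, not part of the thread and not how NTBR, MBRWORK or MBRCheck work internally. It reads a raw 512-byte MBR (for instance the first sector copied off the disk from a boot CD) and checks what a practitioner would check: the 55AA boot signature, partition entries that overlap or run past the end of the disk, and, when a copy saved from the machine while it was clean is available, whether the 440-byte bootstrap code region or the partition table has changed. The sample sectors, their boot-code byte patterns and the disk size are constructed stand-ins, not real MBR code.

```python
"""Offline structural check of a raw 512-byte MBR sector.

Added example for this thread; it is not how NTBR, MBRWORK or MBRCheck work
internally. Given the first sector of a disk (or a disk image) and,
optionally, a copy saved while the machine was known clean, it validates
the structure and compares the 440-byte bootstrap code region, which is
what an MBR bootkit replaces while leaving the partition table intact so
that Windows still boots. Sample sectors below are constructed, not real.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOTSTRAP_LEN = 440     # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440      # 4-byte NT disk signature (444..445 are normally zero)
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Read the four entries; CHS fields are ignored, the LBA fields are what matters."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def unpartitioned_tail(parts: List[Partition], disk_sectors: int) -> int:
    """Sectors after the last partition: where a bootkit typically stores its payload and the saved original MBR."""
    return disk_sectors - max((p.lba_end for p in parts), default=0)


def check_mbr(mbr: bytes, disk_sectors: int, baseline: Optional[bytes] = None) -> List[str]:
    """Return human-readable problems; an empty list means nothing was flagged."""
    if len(mbr) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(mbr)}"]
    problems = []
    if mbr[510:512] != BOOT_SIG:
        problems.append("boot signature 55AA missing")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        problems.append("more than one partition flagged active")
    for i, p in enumerate(parts):
        if p.lba_start == 0 or p.lba_end > disk_sectors:
            problems.append(f"partition {i}: LBA {p.lba_start}..{p.lba_end - 1} outside the disk")
        for j in range(i + 1, len(parts)):
            q = parts[j]
            if p.lba_start < q.lba_end and q.lba_start < p.lba_end:
                problems.append(f"partitions {i} and {j} overlap")
    code = mbr[:BOOTSTRAP_LEN]
    if not any(code):
        problems.append("bootstrap code region is all zero")
    if baseline is not None:
        if baseline[:BOOTSTRAP_LEN] != code:
            problems.append("bootstrap code differs from baseline (sha256 %s vs %s)" % (
                hashlib.sha256(code).hexdigest()[:16],
                hashlib.sha256(baseline[:BOOTSTRAP_LEN]).hexdigest()[:16]))
        if baseline[PART_TABLE_OFF:510] != mbr[PART_TABLE_OFF:510]:
            problems.append("partition table differs from baseline")
    return problems


def build_mbr(code: bytes, parts: List[Partition], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector for testing; CHS fields are left zero (constructed data)."""
    sector = bytearray(SECTOR)
    sector[:BOOTSTRAP_LEN] = code[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, p in enumerate(parts[:4]):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if p.bootable else 0x00
        sector[off + 4] = p.type_id
        struct.pack_into("<II", sector, off + 8, p.lba_start, p.sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed stand-ins: byte patterns in place of real boot code, a 200 GB
# (decimal) disk with one bootable NTFS (0x07) partition, and a second pattern
# standing in for bootkit code that leaves the partition table untouched.
CLEAN_CODE = bytes((i * 7 + 3) & 0xFF for i in range(BOOTSTRAP_LEN))
INFECTED_CODE = bytes((i * 13 + 5) & 0xFF for i in range(BOOTSTRAP_LEN))
DISK_SECTORS = 390_721_968
SAMPLE_PART = Partition(bootable=True, type_id=0x07, lba_start=63, sectors=390_700_000)

if __name__ == "__main__":
    clean = build_mbr(CLEAN_CODE, [SAMPLE_PART])
    infected = build_mbr(INFECTED_CODE, [SAMPLE_PART])
    print("clean vs baseline:     ", check_mbr(clean, DISK_SECTORS, baseline=clean))
    print("infected, no baseline: ", check_mbr(infected, DISK_SECTORS))
    print("infected vs baseline:  ", check_mbr(infected, DISK_SECTORS, baseline=clean))
    print("unpartitioned tail sectors:", unpartitioned_tail(parse_partitions(clean), DISK_SECTORS))
```

    The case worth noticing is the infected sector checked without a baseline: it comes back clean. A bootkit that swaps the 440 bytes of code and leaves the table intact is structurally a perfectly valid MBR, which is why the advice here is to overwrite the code with known-good standard code rather than try to spot the infection from the sector alone. The unpartitioned tail is reported separately because that is where such code usually keeps the original MBR it displaced; if that original is wanted later, image those sectors before the rewrite.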
     
  7. Jun23

    Jun23 TS Rookie Topic Starter

    Hi, when following the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions before posting, my computer rebooted itself (when using TFC) and I lost the system taskbar as well as the icons on my desktop. I am now running my computer on Windows Task Manager. I've tried running NTBR_CD.exe but no folder is showing up.
     
  8. Broni

    Open Task Manager, click on "New task" button.
    Type in:
    explorer.exe
    Click OK.
    Is your desktop back to normal?
     
  9. Jun23

    No, a prompt came up saying that Windows cannot find "explorer.exe".
     
  10. Broni

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (file size 120.9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      /md5stop

    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  11. Jun23

    OTL.txt

    OTL logfile created on: 10/17/2010 4:32:16 PM - Run
    OTLPE by OldTimer - Version 3.1.42.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    511.00 Mb Total Physical Memory | 252.00 Mb Available Physical Memory | 49.00% Memory free
    459.00 Mb Paging File | 300.00 Mb Available in Paging File | 65.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 181.71 Gb Total Space | 142.30 Gb Free Space | 78.31% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    Drive H: | 4.58 Gb Total Space | 0.96 Gb Free Space | 20.94% Space Free | Partition Type: FAT32
    I: Drive not present or media not loaded
    Drive X: | 434.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO
    Current User Name: SYSTEM
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard
    Using ControlSet: ControlSet005

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/06/24 10:41:38 | 000,092,008 | ---- | M] (TomTom) [Auto] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
    SRV - [2010/04/01 08:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/02/24 05:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2009/05/19 07:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2006/10/23 08:50:35 | 000,046,640 | ---- | M] (AOL LLC) [Auto] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
    SRV - [2004/08/03 23:00:00 | 000,086,016 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
    SRV - [2004/08/03 23:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp)
    SRV - [2004/08/03 23:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | System] -- C:\Documents and Settings\HP_Owner\Desktop\SASKUTIL.SYS -- (SASKUTIL)
    DRV - File not found [Kernel | System] -- C:\Documents and Settings\HP_Owner\Desktop\SASDIFSV.SYS -- (SASDIFSV)
    DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\DRIVERS\PPPoEWin.SYS -- (PPPoEWin)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys -- (jgameenp)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/03/01 05:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/02/16 09:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/02/11 08:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2009/07/15 02:24:00 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
    DRV - [2009/07/15 02:23:00 | 000,020,736 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
    DRV - [2009/07/15 02:23:00 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
    DRV - [2009/05/11 07:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 05:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2008/12/18 16:47:57 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2004/10/27 16:40:30 | 000,335,360 | ---- | M] (ASUSTek) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Cap7134.sys -- (Cap7134)
    DRV - [2004/10/24 11:35:00 | 000,024,544 | ---- | M] (ASUSTek) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PhTVTune.sys -- (PhTVTune)
    DRV - [2004/09/29 18:55:50 | 000,229,888 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
    DRV - [2004/09/24 06:38:40 | 000,012,928 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
    DRV - [2004/09/10 01:15:00 | 000,798,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2004/07/29 16:04:26 | 002,216,128 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2004/06/29 13:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2004/04/26 18:31:14 | 000,135,168 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
    DRV - [2003/09/10 19:36:54 | 000,021,060 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
    DRV - [2003/07/18 12:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)
    DRV - [2003/07/02 07:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1)
    DRV - [2003/01/10 17:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
    DRV - [2002/10/04 13:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
    DRV - [2001/06/04 09:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\HP_Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    IE - HKU\HP_Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    IE - HKU\HP_Owner_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    IE - HKU\HP_Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.explosm.net/comics/new/"
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
    FF - prefs.js..extensions.enabledItems: foxfilter@inspiredeffect.net:7.6.1
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.87
    FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503
    FF - prefs.js..keyword.URL: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_UK&q="


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/09 07:26:48 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/09 07:26:48 | 000,000,000 | ---D | M]

    [2010/07/14 06:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Extensions
    [2010/07/14 06:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Extensions\home2@tomtom.com
    [2010/10/16 12:42:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions
    [2010/06/12 04:51:32 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    [2010/06/12 04:51:31 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    [2010/06/12 04:51:33 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2010/06/12 04:51:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\foxfilter@inspiredeffect.net
    [2010/02/16 08:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com
    [2010/02/16 08:55:49 | 000,002,429 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\searchplugins\askcom.xml
    [2010/10/16 12:42:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/10/09 07:26:40 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/10/09 07:26:40 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/10/09 07:26:40 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/10/09 07:26:40 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/10/14 13:07:03 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
    O3 - HKU\HP_Owner_ON_C\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
    O3 - HKU\HP_Owner_ON_C\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKU\HP_Owner_ON_C\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
    O3 - HKU\HP_Owner_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKU\HP_Owner_ON_C\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
    O4 - HKLM..\Run: [AOL Spyware Protection] C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe ()
    O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
    O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1229762181\ee\aolsoftware.exe (America Online, Inc.)
    O4 - HKLM..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [LSBWatcher] C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
    O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
    O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    O4 - HKU\HP_Owner_ON_C..\Run: [AOL Dialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
    O4 - HKU\HP_Owner_ON_C..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe (America Online, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe ()
    O4 - Startup: C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O4 - Startup: C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\HP_Owner_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\HP_Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\HP_Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\HP_Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
    O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (MSN Games - Installer)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/01/01 04:58:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - H:\AUTOEXEC.BAT -- [ FAT32 ]
    O32 - AutoRun File - [2004/04/30 22:01:14 | 000,000,053 | -HS- | M] () - H:\AUTORUN.FCB -- [ FAT32 ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/10/17 08:34:18 | 127,355,327 | ---- | C] (Igor Pavlov) -- C:\Documents and Settings\HP_Owner\Desktop\OTLPENet.exe
    [2010/10/15 16:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Desktop\NTBR_CD
    [2010/10/14 15:27:23 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\Cookies
    [2010/10/14 12:40:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/10/14 12:40:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/10/14 12:40:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/10/14 12:40:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/10/14 12:39:46 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/10/14 12:00:04 | 000,921,512 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\HP_Owner\Desktop\Norton_Removal_Tool.exe
    [2010/10/13 14:49:08 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\TFC.exe
    [2010/10/13 13:41:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2010/10/13 13:35:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Avira
    [2010/10/13 13:34:03 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/10/13 13:34:02 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/10/13 13:34:02 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/10/13 13:34:02 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/10/13 13:34:01 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/10/13 13:33:57 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/10/13 13:17:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\My Documents\SuperAntiSpyware
    [2010/10/13 12:33:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
    [2010/10/13 12:23:04 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
    [2010/10/13 12:16:51 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2010/10/13 12:16:09 | 006,238,016 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\HP_Owner\Desktop\HitmanPro35.exe
    [2010/10/13 12:01:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner\Recent
    [2010/10/07 14:56:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Application Updater
    [2010/09/25 07:08:38 | 000,000,000 | R--D | C] -- C:\assembly
    [2005/01/01 05:38:35 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/10/17 10:17:36 | 000,237,568 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
    [2010/10/17 10:17:36 | 000,237,568 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
    [2010/10/17 10:17:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/10/17 10:17:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/10/17 10:17:10 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\HP_Owner\NTUSER.DAT
    [2010/10/17 10:17:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\HP_Owner\ntuser.ini
    [2010/10/17 10:01:00 | 000,000,240 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
    [2010/10/17 09:16:27 | 127,355,327 | ---- | M] (Igor Pavlov) -- C:\Documents and Settings\HP_Owner\Desktop\OTLPENet.exe
    [2010/10/17 08:04:23 | 536,203,264 | -HS- | M] () -- C:\hiberfil.sys
    [2010/10/15 11:10:18 | 002,565,432 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\NTBR_CD.exe
    [2010/10/14 13:07:19 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/10/14 13:07:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/10/14 12:22:27 | 003,878,092 | R--- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    [2010/10/14 12:13:10 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe
    [2010/10/14 12:08:41 | 000,000,692 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/10/14 12:00:14 | 000,921,512 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\HP_Owner\Desktop\Norton_Removal_Tool.exe
    [2010/10/13 17:08:14 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/10/13 16:31:27 | 000,544,768 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\dds.scr
    [2010/10/13 15:00:35 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\fgju2nqd.exe
    [2010/10/13 14:49:09 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\TFC.exe
    [2010/10/13 13:53:53 | 000,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
    [2010/10/13 13:46:48 | 000,073,728 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCFDRTM.VER
    [2010/10/13 13:31:49 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\HP_Owner\My Documents\avira_antivir_personal_en.exe
    [2010/10/13 12:23:04 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
    [2010/10/13 12:19:30 | 006,238,016 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\HP_Owner\Desktop\HitmanPro35.exe
    [2010/10/09 16:31:55 | 000,000,659 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
    [2010/10/01 13:40:05 | 000,043,520 | ---- | M] () -- C:\WINDOWS\System32\CmdLineExt03.dll

    ========== Files Created - No Company Name ==========

    [2010/10/15 11:10:17 | 002,565,432 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\NTBR_CD.exe
    [2010/10/14 12:40:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/10/14 12:40:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/10/14 12:40:16 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/10/14 12:40:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/10/14 12:22:24 | 003,878,092 | R--- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    [2010/10/14 12:13:08 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe
    [2010/10/13 16:31:27 | 000,544,768 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\dds.scr
    [2010/10/13 15:00:34 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\fgju2nqd.exe
    [2010/10/13 13:29:54 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\HP_Owner\My Documents\avira_antivir_personal_en.exe
    [2010/10/13 12:19:57 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/02/27 10:07:18 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
    [2009/09/23 17:25:13 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CommonDL.dll
    [2009/09/23 17:25:13 | 000,002,412 | ---- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini
    [2009/08/07 15:51:34 | 000,178,430 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
    [2009/02/19 13:11:25 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
    [2009/02/16 21:12:40 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
    [2009/02/16 21:11:01 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2009/02/16 21:08:32 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE CX6600E.ini
    [2009/01/29 17:08:55 | 000,000,665 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2009/01/04 15:25:18 | 000,000,081 | ---- | C] () -- C:\WINDOWS\DVDConverter.INI
    [2009/01/04 15:24:51 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009/01/04 15:24:51 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2008/12/23 10:16:33 | 000,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/12/20 05:03:34 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\HP_Owner\LuResult.txt
    [2008/12/19 13:07:44 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/12/19 12:58:21 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2008/12/18 17:06:10 | 000,000,540 | ---- | C] () -- C:\WINDOWS\AppRun.ini
    [2008/12/18 16:42:44 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\fusioncache.dat
    [2008/12/18 16:42:41 | 008,912,896 | -H-- | C] () -- C:\Documents and Settings\HP_Owner\NTUSER.DAT
    [2008/12/18 16:42:41 | 000,131,072 | -H-- | C] () -- C:\Documents and Settings\HP_Owner\NTUSER.DAT.LOG
    [2008/12/18 16:42:41 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\HP_Owner\ntuser.ini
    [2006/03/06 06:41:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\AMV_DecDLL.dll
    [2006/01/04 14:19:27 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
    [2005/01/01 20:00:19 | 000,103,579 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
    [2005/01/01 20:00:19 | 000,095,249 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
    [2005/01/01 11:45:30 | 000,000,548 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2005/01/01 09:11:32 | 000,262,144 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
    [2005/01/01 09:11:32 | 000,008,192 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    [2005/01/01 08:08:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2005/01/01 06:48:20 | 000,013,779 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
    [2005/01/01 06:48:11 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
    [2005/01/01 05:43:52 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\RTCOMDLL.dll
    [2005/01/01 05:43:52 | 000,156,160 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
    [2005/01/01 05:14:45 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
    [2005/01/01 05:14:45 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
    [2005/01/01 05:14:30 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
    [2005/01/01 05:02:20 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2005/01/01 05:01:36 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
    [2005/01/01 05:01:35 | 000,237,568 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
    [2005/01/01 05:01:35 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG
    [2005/01/01 05:01:35 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT.LOG
    [2005/01/01 05:01:35 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
    [2005/01/01 05:01:34 | 000,237,568 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
    [2004/09/16 09:26:40 | 000,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS
    [2004/08/19 23:14:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
    [2004/08/19 23:14:46 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
    [2003/04/10 19:04:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll

    ========== LOP Check ==========

    [2010/10/07 14:56:01 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Application Updater
    [2005/01/01 06:29:25 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Intervideo
    [2005/01/01 09:08:36 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
    [2010/10/17 10:01:00 | 000,000,240 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

    ========== Purity Check ==========



    ========== Custom Scans ==========



    < MD5 for: EXPLORER.EXE >
    [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [2004/08/03 23:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\cache\explorer.exe
    < End of report >
     
  12. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys -- (jgameenp)
    IE - HKU\HP_Owner_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..keyword.URL: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_UK&q="
    [2010/02/16 08:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com
    [2010/02/16 08:55:49 | 000,002,429 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\searchplugins\askcom.xml
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKU\HP_Owner_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
    O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
    [2010/10/17 10:01:00 | 000,000,240 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Ask.com
    C:\Windows\explorer.exe|C:\WINDOWS\system32\dllcache\cache\explorer.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.

    Let me know if your desktop is back.
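    The fix above restores C:\Windows\explorer.exe from the dllcache copy, and the OTL log earlier in the thread (the "< MD5 for: EXPLORER.EXE >" custom scan) is what shows the two copies on the machine carrying different hashes. The following is an added example, not code from OTL, ComboFix or any poster here: it parses lines in that OTL custom-scan format, groups the paths by hash so a copy that differs from the cached one stands out, and checks a live file against a cache copy the same way. The two sample log lines are copied from the thread; the function names, the regular expression and the throwaway files in demo_compare() are assumptions of this example.

```python
"""Parse an OTL '< MD5 for: ... >' custom-scan block and compare a live
system binary with its cache copy. Added example; not OTL's, ComboFix's
or any poster's own code. The two SAMPLE_BLOCK hash lines are copied from
the OTL log in this thread; the helper names and the temp files built in
demo_compare() are constructed for the example."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# One OTL custom-scan hash line looks like:
# [mtime | size | attrs | M] (company) MD5=<32 hex> -- <path>
OTL_MD5_LINE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Sample input: the explorer.exe block as posted in the OTL log above.
SAMPLE_BLOCK = r"""
< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2004/08/03 23:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\cache\explorer.exe
< End of report >
"""


def parse_otl_md5_block(text):
    """Return one dict per hash line. The '< MD5 for: >' header and the
    '< End of report >' trailer do not match the pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = OTL_MD5_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))   # "001,032,192" -> 1032192
        e["md5"] = e["md5"].upper()
        e["company"] = e["company"].strip()
        entries.append(e)
    return entries


def group_by_hash(entries):
    """Map each MD5 to the paths carrying it: if every copy of a system
    binary shares one hash there is one group; a differing copy adds another."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def md5_bytes(data):
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_against_cache(live_path, cache_path):
    """The comparison behind restoring a binary from its cache copy.
    Returns (matches, live_md5, cache_md5)."""
    live, cache = md5_file(live_path), md5_file(cache_path)
    return live == cache, live, cache


def demo_compare():
    """Constructed demo with throwaway files: one 'live' copy identical to
    the cache copy and one that differs. Returns (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "cache_explorer.exe")
        good = os.path.join(d, "good_explorer.exe")
        bad = os.path.join(d, "bad_explorer.exe")
        for p, data in ((cache, b"MZ-original"), (good, b"MZ-original"),
                        (bad, b"MZ-tampered")):
            with open(p, "wb") as f:
                f.write(data)
        return (check_against_cache(good, cache)[0],
                check_against_cache(bad, cache)[0])


if __name__ == "__main__":
    for md5, paths in group_by_hash(parse_otl_md5_block(SAMPLE_BLOCK)).items():
        print(md5, "->", ", ".join(paths))
    print("live-vs-cache demo:", demo_compare())
```

    Run against the posted block it yields two hash groups, one per copy of explorer.exe, which is exactly the situation the /replace line in the fix resolves. Note that a matching hash only proves the two copies are identical to each other; it says nothing about whether the cache copy itself is clean, which is why the thread goes on to re-run ComboFix afterwards.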
     
  13. Jun23

    Jun23 TS Rookie Topic Starter

    Desktop is back :D Thank you!

    Log produced from OTLPE

    ========== OTL ==========
    Service\Driver key jgameenp not found.
    File C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\jgameenp.sys not found.
    Registry key HKEY_USERS\HP_Owner_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\ not found.
    C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\searchplugins folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\logs folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\defaults\preferences folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\defaults folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\datastore folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\chrome\temp\ff-config.Tue-16-Feb-2010-12-55-46-GMT folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\chrome\temp\ff-config.Thu-21-Jan-2010-17-10-20-GMT folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\chrome\temp folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\chrome\skin folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\chrome\content folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com\chrome folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\extensions\toolbar@ask.com folder moved successfully.
    C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\searchplugins\askcom.xml moved successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
    Registry key HKEY_USERS\HP_Owner_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
    C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\Ask.com folder moved successfully.
    File C:\Windows\explorer.exe successfully replaced with C:\WINDOWS\system32\dllcache\cache\explorer.exe
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users
    -> No Temporary Internet Files cache folder defined!

    User: Default User
    -> No Temporary Internet Files cache folder defined!

    User: HP_Owner
    -> No Temporary Internet Files cache folder defined!

    User: LocalService
    -> No Temporary Internet Files cache folder defined!

    User: NetworkService
    -> No Temporary Internet Files cache folder defined!

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes

    Total Files Cleaned = 0.00 mb


    OTLPE by OldTimer - Version 3.1.42.0 log created on 10182010_195917

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_7c0.dat not found!

    Registry entries deleted on Reboot...
     
  14. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Very good :)

    Now, re-run ComboFix and give me a fresh log.
     
  15. Jun23

    Jun23 TS Rookie Topic Starter

    ComboFix log

    ComboFix 10-10-18.05 - HP_Owner 19/10/2010 20:13:40.6.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.273 [GMT 1:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
    .

    2010-10-18 18:59 . 2010-09-22 22:44 553472 ----a-r- C:\OTLPE.exe
    2010-10-18 18:59 . 2004-08-04 03:00 1032192 -c--a-w- c:\windows\system32\dllcache\explorer.exe
    2010-10-18 18:59 . 2004-08-04 03:00 1032192 ----a-w- c:\windows\explorer.exe
    2010-10-18 18:58 . 2010-10-18 18:58 -------- d-----w- C:\_OTL
    2010-10-13 17:41 . 2010-10-13 18:18 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-13 17:35 . 2010-10-13 17:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Avira
    2010-10-13 17:34 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-13 17:34 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-13 17:34 . 2009-05-11 11:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-13 17:34 . 2009-05-11 11:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-13 17:33 . 2010-10-13 17:33 -------- d-----w- c:\program files\Avira
    2010-10-13 17:33 . 2010-10-13 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-10-13 16:33 . 2010-10-13 16:33 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
    2010-10-13 16:33 . 2010-10-13 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-10-13 16:23 . 2010-10-13 16:23 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-10-13 16:19 . 2010-10-19 18:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-13 16:16 . 2010-10-13 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-10-13 16:16 . 2010-10-13 16:16 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-10-09 11:26 . 2010-10-09 11:26 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-10-09 11:26 . 2010-10-09 11:26 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-10-07 18:56 . 2010-10-07 18:56 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
    2010-09-25 11:08 . 2010-09-25 11:08 -------- d-----r- C:\assembly

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-14_17.07.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-19 18:39 . 2010-10-19 18:39 16384 c:\windows\temp\Perflib_Perfdata_3fc.dat
    + 2010-10-19 18:39 . 2010-10-19 18:39 196608 c:\windows\ERDNT\AutoBackup\19-10-2010\Users\00000002\UsrClass.dat
    + 2010-10-19 18:39 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\19-10-2010\ERDNT.EXE
    + 2010-10-18 19:01 . 2010-10-18 19:01 196608 c:\windows\ERDNT\AutoBackup\18-10-2010\Users\00000002\UsrClass.dat
    + 2010-10-18 19:01 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\18-10-2010\ERDNT.EXE
    + 2010-10-19 18:39 . 2010-10-19 18:39 8839168 c:\windows\ERDNT\AutoBackup\19-10-2010\Users\00000001\NTUSER.DAT
    + 2010-10-18 19:01 . 2010-10-18 19:01 8839168 c:\windows\ERDNT\AutoBackup\18-10-2010\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Dialer"="c:\program files\Common Files\AOL\ACS\AOlDial.exe" [2007-12-07 71008]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
    "SiSPower"="SiSPower.dll" [2004-09-24 49152]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-12-18 26112]
    "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
    "HostManager"="c:\program files\Common Files\AOL\1229762181\ee\AOLSoftware.exe" [2006-09-26 50736]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-09 344064]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
    "AlcWzrd"="ALCWZRD.EXE" [2004-07-29 2551808]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
    "AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2009-2-19 958]
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    AOL 9.0 Tray Icon.lnk.disabled [2010-1-15 748]
    AOL Companion.lnk.disabled [2010-1-20 1657]
    HP Digital Imaging Monitor.lnk.disabled [2005-1-1 1808]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1229762181\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\AOL 9.0a\\waol.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
    "7070:TCP"= 7070:TCP:nfr

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/10/2010 18:34 135336]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 15:41 92008]
    R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/2005 10:48 24544]
    S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\HP_Owner\Desktop\SASDIFSV.SYS --> c:\documents and settings\HP_Owner\Desktop\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\HP_Owner\Desktop\SASKUTIL.SYS --> c:\documents and settings\HP_Owner\Desktop\SASKUTIL.SYS [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\17ibpqgm.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.explosm.net/comics/new/
    FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_UK&q=
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1820)
    c:\windows\system32\msi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-19 20:22:26
    ComboFix-quarantined-files.txt 2010-10-19 19:22
    ComboFix2.txt 2010-10-14 17:09

    Pre-Run: 152,054,878,208 bytes free
    Post-Run: 152,490,422,272 bytes free

    - - End Of File - - 63B6DC117D862F3A42DD5A9E5CEFC54F
     
  16. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Looks good :)

    How is computer doing at the moment?

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  17. Jun23

    Jun23 TS Rookie Topic Starter

    Computer is working fine. Nothing bad happening :)

    Security check log

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    Java(TM) 6 Update 15
    Out of date Java installed!
    Adobe Flash Player 10.0.32.18
    Adobe Reader 7.0
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.10) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GOOD! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

ESET Scan report

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EK trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000541.exe a variant of Win32/Kryptik.HHI trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000589.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000592.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000595.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000610.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000611.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000614.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000620.dll Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000621.exe Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000624.exe Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000630.dll Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000675.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000676.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000678.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000691.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000692.exe Win32/Bamital.EL trojan
    C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP5\A0001875.exe Win32/Bamital.EL trojan

    Now suddenly I am very worried.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Nah....most files are in your restore points, which we'll reset in a moment.
    Two other files are in Spybot and Combofix quarantine folders (safe).
    There is only one file, Bamital leftover, which we'll remove, but even that file is not an active one.

    You'll need to do some updating though.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip 
      C:\Documents and Settings\All Users\Documents\Server\hlp.dat
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page:

[image: installer options page]

    make sure, you have both boxes UN-checked AND (important!) click on Decline button

    =======================================================================

    Update Internet Explorer to at least version 7.

    ======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current (including Service Pack 3 installation!!)

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how is your computer doing.
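The triage above (most hits sit in restore points, two in quarantine folders, one live leftover) is the kind of call a helper makes by reading the path of each ESET finding. The following Python is an added example, not part of the thread and not code from ESET, ComboFix or OTL; it parses the "List of found threats" lines quoted in the previous post (embedded here as a constructed sample) and sorts each finding into restore-point, quarantine or live. The folder markers it keys on (the `_restore` directory under System Volume Information, ComboFix's `Qoobox\Quarantine`, Spybot's `Recovery` folder) are assumptions taken from the paths in the report, not an exhaustive list of quarantine locations.

```python
import re
from collections import Counter

# Constructed sample: the ESET "List of found threats" lines posted in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000541.exe a variant of Win32/Kryptik.HHI trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000589.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000592.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000595.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000610.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000611.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000614.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000620.dll Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000621.exe Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000624.exe Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP3\A0000630.dll Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000675.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000676.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000678.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000691.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP4\A0000692.exe Win32/Bamital.EL trojan
C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP5\A0001875.exe Win32/Bamital.EL trojan
"""

# A report line is "<path> <detection name>". Paths contain spaces, so the path is
# taken as everything up to the first file extension that is followed by whitespace.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]+)\s+(?P<detection>\S.*?)\s*$")

# Assumed location markers (lower-cased). A hit here was already neutralised by an
# earlier tool or only survives inside an old restore point.
RESTORE_MARKER = "\\system volume information\\_restore"
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",                   # ComboFix quarantine
    "\\spybot - search & destroy\\recovery\\",  # Spybot S&D backups of removed items
)


def classify_path(path):
    """Return 'restore_point', 'quarantine' or 'live' for one reported path."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore_point"
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def parse_report(text):
    """Parse ESET report lines into dicts with path, detection and location."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a finding
        path, detection = m.group("path"), m.group("detection")
        findings.append({"path": path, "detection": detection, "location": classify_path(path)})
    return findings


def triage(findings):
    """Count findings per location and list the live ones that still need removal."""
    counts = Counter(f["location"] for f in findings)
    live = [f for f in findings if f["location"] == "live"]
    return {"counts": counts, "live": live}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for location, n in sorted(result["counts"].items()):
        print(f"{location:14s} {n}")
    for f in result["live"]:
        print("needs removal:", f["path"], "->", f["detection"])
```

Run on the sample, the counts come out as 17 restore-point hits, 2 quarantined files and 1 live file (`hlp.dat`), which matches the post above: the restore points are dealt with by clearing them, the quarantined copies are inert, and only the live file goes into the OTL `:Files` section.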
     
  19. Jun23

    Jun23 TS Rookie Topic Starter

    Oh, I see. I'm relieved and very grateful for your help ^^
    Computer is working very well. Nothing wrong with it anymore.

    OTL log 1

    Error: Unable to interpret <OTL> in the current context!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip moved successfully.
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users
    -> No Temporary Internet Files cache folder defined!

    User: Default User
    -> No Temporary Internet Files cache folder defined!

    User: HP_Owner
    -> No Temporary Internet Files cache folder defined!

    User: LocalService
    -> No Temporary Internet Files cache folder defined!

    User: NetworkService
    -> No Temporary Internet Files cache folder defined!

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users
    -> No Temporary Internet Files cache folder defined!

    User: Default User
    -> No Temporary Internet Files cache folder defined!

    User: HP_Owner
    -> No Temporary Internet Files cache folder defined!

    User: LocalService
    -> No Temporary Internet Files cache folder defined!

    User: NetworkService
    -> No Temporary Internet Files cache folder defined!

    Total Flash Files Cleaned = 0.00 mb


    OTLPE by OldTimer - Version 3.1.42.0 log created on 10212010_202344

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_22c.dat not found!

    Registry entries deleted on Reboot...

    OTL log 2

    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users
    -> No Temporary Internet Files cache folder defined!

    User: Default User
    -> No Temporary Internet Files cache folder defined!

    User: HP_Owner
    -> No Temporary Internet Files cache folder defined!

    User: LocalService
    -> No Temporary Internet Files cache folder defined!

    User: NetworkService
    -> No Temporary Internet Files cache folder defined!

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users
    -> No Temporary Internet Files cache folder defined!

    User: Default User
    -> No Temporary Internet Files cache folder defined!

    User: HP_Owner
    -> No Temporary Internet Files cache folder defined!

    User: LocalService
    -> No Temporary Internet Files cache folder defined!

    User: NetworkService
    -> No Temporary Internet Files cache folder defined!

    Total Flash Files Cleaned = 0.00 mb

    Error: Unable to interpret <[CLEARALLRESTOREPOINTS]> in the current context!

    OTLPE by OldTimer - Version 3.1.42.0 log created on 10222010_023806


    On the OTL there is no clean up button. Is there another method to remove the tools used?
     
  20. Broni

    Broni Malware Annihilator Posts: 52,904   +344

Way to go!!
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.
