TechSpot

Random sound playing virus (hidden iexplorer.exe)

Solved
By jimvanstevens
Aug 2, 2010
  1. Hello,

    I have this problem for a few days already, some strange sounds starting up at random times, first it where farm sounds now its some kind of movie sound...

    I Followed the instruction on the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions.

    Gmer found some kind of hidden iexplorer i think this is the virus... when the sound starts and i press alt-tab it shows an iexplorer very quick and then loses it...

    I attached the log files...

    Can anyone give me instructions on what to do next :)

    Im running windows xp sp3
     

    Attached Files:

  2. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    I found out with mbrcheck.exe that my mbr is changed

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00100a44

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\J: --> \\.\PhysicalDrive0 at offset 0x00000004`e22d6a00 (NTFS)
    \\.\L: --> \\.\PhysicalDrive0 at offset 0x00000009`c45a5600 (NTFS)
    \\.\U: --> \\.\PhysicalDrive0 at offset 0x0000000d`c1159a00 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black I
    nternet)!
    SHA1: 4BD9A670E18D95DF9112D7A70C775062AF06C5A6


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:


    When trying to solve it... Y option 2(restore the mbr) Selected my physical disk 0

    But after running the tool again it still gives the same message... any ideas
     
  3. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Welcome aboard [​IMG]

    Our manual clearly says:
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  4. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    first off all Thanks for your time!

    i used combofix on my pc and the log file is as followed:



    ComboFix 10-08-02.03 - user_name 03-08-2010 7:43.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.748 [GMT 2:00]
    Running from: c:\documents and settings\user_name\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
    .

    2010-08-02 19:20 . 2010-08-02 19:20 -------- d-----w- c:\documents and settings\user_name\Application Data\Malwarebytes
    2010-08-02 19:19 . 2010-08-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-02 16:31 . 2010-08-02 16:31 -------- d-----w- C:\$AVG8.VAULT$
    2010-08-02 15:58 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-08-02 15:57 . 2010-08-02 15:57 -------- d-----w- c:\program files\Panda Security
    2010-07-29 19:56 . 2010-07-29 19:56 -------- d-----w- c:\documents and settings\user_name\Local Settings\Application Data\Sunbelt Software
    2010-07-29 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-07-29 16:50 . 2010-07-29 16:50 -------- d-----w- c:\program files\Rockstar Games
    2010-07-28 19:53 . 2010-08-03 05:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-28 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-03 05:38 . 2008-12-30 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-08-02 18:37 . 2010-01-04 17:46 -------- d-----w- c:\program files\FLV Player
    2010-08-02 08:24 . 2009-04-24 05:27 -------- d-----w- c:\documents and settings\user_name\Application Data\Skype
    2010-08-02 07:44 . 2009-04-24 05:28 -------- d-----w- c:\documents and settings\user_name\Application Data\skypePM
    2010-07-29 16:35 . 2008-12-30 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-22 18:00 . 2010-06-15 18:32 -------- d-----w- c:\program files\PokerStars
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-08-02_08.40.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-03 05:40 . 2010-08-03 05:40 16384 c:\windows\temp\Perflib_Perfdata_1a8.dat
    + 2004-08-04 12:00 . 2010-08-03 05:44 59842 c:\windows\system32\perfc009.dat
    - 2004-08-04 12:00 . 2010-08-02 07:48 59842 c:\windows\system32\perfc009.dat
    - 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-08-02 20:27 . 2010-08-03 05:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-30 17:02 . 2010-08-03 05:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-30 17:02 . 2010-08-03 05:43 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-12-30 17:02 . 2010-08-02 08:21 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2004-08-04 12:00 . 2010-08-03 05:44 395768 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2010-08-02 07:48 395768 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/2/2010 5:58 PM 28552]
    R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/30/2008 7:23 PM 191092]
    R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/30/2008 7:23 PM 6100]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user_name\Application Data\Mozilla\Firefox\Profiles\0s6m9rdq.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\Canon\APU\npCCBPLFirefox.dll
    FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-03 07:47
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(788)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-08-03 07:48:11
    ComboFix-quarantined-files.txt 2010-08-03 05:48
    ComboFix2.txt 2010-08-02 20:59
    ComboFix3.txt 2010-08-02 20:17
    ComboFix4.txt 2010-08-02 08:41

    Pre-Run: 6.557.732.864 bytes free
    Post-Run: 6.555.996.160 bytes free

    - - End Of File - - 40542FFB14D45B3A97CCA02FD8D9D18E
     
  5. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    I can see, you ran Combofix several times today.
    Never run Combofix on your own!

    I'd like to see following logs:
    ComboFix2.txt 2010-08-02 20:59
    ComboFix3.txt 2010-08-02 20:17
    ComboFix4.txt 2010-08-02 08:41

    You can find them in C:\Qoobox folder.

    I'll repeat one more time, as our manual says:
    If you do it again, you're on your own....
     
  6. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    i atached file combofix2 combofix3 and combofix4

    I tryed it a few times before posting anything on the forum...i wont do it again :)

    thank you very much for your time i really appreceate it!
     

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Delete your Combofix file and download fresh copy from HERE
    Run it and post resulting log.
     
  8. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    Thank you for your time!!! btw congratulations on your 5000 post!

    I uninstalled spybot, avg, adaware yesterday morning...

    I used the fresh copy of combofix... it told me i had the whisler rootkit and it needed to restart my pc...

    After restart, it started again and this is the log file:


    ComboFix 10-07-31.01 - user_name 04-08-2010 7:35.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.781 [GMT 2:00]
    Running from: c:\documents and settings\user_name\Desktop\wCFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
    .

    2010-08-02 19:20 . 2010-08-02 19:20 -------- d-----w- c:\documents and settings\user_name\Application Data\Malwarebytes
    2010-08-02 19:19 . 2010-08-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-02 16:31 . 2010-08-02 16:31 -------- d-----w- C:\$AVG8.VAULT$
    2010-08-02 15:58 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-08-02 15:57 . 2010-08-02 15:57 -------- d-----w- c:\program files\Panda Security
    2010-07-29 19:56 . 2010-07-29 19:56 -------- d-----w- c:\documents and settings\user_name\Local Settings\Application Data\Sunbelt Software
    2010-07-29 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-07-29 16:50 . 2010-07-29 16:50 -------- d-----w- c:\program files\Rockstar Games
    2010-07-28 19:53 . 2010-08-03 05:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-28 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-03 05:38 . 2008-12-30 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-08-02 18:37 . 2010-01-04 17:46 -------- d-----w- c:\program files\FLV Player
    2010-08-02 08:24 . 2009-04-24 05:27 -------- d-----w- c:\documents and settings\user_name\Application Data\Skype
    2010-08-02 07:44 . 2009-04-24 05:28 -------- d-----w- c:\documents and settings\user_name\Application Data\skypePM
    2010-07-29 16:35 . 2008-12-30 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-22 18:00 . 2010-06-15 18:32 -------- d-----w- c:\program files\PokerStars
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-08-02_08.40.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-04 05:35 . 2010-08-04 05:35 16384 c:\windows\temp\Perflib_Perfdata_200.dat
    + 2004-08-04 12:00 . 2010-08-04 05:39 59842 c:\windows\system32\perfc009.dat
    - 2004-08-04 12:00 . 2010-08-02 07:48 59842 c:\windows\system32\perfc009.dat
    - 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-08-02 20:27 . 2010-08-04 05:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-30 17:02 . 2010-08-04 05:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-30 17:02 . 2010-08-04 05:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-12-30 17:02 . 2010-08-02 08:21 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2004-08-04 12:00 . 2010-08-04 05:39 395768 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2010-08-02 07:48 395768 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/2/2010 5:58 PM 28552]
    R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/30/2008 7:23 PM 191092]
    R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/30/2008 7:23 PM 6100]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user_name\Application Data\Mozilla\Firefox\Profiles\0s6m9rdq.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\Canon\APU\npCCBPLFirefox.dll
    FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-04 07:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(784)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-08-04 07:41:23
    ComboFix-quarantined-files.txt 2010-08-04 05:41
    ComboFix2.txt 2010-08-03 05:48

    Pre-Run: 6.441.439.232 bytes free
    Post-Run: 6.468.571.136 bytes free

    - - End Of File - - 4C37EFEC7FEA2210D9A6AFFA651FA55B
     
  9. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Very good :)

    How are the issues?

    Please, re-run MBRCheck and post fresh log.
     
  10. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    OK i used mbr check here is the log: as far as i can see it looks better then before! what is the next step :) congrats on making over 5000 posts... you are very helpfull to a lot of people!

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00100a44

    Kernel Drivers (total 132):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7D2E000 \WINDOWS\system32\KDCOM.DLL
    0xF7C3E000 \WINDOWS\system32\BOOTVID.dll
    0xF77DF000 ACPI.sys
    0xF7D30000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF77CE000 pci.sys
    0xF782E000 isapnp.sys
    0xF783E000 ohci1394.sys
    0xF784E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7C42000 compbatt.sys
    0xF7C46000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7DF6000 pciide.sys
    0xF7AAE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7D32000 intelide.sys
    0xF77B0000 pcmcia.sys
    0xF785E000 MountMgr.sys
    0xF7791000 ftdisk.sys
    0xF7D34000 dmload.sys
    0xF776B000 dmio.sys
    0xF7C4A000 ACPIEC.sys
    0xF7DF7000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7AB6000 PartMgr.sys
    0xF7ABE000 pavboot.sys
    0xF786E000 VolSnap.sys
    0xF7753000 atapi.sys
    0xF787E000 disk.sys
    0xF788E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7733000 fltmgr.sys
    0xF7721000 sr.sys
    0xF770A000 KSecDD.sys
    0xF767D000 Ntfs.sys
    0xF7650000 NDIS.sys
    0xF7636000 Mup.sys
    0xF789E000 agp440.sys
    0xF7A2E000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF74C1000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF74AD000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7B16000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7489000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7B1E000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7A3E000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF7477000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
    0xF7D46000 \SystemRoot\system32\drivers\MbxStby.sys
    0xF7448000 \SystemRoot\system32\drivers\o2mmb.sys
    0xF72B3000 \SystemRoot\system32\DRIVERS\w22n51.sys
    0xF7A4E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7B26000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7286000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7D48000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7B2E000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A5E000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7A6E000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7A7E000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7263000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF723C000 \SystemRoot\system32\drivers\vinyl97.sys
    0xF7218000 \SystemRoot\system32\drivers\portcls.sys
    0xF7A8E000 \SystemRoot\system32\drivers\drmk.sys
    0xF7CF6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF7EFA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7A9E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7CFA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF71D9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF78CE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF78DE000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7B36000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF71C8000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF78EE000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7B3E000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7B46000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF70F8000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF78FE000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7D4A000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF709A000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7D1A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF790E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF793E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7D4C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7F7A000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7D4E000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7B66000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7B6E000 \SystemRoot\System32\drivers\vga.sys
    0xF7D50000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7D52000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7B76000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7B7E000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF75E1000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAAFCD000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAAF74000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAAF4C000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAAF2A000 \SystemRoot\System32\drivers\afd.sys
    0xF794E000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAAEFF000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAAE67000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF795E000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAAE41000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF796E000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF797E000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xF799E000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF7210000 \SystemRoot\System32\Drivers\n558.sys
    0xF7B86000 \SystemRoot\System32\Drivers\BTHUSB.sys
    0xAAD5E000 \SystemRoot\System32\Drivers\bthport.sys
    0xF720C000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF79AE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7B8E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF7200000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF71F8000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF79BE000 \SystemRoot\system32\DRIVERS\rfcomm.sys
    0xF7B96000 \SystemRoot\system32\DRIVERS\BthEnum.sys
    0xAAD1D000 \SystemRoot\system32\DRIVERS\bthpan.sys
    0xAAD05000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7D58000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7086000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7B9E000 \SystemRoot\System32\watchdog.sys
    0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
    0xF7E8E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF9D5000 \SystemRoot\System32\ati2dvag.dll
    0xBFA0D000 \SystemRoot\System32\ati2cqag.dll
    0xBFA47000 \SystemRoot\System32\ati3duag.dll
    0xBFC6A000 \SystemRoot\System32\ativvaxx.dll
    0xAAC05000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAA958000 \SystemRoot\system32\drivers\wdmaud.sys
    0xAAB15000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAA80D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAA6CB000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF7BBE000 \??\C:\DOCUME~1\user_name\LOCALS~1\Temp\catchme.sys
    0xF7DAA000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    0xF7C06000 \??\C:\DOCUME~1\user_name\LOCALS~1\Temp\mbr.sys
    0xAA178000 \SystemRoot\system32\drivers\kmixer.sys
    0xAA137000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 33):
    0 System Idle Process
    4 System
    632 C:\WINDOWS\system32\smss.exe
    744 csrss.exe
    784 C:\WINDOWS\system32\winlogon.exe
    832 C:\WINDOWS\system32\services.exe
    844 C:\WINDOWS\system32\lsass.exe
    1000 C:\WINDOWS\system32\ati2evxx.exe
    1012 C:\WINDOWS\system32\svchost.exe
    1084 svchost.exe
    1176 C:\WINDOWS\system32\svchost.exe
    1216 svchost.exe
    1276 svchost.exe
    1656 C:\WINDOWS\system32\spoolsv.exe
    440 svchost.exe
    456 C:\WINDOWS\system32\CTSVCCDA.EXE
    512 C:\Program Files\Java\jre6\bin\jqs.exe
    544 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    648 C:\WINDOWS\system32\HPZipm12.exe
    1300 C:\WINDOWS\system32\svchost.exe
    1348 wdfmgr.exe
    1576 C:\Program Files\Canon\CAL\CALMAIN.exe
    1752 alg.exe
    2012 C:\WINDOWS\system32\ati2evxx.exe
    344 C:\WINDOWS\system32\wscntfy.exe
    1160 wmiprvse.exe
    1380 C:\WINDOWS\system32\notepad.exe
    200 C:\WINDOWS\explorer.exe
    580 C:\WINDOWS\system32\wuauclt.exe
    1136 C:\Program Files\Mozilla Firefox\firefox.exe
    216 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2196 C:\Program Files\totalcmd\totalcmd\TOTALCMD.EXE
    2276 C:\Documents and Settings\user_name\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\J: --> \\.\PhysicalDrive0 at offset 0x00000004`e22d6a00 (NTFS)
    \\.\L: --> \\.\PhysicalDrive0 at offset 0x00000009`c45a5600 (NTFS)
    \\.\U: --> \\.\PhysicalDrive0 at offset 0x0000000d`c1159a00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGMP0804H, Rev: UE100-14

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  11. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Thank you :)

    MBRCheck looks good :)

    Any current issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
     
  12. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    As far as i can see no current issues...

    I uninstalled Combofix restarted my laptop and did a run with OTL (including the custom settings)

    I think we are getting somewhere thank you very much!

    Here is the extras.txt


    OTL Extras logfile created on: 4-8-2010 7:58:33 - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\user_name\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000413 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

    1.023,00 Mb Total Physical Memory | 748,00 Mb Available Physical Memory | 73,00% Memory free
    2,00 Gb Paging File | 2,00 Gb Available in Paging File | 93,00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 19,53 Gb Total Space | 7,18 Gb Free Space | 36,74% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    Drive G: | 661,33 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
    Drive J: | 19,53 Gb Total Space | 17,61 Gb Free Space | 90,14% Space Free | Partition Type: NTFS
    Drive L: | 15,95 Gb Total Space | 11,82 Gb Free Space | 74,13% Space Free | Partition Type: NTFS
    Drive U: | 19,53 Gb Total Space | 15,06 Gb Free Space | 77,07% Space Free | Partition Type: NTFS

    Computer Name: LAPTOP-user_name
    Current User Name: user_name
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
    "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{015D937D-9D52-45A4-BDAA-2413938C0564}" = O2Micro MemoryCardBus Windows Driver
    "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
    "{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
    "{10F5387D-1728-423A-A578-B00982CF2646}" = Windows Live Messenger
    "{1AEC8F41-4701-415D-9782-F69CFB535463}" = Creative Zen MicroPhoto
    "{1BD6AE96-4742-4498-9D03-9451C7E5A214}" = Windows Live aanmeldhulp
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live - Hulpprogramma voor uploaden
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
    "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 17
    "{2A8F82E8-7B86-4AFD-BFBC-2BA4C2CF52DB}" = Windows Live Call
    "{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{4B35F00C-E63D-40DC-9839-DF15A33EAC46}" = Grand Theft Auto Vice City
    "{5469D537-9B44-4c78-BF2D-5F9807564F74}" = HP PSC & OfficeJet 4.7
    "{562B9CA4-6E52-4F87-ACEC-912FC004F1F0}" = Windows Live Essentials
    "{5A24DD7E-7B01-41AC-ADA8-F1776177A3BA}" = Logitech ImageStudio
    "{5FE1E412-D114-46E8-A891-5BE087B256A5}" = MVision
    "{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
    "{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
    "{90120000-0010-0413-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Dutch) 12
    "{90120000-0015-0413-0000-0000000FF1CE}" = Microsoft Office Access MUI (Dutch) 2007
    "{90120000-0016-0413-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Dutch) 2007
    "{90120000-0018-0413-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Dutch) 2007
    "{90120000-0019-0413-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Dutch) 2007
    "{90120000-001A-0413-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Dutch) 2007
    "{90120000-001B-0413-0000-0000000FF1CE}" = Microsoft Office Word MUI (Dutch) 2007
    "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proof (Dutch) 2007
    "{90120000-002C-0413-0000-0000000FF1CE}" = Microsoft Office Proofing (Dutch) 2007
    "{90120000-0044-0413-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Dutch) 2007
    "{90120000-006E-0413-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Dutch) 2007
    "{90120000-00A1-0413-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Dutch) 2007
    "{90120000-00BA-0413-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Dutch) 2007
    "{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{AC76BA86-7AD7-1043-7B44-A90000000001}" = Adobe Reader 9 - Nederlands
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "Aangifte inkomstenbelasting 2008" = Aangifte inkomstenbelasting 2008
    "Aangifte inkomstenbelasting 2009" = Aangifte inkomstenbelasting 2009
    "ActiveScan 2.0" = Panda ActiveScan 2.0
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "All ATI Software" = ATI - Software Uninstall Utility
    "APU" = CANON iMAGE GATEWAY Album Plugin Utility
    "ATI Display Driver" = ATI Display Driver
    "CAL" = Canon Camera Access Library
    "CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    "CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    "CameraWindowLauncher" = Canon Utilities CameraWindow
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
    "Canon MOV Decoder" = Canon MOV Decoder
    "Creative Removable Disk Manager" = Creative Beheer van verwijderbare schijf
    "CSCLIB" = Canon Camera Support Core Library
    "DPP" = Canon Utilities Digital Photo Professional 3.6
    "ENTERPRISER" = Microsoft Office Enterprise 2007
    "EOS Utility" = Canon Utilities EOS Utility
    "Free Easy Burner_is1" = Free Easy Burner V 3.8
    "ft_Transport Tycoon Deluxe" = Transport Tycoon Deluxe
    "HP Photo & Imaging" = HP Image Zone 4.7
    "Huur- en zorgtoeslag 2009" = Huur- en zorgtoeslag 2009
    "InstallShield_{015D937D-9D52-45A4-BDAA-2413938C0564}" = O2Micro MemoryCardBus Windows Driver
    "lvdrivers_11.50" = Logitech QuickCam Driver Package
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "MyCamera" = Canon Utilities MyCamera
    "Original Data Security Tools" = Canon Utilities Original Data Security Tools
    "PhotoStitch" = Canon Utilities PhotoStitch
    "Picture Style Editor" = Canon Utilities Picture Style Editor
    "PokerStars" = PokerStars
    "RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "SysInfo" = Creative-systeeminformatie
    "VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
    "WFTK" = Canon Utilities WFT-E1/E2/E3/E4 Utility
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows Media Player" = Windows Media Player 10
    "Windows Mobile Device Handbook" = Windows Mobile-hulpbronnen
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 28-7-2010 15:51:17 | Computer Name = LAPTOP-user_name | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 28-7-2010 15:51:17 | Computer Name = LAPTOP-user_name | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 29-7-2010 15:56:24 | Computer Name = LAPTOP-user_name | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 2-8-2010 15:35:32 | Computer Name = LAPTOP-user_name | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 2-8-2010 17:18:01 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
    module unknown, version 0.0.0.0, fault address 0x7e2d49fe.

    Error - 2-8-2010 17:19:33 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
    module unknown, version 0.0.0.0, fault address 0x7e2d49fe.

    Error - 2-8-2010 17:20:09 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
    module unknown, version 0.0.0.0, fault address 0x7e2d49fe.

    Error - 3-8-2010 11:31:07 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
    Description = Faulting application alg.exe, version 5.1.2600.5512, faulting module
    unknown, version 0.0.0.0, fault address 0x00040000.

    Error - 3-8-2010 11:33:24 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1004
    Description = Faulting application alg.exe, version 5.1.2600.5512, faulting module
    unknown, version 0.0.0.0, fault address 0x00040000.

    Error - 3-8-2010 17:09:08 | Computer Name = LAPTOP-user_name | Source = Application Error | ID = 1000
    Description = Faulting application gta-vc.exe, version 0.0.0.0, faulting module
    gta-vc.exe, version 0.0.0.0, fault address 0x00260fbd.

    [ System Events ]
    Error - 3-8-2010 1:53:09 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 3-8-2010 11:30:35 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 3-8-2010 11:32:53 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7034
    Description = The Application Layer Gateway Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 3-8-2010 13:51:44 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 3-8-2010 13:52:26 | Computer Name = LAPTOP-user_name | Source = System Error | ID = 1003
    Description = Error code 10000050, parameter1 e3f0824c, parameter2 00000001, parameter3
    bf9ce566, parameter4 00000001.

    Error - 4-8-2010 1:10:25 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 4-8-2010 1:35:15 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 4-8-2010 1:56:27 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 4-8-2010 1:58:43 | Computer Name = LAPTOP-user_name | Source = SRService | ID = 104
    Description = The System Restore initialization process failed.

    Error - 4-8-2010 1:58:43 | Computer Name = LAPTOP-user_name | Source = Service Control Manager | ID = 7023
    Description = The System Restore Service service terminated with the following error:
    %%2


    < End of report >
     
  13. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    OTL.TXT is to long so i attached it :)
     

    Attached Files:

    • OTL.Txt
      File size:
      57.8 KB
      Views:
      1
  14. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Good news then :)

    What happened to AVG?

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No CLSID value found.
      O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  15. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    The log after the quick fix:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: user_name
    ->Temp folder emptied: 9325431 bytes
    ->Temporary Internet Files folder emptied: 622836 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 92670538 bytes
    ->Flash cache emptied: 4844 bytes

    User: user_name
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 2424966 bytes
    ->Flash cache emptied: 953 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 100,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: user_name
    ->Flash cache emptied: 0 bytes

    User: user_name
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08052010_070745

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  16. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    and the OTL log...

    avvg is uninstalled 2days ago because it wouldnt disable or stop... any tips for a new virus scanner
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Just to make sure, no AVG leftovers are present, run AVG Remover: http://www.avg.com/us-en/download-tools, if you didn't use it to uninstall AVG.

    Download and install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

    Then, last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  18. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    Security check log... after this i will run the temp file cleaner and the kaspersky virus scanner, then i will install avira (is this a problem to install the virus scanner as latest?)

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 21
    Adobe Flash Player 10.0.32.18
    Adobe Reader 9 - Nederlands
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.8)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  19. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Not at all. Make sure, Windows firewall is up.


    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
     
  20. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    OK i updated adobe reader

    Should i also update my internet explorer?
    Im running firefox...but just in case someone uses it?
     
  21. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Absolutely. At least IE7.
     
  22. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    I used tfc and kaspersky... it only found the .dat files (from mbrcheck) with the virus...after i deleted those files it didn't find any virusses
    so that looks good :)

    I update internet explorer to version 8.0.6001.18702
    Installed avira anti virus


    I also have a usb hard drive... do you have any scanning tips for this device?
    Is it possible that the mbr virus is on the disk? (i dont think so because there is no operating system on it)
     
  23. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    If you don't have anything important on that stick, format it.
    If you do have some important stuff, scan it with your AV program.

    Now...

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =====================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
  24. jimvanstevens

    jimvanstevens TS Rookie Topic Starter

    I used OTL to clean up...
    Turned off system resotre...restarted and turned it back on...

    I will run defrag...

    I think my computer is clean and safe enough now!

    Thank you very much for your help and your time!!! :)
     
  25. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Yes!! [​IMG]
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.