TechSpot

Strange winlogon.exe infection that can't be removed because it's read only?

By robynloraine
Aug 19, 2010
  1. Hello all.

    I decided to join your website because I couldn't find anywhere else that seemed like it could help with this problem. I searched for similar topics but only two came up, one that was only sort of like my issue and another that had nearly no responses.

    A couple weeks ago I got infected with a 'browser hijacker' that made Firefox re-direct me to random sites when searching through Google. Apparently my AVG hadn't been keeping anything out. I got Avast and Malwarebytes (and Google Chrome with Avast, which has not yet had the same redirecting issue Firefox had; I had to uninstall Firefox because it simply wouldn't let me do any searches). I ran a scan in safe mode and thought I'd gotten rid of the infection, which I was told by Malwarebytes was called Vundo.

    Now, I ran Avast yesterday and keep getting a strange infection called win32:Bamital-X (it shows up under winlogon.exe in the system32 folder) that, no matter what I try, I can't delete because it keeps telling me it's a "read only 6009" file. I run Malwarebytes and it doesn't pick anything up. I ran both in safe mode again and not even Avast got it then! Avast also keeps giving me a popup that says it blocked bamital-x from executing whenever I run Avast. My computer is getting extremely slow.


    Here is my most recent Malwarebytes log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4412

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    8/19/2010 4:44:16 PM
    mbam-log-2010-08-19 (16-44-16).txt

    Scan type: Quick scan
    Objects scanned: 140700
    Time elapsed: 10 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Not sure what else I need to post. Any help is appreciated.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

  3. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Hello! I looked through those steps. I was unable to get GMER to work properly, although I do not have Windows 7 (I have XP). However, I got DDS to work so here are the two logs from that (I attached the one I'm not supposed to copy paste here, so I hope that's right).


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 20:14:54.45 on Thu 08/19/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.349 [GMT -6:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\ClamWin\bin\ClamTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: {206f3977-fc89-479f-b62e-73560319ee2a} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRun: [Power2GoExpress] NA
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-system: EnableProfileQuota = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252447483984
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\windows\system32\katenugu.dll c:\windows\system32\dobipimo.dll c:\windows\system32\hapoyivu.dll c:\windows\system32\fodevuna.dll c:\windows\system32\zizatewa.dll c:\windows\system32\jajovoga.dll c:\windows\system32\dabukido.dll c:\windows\system32\bolivovi.dll c:\windows\system32\faruregi.dll,c:\windows\system32\vamonumi.dll
    LSA: Notification Packages = scecli l3dfclni.dll c:\windows\system32\vamonumi.dll
    Hosts: 209.44.111.62 surety.microsoft.com
    Hosts: 209.44.111.62 aware-protect.com
    Hosts: 209.44.111.62 www.aware-protect.com

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-8 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-8 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-8 136176]
    S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-9-11 627072]

    =============== Created Last 30 ================

    2010-08-10 09:28:33 0 d-----w- C:\RegBack
    2010-08-10 09:28:16 0 d-----w- c:\windows\system32\NtmsData
    2010-08-10 09:26:55 0 d-----w- c:\program files\ACW
    2010-08-10 03:04:11 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2010-08-10 03:03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 03:03:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-08-10 03:03:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-10 03:03:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-09 06:12:02 0 d-----w- c:\docume~1\owner\applic~1\.clamwin
    2010-08-09 06:11:12 0 d-----w- c:\program files\ClamWin
    2010-08-09 06:11:12 0 d-----w- c:\documents and settings\all users\.clamwin
    2010-08-09 04:24:10 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-09 04:23:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-08-09 03:36:01 0 d-----w- C:\NetworkControl
    2010-08-09 03:31:00 0 d-----w- C:\d467db2a9be49790e3830233b0

    ==================== Find3M ====================

    2009-04-12 13:29:43 2098 --sh--w- c:\windows\system32\bibegipe.exe
    2009-03-28 17:09:41 2098 --sh--w- c:\windows\system32\bodolali.exe
    2009-04-24 09:36:17 2098 --sh--w- c:\windows\system32\fuguyelo.exe
    2009-03-30 17:10:23 2098 --sh--w- c:\windows\system32\gifuyovi.exe
    2009-03-30 05:10:24 2098 --sh--w- c:\windows\system32\kabujupe.exe
    2009-03-29 17:10:07 2098 --sh--w- c:\windows\system32\lijohoyo.exe
    2009-03-29 05:10:01 2098 --sh--w- c:\windows\system32\yurezasa.exe

    ============= FINISH: 20:15:29.01 ===============
     


  4. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    You have some McAfee leftovers.
    Please run the McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

    =========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Here's the Combofix report


    ComboFix 10-08-18.04 - Owner 08/19/2010 20:48:35.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.468 [GMT -6:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}
    c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome.manifest
    c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome\content\_cfg.js
    c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome\content\c.js
    c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome\content\overlay.xul
    c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\install.rdf
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
    C:\NetworkControl
    c:\windows\Fonts\mlog
    c:\windows\Install.txt
    c:\windows\system32\bibegipe.exe
    c:\windows\system32\ekanivev.ini
    c:\windows\system32\emapavud.ini
    c:\windows\system32\epezuwiw.ini
    c:\windows\system32\Install.txt
    c:\windows\system32\isejupaw.ini
    c:\windows\system32\obekalin.ini
    c:\windows\system32\odoboyek.ini
    c:\windows\system32\okuwotun.ini
    c:\windows\system32\omuyoreg.ini
    c:\windows\system32\owalulis.ini
    c:\windows\system32\ukavuwon.ini
    c:\windows\system32\umemaziv.ini
    c:\windows\system32\utiwabon.ini
    c:\windows\system32\uvimever.ini
    c:\windows\system32\uyatavat.ini
    c:\windows\system32\uyukofef.ini
    D:\Autorun.inf

    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_MSNCACHE
    -------\Legacy_PCMSTUB
    -------\Legacy_SOPIDKC
    -------\Service_6to4


    ((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
    .

    2010-08-10 16:36 . 2010-08-10 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-10 09:28 . 2010-08-10 09:28 -------- d-----w- C:\RegBack
    2010-08-10 09:28 . 2010-08-10 09:29 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-10 09:26 . 2010-08-10 16:27 -------- d-----w- c:\program files\ACW
    2010-08-10 03:04 . 2010-08-10 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-08-10 03:03 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-10 03:03 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-09 06:12 . 2010-08-09 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
    2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\program files\ClamWin
    2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\documents and settings\All Users\.clamwin
    2010-08-09 04:31 . 2010-08-09 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-08-09 04:26 . 2010-08-19 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
    2010-08-09 04:26 . 2010-08-09 04:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-08-09 04:25 . 2010-08-09 04:28 -------- d-----w- c:\program files\Google
    2010-08-09 04:25 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-09 04:25 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-09 04:25 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-09 04:25 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-09 04:25 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-08-09 04:25 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-08-09 04:25 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-09 04:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-09 04:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-09 04:23 . 2010-08-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-09 03:31 . 2010-08-09 04:50 -------- d-----w- C:\d467db2a9be49790e3830233b0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-14 06:19 . 2009-09-08 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
    2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-09 07:45 . 2009-07-08 18:03 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-08-09 04:48 . 2009-03-29 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-08-09 04:23 . 2008-10-29 19:32 -------- d-----w- c:\program files\Alwil Software
    2010-08-08 12:31 . 2010-01-21 06:07 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2009-03-28 17:09 . 2009-03-28 17:09 2098 --sh--w- c:\windows\system32\bodolali.exe
    2009-04-24 09:36 . 2009-04-24 09:36 2098 --sh--w- c:\windows\system32\fuguyelo.exe
    2009-03-30 17:10 . 2009-03-30 17:10 2098 --sh--w- c:\windows\system32\gifuyovi.exe
    2009-03-30 05:10 . 2009-03-30 05:10 2098 --sh--w- c:\windows\system32\kabujupe.exe
    2009-03-29 17:10 . 2009-03-29 17:10 2098 --sh--w- c:\windows\system32\lijohoyo.exe
    2009-03-29 05:10 . 2009-03-29 05:10 2098 --sh--w- c:\windows\system32\yurezasa.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
    [-] 2004-08-04 . 8E269F080887F222AD9BB26B6792FEAA . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
    "c:\\WINDOWS\\RTHDCPL.exe"=
    "c:\\TEMP\\vlc-1.0.3\\vlc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2010 10:25 PM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/8/2010 10:25 PM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/8/2010 10:26 PM 136176]
    S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/11/2009 3:45 PM 627072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{206f3977-fc89-479f-b62e-73560319ee2a} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-19 20:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(516)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1000)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\system32\wdfmgr.exe
    c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-19 21:03:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-20 03:03

    Pre-Run: 42,089,943,040 bytes free
    Post-Run: 42,185,531,392 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 906D5AF9954E8698A236BB344F0243BD
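    An added example, not part of the thread and not DDS, ComboFix or Broni's code: a small Python triage script that reads the kinds of lines shown in the DDS and ComboFix logs above and flags the indicator classes visible there, namely AppInit_DLLs entries, extra LSA notification packages, hosts-file redirects to 209.44.111.62, and the 2098-byte hidden+system executables in system32. The file-line parser accepts both the DDS Find3M layout and the ComboFix file-line layout, which goes a little beyond the DDS lines alone; the 4096-byte cutoff and the eight-letter-name heuristic are assumptions, and the sample log at the bottom is constructed from lines on this page plus two benign lines for contrast.

```python
"""Triage helper for DDS / ComboFix log lines (added example; not DDS, ComboFix
or the thread's own code). Flags AppInit_DLLs injection, extra LSA notification
packages, hosts-file redirects, and tiny hidden+system files in system32."""
from __future__ import annotations

import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Eight lowercase letters plus .exe/.dll: the naming pattern in the thread's log.
# Heuristic assumption, not a DDS or ComboFix rule.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
# Matches the tail of both DDS Find3M lines ("<date> <time> <size> <attrs> <path>")
# and ComboFix file lines ("<date> . <date> <size> <attrs> <path>").
FILE_LINE = re.compile(r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>[A-Za-z]:\\.+)$")
# Files smaller than this with system+hidden attributes are worth a look (assumed cutoff).
TINY_BYTES = 4096


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_appinit(line: str) -> list[Finding]:
    """Every DLL in AppInit_DLLs is loaded into each user32-linked process; a stock
    XP box has this value empty, so any entry is a finding. DDS separates entries
    with spaces or commas (both appear in the thread's log)."""
    _, _, value = line.partition("AppInit_DLLs:")
    return [Finding("appinit_dll", p) for p in re.split(r"[,\s]+", value.strip()) if p]


def check_lsa_packages(line: str) -> list[Finding]:
    """'scecli' is the stock notification package on XP; anything else is called
    by LSA on password changes and logons."""
    _, _, value = line.partition("=")
    return [Finding("lsa_package", p) for p in value.split() if p.lower() != "scecli"]


def check_hosts(line: str) -> list[Finding]:
    """A hosts entry pointing a name at a non-loopback address is a redirect."""
    parts = line.split()
    if len(parts) < 3 or parts[1] in LOOPBACK:
        return []
    return [Finding("hosts_redirect", f"{parts[2]} -> {parts[1]}")]


def check_file_line(line: str) -> list[Finding]:
    """Flag small system+hidden files with random names under system32."""
    m = FILE_LINE.search(line)
    if not m:
        return []
    size, attrs, path = int(m["size"]), m["attrs"], m["path"]
    name = path.rsplit("\\", 1)[-1]
    if ("s" in attrs and "h" in attrs and "\\system32\\" in path.lower()
            and size < TINY_BYTES and RANDOM_NAME.match(name)):
        return [Finding("hidden_system32_file", f"{path} ({size} bytes, {attrs})")]
    return []


def triage(log_text: str) -> list[Finding]:
    """Dispatch each log line to the matching check and collect findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            findings += check_appinit(line)
        elif line.startswith("LSA: Notification Packages"):
            findings += check_lsa_packages(line)
        elif line.startswith("Hosts:"):
            findings += check_hosts(line)
        else:
            findings += check_file_line(line)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick overview of a long log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: lines copied from the DDS and ComboFix logs in this thread,
# plus one benign hosts line and one benign file line for contrast.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: c:\windows\system32\katenugu.dll c:\windows\system32\dobipimo.dll,c:\windows\system32\vamonumi.dll
LSA: Notification Packages = scecli l3dfclni.dll c:\windows\system32\vamonumi.dll
Hosts: 209.44.111.62 surety.microsoft.com
Hosts: 209.44.111.62 aware-protect.com
Hosts: 127.0.0.1 localhost
2009-04-12 13:29:43 2098 --sh--w- c:\windows\system32\bibegipe.exe
2009-03-28 17:09:41 2098 --sh--w- c:\windows\system32\bodolali.exe
2009-04-24 09:36 . 2009-04-24 09:36 2098 --sh--w- c:\windows\system32\fuguyelo.exe
2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it a whole DDS or ComboFix log via triage(); lines it does not recognise are simply skipped.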
     
  6. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\bodolali.exe
    c:\windows\system32\fuguyelo.exe
    c:\windows\system32\gifuyovi.exe
    c:\windows\system32\kabujupe.exe
    c:\windows\system32\lijohoyo.exe
    c:\windows\system32\yurezasa.exe
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\avg8
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  7. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Hello. I have gone ahead and done that. The log is very long so I have to attach it. I would also like to note that I am still getting the Avast alerts of 'Malware Blocked' for bamital-x even after running combofix.
     

    Attached Files: log.txt (88.2 KB)
  8. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    You're still infected, that's why...

    Make sure your Avast is updated. Run full scan.
    Report on any findings.

    When done, delete your Combofix file, download a fresh one and post a new log.
     
  9. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Ran a full scan with Avast; I got two bamital-x's.

    Ran a new Combofix. Here's the log.


    ComboFix 10-08-18.04 - Owner 08/20/2010 0:17.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.309 [GMT -6:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
    .

    2010-08-10 16:36 . 2010-08-10 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-10 16:34 . 2008-10-29 05:25 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
    2010-08-10 16:34 . 2008-10-29 05:25 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
    2010-08-10 09:28 . 2010-08-10 09:28 -------- d-----w- C:\RegBack
    2010-08-10 09:28 . 2010-08-10 09:29 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-10 09:26 . 2010-08-10 16:27 -------- d-----w- c:\program files\ACW
    2010-08-10 03:04 . 2010-08-10 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-08-10 03:03 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-10 03:03 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-09 06:12 . 2010-08-09 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
    2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\program files\ClamWin
    2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\documents and settings\All Users\.clamwin
    2010-08-09 04:31 . 2010-08-09 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-08-09 04:26 . 2010-08-19 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
    2010-08-09 04:26 . 2010-08-09 04:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-08-09 04:25 . 2010-08-09 04:28 -------- d-----w- c:\program files\Google
    2010-08-09 04:25 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-09 04:25 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-09 04:25 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-09 04:25 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-09 04:25 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-08-09 04:25 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-08-09 04:25 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-09 04:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-09 04:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-09 04:23 . 2010-08-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-09 03:31 . 2010-08-09 04:50 -------- d-----w- C:\d467db2a9be49790e3830233b0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-14 06:19 . 2009-09-08 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
    2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-09 07:45 . 2009-07-08 18:03 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-08-09 04:23 . 2008-10-29 19:32 -------- d-----w- c:\program files\Alwil Software
    2010-08-08 12:31 . 2010-01-21 06:07 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
    [-] 2004-08-04 . 8E269F080887F222AD9BB26B6792FEAA . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
    "c:\\WINDOWS\\RTHDCPL.exe"=
    "c:\\TEMP\\vlc-1.0.3\\vlc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2010 10:25 PM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/8/2010 10:25 PM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/8/2010 10:26 PM 136176]
    S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/11/2009 3:45 PM 627072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-20 00:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(516)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-08-20 00:25:59
    ComboFix-quarantined-files.txt 2010-08-20 06:25
    ComboFix2.txt 2010-08-20 03:33
    ComboFix3.txt 2010-08-20 03:03

    Pre-Run: 42,182,725,632 bytes free
    Post-Run: 42,166,931,456 bytes free

    - - End Of File - - 95E890D4DFCE3F4EB6453AA3A6AD33AA
     
  10. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Was Avast able to remove them?

    Do you have Windows XP CD?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      proquota.exe
      winlogon.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Avast is not able to remove them because they are "read only files". I can't even move them to the chest.

    I think I might but I am not sure where my Windows xp cd would be. I've had this computer for five years.

    SystemLook gets me this:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 17:10 on 20/08/2010 by Owner (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "proquota.exe"
    C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe --a--- 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

    Searching for "winlogon.exe"
    C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe --a--- 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [21:55 27/04/2008] [19:00 04/08/2004] (Unable to calculate MD5)

    -=End Of File=-
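The SystemLook output above is what the next step hinges on: the update-cache copy of winlogon.exe hashes cleanly and is 507904 bytes, the system32 copy is 502272 bytes and cannot be hashed at all, and proquota.exe has no system32 copy. As an added example that is not part of the thread or of SystemLook itself, the Python below parses `:filefind` output of this shape and flags those three conditions automatically. The sample log is the thread's own output embedded as a constructed string; the regexes, function names and the `system_dir` parameter are this example's assumptions about the format. A size difference on its own only says "different build or modified", so the triage is a prompt for a signature or hash check rather than a verdict.

```python
import re

# Constructed sample: the SystemLook filefind output posted in the thread,
# embedded as a raw string so the parser can run offline.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:10 on 20/08/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe --a--- 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

Searching for "winlogon.exe"
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe --a--- 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [21:55 27/04/2008] [19:00 04/08/2004] (Unable to calculate MD5)

-=End Of File=-
"""

# Assumed line shapes (derived from the sample above, not from SystemLook docs):
#   Searching for "<name>"
#   <path> <6 attr chars> <size> bytes [<modified>] [<created>] <MD5 | (error text)>
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] "
    r"(?:(?P<md5>[0-9A-Fa-f]{32})|\((?P<error>[^)]+)\))$"
)


def parse_filefind(text):
    """Return {filename: [hit, ...]} where each hit is the HIT_RE groupdict
    with 'size' as int, 'md5' upper-cased (None when unhashable) and
    'error' carrying the parenthesised reason when present."""
    hits, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            hits.setdefault(current, [])
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper() if hit["md5"] else None
            hits[current].append(hit)
    return hits


def triage(hits, system_dir=r"C:\WINDOWS\system32"):
    """Flag, per filename, the conditions that pointed at a patched
    winlogon.exe and a missing proquota.exe in the thread:
      - no copy under system_dir at all
      - the system copy could not be hashed (locked or unreadable)
      - the system copy differs in size or MD5 from the other copies found
    Returns {filename: [note, ...]}; an empty list means nothing stood out."""
    prefix = system_dir.lower().rstrip("\\") + "\\"
    findings = {}
    for name, copies in hits.items():
        sys_copies, other_copies = [], []
        for c in copies:
            (sys_copies if c["path"].lower().startswith(prefix) else other_copies).append(c)
        notes = []
        if not sys_copies:
            notes.append("missing from system directory")
        for c in sys_copies:
            if c["error"]:
                notes.append("system copy unhashable: " + c["error"])
            for o in other_copies:
                if c["size"] != o["size"]:
                    notes.append("size differs from cached copy (%d vs %d)" % (c["size"], o["size"]))
                elif c["md5"] and o["md5"] and c["md5"] != o["md5"]:
                    notes.append("same size but MD5 differs from cached copy")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in triage(parse_filefind(SAMPLE_LOG)).items():
        print(name, "->", notes or ["nothing flagged"])
```

Run as a script it prints one line per searched filename; on the sample it flags proquota.exe as missing from system32 and winlogon.exe as both unhashable and a different size from the cached copy, which is the reading Broni acted on in the next post.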
     
  12. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    If the fix we're about to run won't work, you'll need to find Windows XP CD (borrowed one will do).

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe | c:\windows\system32\proquota.exe
    C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
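The FCopy step above overwrites the system32 files with whatever sits in the Windows Update download folder. The checks a responder would wrap around such a copy, as an added example in Python that is not part of the thread or of ComboFix: hash the reference copy against the value already observed (the thread's SystemLook reported ED0EF0A136DEC83DF69F04118870003E for the cached winlogon.exe), refuse to copy if it does not match, keep the suspect binary rather than destroying it, and re-hash the result. The scratch directory, file contents and hashes inside `demo()` are constructed stand-ins, and the function names are this example's own. Two caveats the code cannot remove: a running winlogon.exe is locked, which ComboFix handles in its own way and this script only reports as `target-locked`; and the Sigcheck lines earlier in the thread show the two copies are different builds ([5.1.2600.5512] in the cache, [5.1.2600.2180] in system32), so the replacement build must be one the installed service pack will run, which is worth confirming before the copy.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_md5(path):
    """MD5 of a file as upper-case hex, the form SystemLook and Sigcheck print.
    MD5 is used only because that is what the thread's tools report; it is
    adequate for matching one specific known file, not for resisting a forger."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def restore_from_reference(target, reference, expected_md5, backup_dir):
    """Copy `reference` over `target` only after proving the reference is the
    known-good file. Returns a dict whose 'status' is one of:
      reference-mismatch  reference does not hash to expected_md5; nothing touched
      already-clean       target already matches; nothing touched
      target-locked       target could not be read, backed up or replaced
      restored            target replaced; suspect copy saved under backup_dir
      copy-failed         copy ran but the result does not hash as expected"""
    target, reference, backup_dir = Path(target), Path(reference), Path(backup_dir)
    expected_md5 = expected_md5.upper()

    ref_md5 = file_md5(reference)
    if ref_md5 != expected_md5:
        return {"status": "reference-mismatch", "reference_md5": ref_md5}

    backup = None
    if target.exists():  # an absent target is the thread's "proquota.exe is missing" case
        try:
            if file_md5(target) == expected_md5:
                return {"status": "already-clean", "target_md5": expected_md5}
            backup_dir.mkdir(parents=True, exist_ok=True)
            backup = backup_dir / (target.name + ".bak")
            shutil.copy2(target, backup)  # keep the suspect binary for analysis
        except OSError as exc:
            # A file in use (a running winlogon.exe) cannot be read or moved
            # from here; the thread saw this as "Unable to calculate MD5".
            return {"status": "target-locked", "error": str(exc)}
    try:
        shutil.copy2(reference, target)
    except OSError as exc:
        return {"status": "target-locked", "error": str(exc)}
    new_md5 = file_md5(target)
    return {
        "status": "restored" if new_md5 == expected_md5 else "copy-failed",
        "target_md5": new_md5,
        "backup": str(backup) if backup else None,
    }


def demo():
    """Constructed scenario: a scratch directory stands in for the XP paths."""
    root = Path(tempfile.mkdtemp(prefix="restore-demo-"))
    cache = root / "SoftwareDistribution" / "Download"
    system32 = root / "system32"
    cache.mkdir(parents=True)
    system32.mkdir()
    # Constructed stand-ins (not real PE files): clean copies in the cache, a
    # patched winlogon.exe in system32 and, as in the thread, no proquota.exe.
    (cache / "winlogon.exe").write_bytes(b"MZ constructed clean winlogon")
    (cache / "proquota.exe").write_bytes(b"MZ constructed clean proquota")
    (system32 / "winlogon.exe").write_bytes(b"MZ constructed patched winlogon")
    known_good = {name: file_md5(cache / name) for name in ("winlogon.exe", "proquota.exe")}
    backups = root / "backup"

    results = {"known_good": known_good}
    for name, md5 in known_good.items():
        results[name] = restore_from_reference(system32 / name, cache / name, md5, backups)
    # Second pass: nothing should be copied again.
    results["second-pass"] = restore_from_reference(
        system32 / "winlogon.exe", cache / "winlogon.exe", known_good["winlogon.exe"], backups)
    # Tampered cache copy: must be refused, leaving the restored system32 file alone.
    (cache / "winlogon.exe").write_bytes(b"MZ constructed tampered cache copy")
    results["tampered"] = restore_from_reference(
        system32 / "winlogon.exe", cache / "winlogon.exe", known_good["winlogon.exe"], backups)
    results["tampered"]["target_md5_after"] = file_md5(system32 / "winlogon.exe")
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    # Shape of the real call with the thread's paths and observed hash (would
    # only make sense on that XP box, and only with the service pack caveat checked):
    # restore_from_reference(r"C:\WINDOWS\system32\winlogon.exe",
    #     r"C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe",
    #     "ED0EF0A136DEC83DF69F04118870003E", r"C:\quarantine")
    for key, value in demo().items():
        print(key, value)
```

The ordering matters: the reference is hashed before anything is written, so a cache folder that the malware has also reached (Bamital is a file infector, and the thread's earlier ComboFix run had already found the system32 copy "infected") never gets propagated, and the suspect copy survives in the backup directory for later analysis instead of being overwritten in place.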
     
  13. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Here is the Combofix log:


    ComboFix 10-08-18.04 - Owner 08/20/2010 17:23:03.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.484 [GMT -6:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe --> c:\windows\system32\proquota.exe
    c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe --> c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
    .

    2010-08-20 23:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2010-08-10 16:36 . 2010-08-10 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-10 16:34 . 2008-10-29 05:25 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
    2010-08-10 16:34 . 2008-10-29 05:25 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
    2010-08-10 09:28 . 2010-08-10 09:28 -------- d-----w- C:\RegBack
    2010-08-10 09:28 . 2010-08-10 09:29 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-10 09:26 . 2010-08-10 16:27 -------- d-----w- c:\program files\ACW
    2010-08-10 03:04 . 2010-08-10 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-08-10 03:03 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-10 03:03 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-09 06:12 . 2010-08-09 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
    2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\program files\ClamWin
    2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\documents and settings\All Users\.clamwin
    2010-08-09 04:31 . 2010-08-09 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-08-09 04:26 . 2010-08-19 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
    2010-08-09 04:26 . 2010-08-09 04:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-08-09 04:25 . 2010-08-09 04:28 -------- d-----w- c:\program files\Google
    2010-08-09 04:25 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-09 04:25 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-09 04:25 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-09 04:25 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-09 04:25 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-08-09 04:25 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-08-09 04:25 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-09 04:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-09 04:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-09 04:23 . 2010-08-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-09 03:31 . 2010-08-09 04:50 -------- d-----w- C:\d467db2a9be49790e3830233b0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-14 06:19 . 2009-09-08 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
    2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-09 07:45 . 2009-07-08 18:03 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-08-09 04:23 . 2008-10-29 19:32 -------- d-----w- c:\program files\Alwil Software
    2010-08-08 12:31 . 2010-01-21 06:07 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
    "c:\\WINDOWS\\RTHDCPL.exe"=
    "c:\\TEMP\\vlc-1.0.3\\vlc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2010 10:25 PM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/8/2010 10:25 PM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/8/2010 10:26 PM 136176]
    S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/11/2009 3:45 PM 627072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-20 17:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(516)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-08-20 17:29:39
    ComboFix-quarantined-files.txt 2010-08-20 23:29
    ComboFix2.txt 2010-08-20 06:26
    ComboFix3.txt 2010-08-20 03:33
    ComboFix4.txt 2010-08-20 03:03

    Pre-Run: 42,016,391,168 bytes free
    Post-Run: 41,999,536,128 bytes free

    - - End Of File - - AD123BF0590BBECEF2F5970DDFA45A17
     
  14. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    It looks like our fix worked :)

    How are the issues?

    Please, re-run SystemLook with the same script as in my post #10
     
  15. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Ran systemlook, here is the log:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 17:47 on 20/08/2010 by Owner (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "proquota.exe"
    C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe ------ 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
    C:\WINDOWS\system32\proquota.exe --a--- 50176 bytes [23:23 20/08/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

    Searching for "winlogon.exe"
    C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe ------ 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\winlogon.exe --a--- 507904 bytes [21:55 27/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

    -=End Of File=-

    Also ran an Avast scan, it picked up Bamital-x, but in a different place than before. It allowed me to delete the file.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    All looks much better :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  17. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    I did the uninstall of Combofix but now my computer won't let me restart. I click on the 'turn off computer' under the Start menu to get to the option to restart and it takes a very long time. Then when the menu comes up and I click Restart it does nothing.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Turn it off (not restart). Turn it back on.
     
  19. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Clicking 'turn off' doesn't work either. Even manually pushing the button does nothing.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Hold power button for a few seconds.
     
  21. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    I got the computer to turn off and turn on again. Here is the MBRcheck log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 174):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806CF000 \WINDOWS\system32\hal.dll
    0xF7B28000 \WINDOWS\system32\KDCOM.DLL
    0xF7A38000 \WINDOWS\system32\BOOTVID.dll
    0xF74F9000 ACPI.sys
    0xF7B2A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF74E8000 pci.sys
    0xF7628000 isapnp.sys
    0xF7BF0000 pciide.sys
    0xF78A8000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7B2C000 aliide.sys
    0xF7B2E000 cmdide.sys
    0xF7B30000 toside.sys
    0xF7B32000 viaide.sys
    0xF7B34000 intelide.sys
    0xF7638000 MountMgr.sys
    0xF74C9000 ftdisk.sys
    0xF78B0000 PartMgr.sys
    0xF7648000 VolSnap.sys
    0xF7A3C000 cpqarray.sys
    0xF74B1000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF7499000 atapi.sys
    0xF7A40000 aha154x.sys
    0xF78B8000 sparrow.sys
    0xF7A44000 symc810.sys
    0xF7658000 aic78xx.sys
    0xF7A48000 dac960nt.sys
    0xF7668000 ql10wnt.sys
    0xF7A4C000 amsint.sys
    0xF78C0000 asc.sys
    0xF7A50000 asc3550.sys
    0xF78C8000 mraid35x.sys
    0xF78D0000 i2omp.sys
    0xF7A54000 ini910u.sys
    0xF7678000 ql1240.sys
    0xF7688000 aic78u2.sys
    0xF78D8000 symc8xx.sys
    0xF78E0000 sym_hi.sys
    0xF78E8000 sym_u3.sys
    0xF78F0000 ABP480N5.SYS
    0xF78F8000 asc3350p.sys
    0xF7B36000 cd20xrnt.sys
    0xF7698000 ultra.sys
    0xF7480000 adpu160m.sys
    0xF7900000 dpti2o.sys
    0xF76A8000 ql1080.sys
    0xF76B8000 ql1280.sys
    0xF76C8000 ql12160.sys
    0xF7908000 perc2.sys
    0xF7B38000 perc2hib.sys
    0xF7910000 hpn.sys
    0xF7A58000 cbidf2k.sys
    0xF7454000 dac2w2k.sys
    0xF76D8000 disk.sys
    0xF76E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7435000 fltMgr.sys
    0xF741E000 KSecDD.sys
    0xF7391000 Ntfs.sys
    0xF7364000 NDIS.sys
    0xF76F8000 sisagp.sys
    0xF7708000 viaagp.sys
    0xF7349000 Mup.sys
    0xF7718000 agp440.sys
    0xF7728000 alim1541.sys
    0xF7738000 amdagp.sys
    0xF7748000 agpCPQ.sys
    0xF7778000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF70DB000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF70C7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7990000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF70A4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7998000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7788000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7798000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF77A8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7081000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7AEC000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF7034000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF77B8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF79B0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF79B8000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7020000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF77C8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7AFC000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF700C000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
    0xF6FD5000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xF6ED8000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xF6E2B000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF79E8000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7D6C000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF77D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B08000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6E14000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF77E8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF77F8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7A08000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6E03000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7808000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7A18000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7A28000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7818000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7B42000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6D2F000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7B1C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7838000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7868000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7B48000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xEE8B1000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xEE88F000 \SystemRoot\system32\drivers\portcls.sys
    0xF7878000 \SystemRoot\system32\drivers\drmk.sys
    0xF7B50000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7B54000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7C26000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B58000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7968000 \SystemRoot\System32\drivers\vga.sys
    0xF7B5C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B60000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7978000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7988000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7AE0000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEE80C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEE7B4000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF7898000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xEE76B000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF72E0000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xEE743000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEE721000 \SystemRoot\System32\drivers\afd.sys
    0xF72D0000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEE656000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF7065000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF72B0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF79C0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xEE5E7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF72A0000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEE5C0000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF79F0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xEE59D000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF7A00000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF6D2B000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF6D1F000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xF7A20000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF7948000 \SystemRoot\system32\DRIVERS\HPZius12.sys
    0xF7958000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF7280000 \SystemRoot\system32\DRIVERS\HPZid412.sys
    0xF6D1B000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
    0xEE55D000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7B6C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7ADC000 \SystemRoot\System32\drivers\Dxapi.sys
    0xEE84F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D21000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF054000 \SystemRoot\System32\ati2cqag.dll
    0xBF093000 \SystemRoot\System32\atikvmag.dll
    0xBF0C9000 \SystemRoot\System32\ati3duag.dll
    0xBF345000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xEC451000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xF79A8000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xEC33D000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF79D0000 \SystemRoot\system32\DRIVERS\pnarp.sys
    0xF79E0000 \SystemRoot\system32\DRIVERS\purendis.sys
    0xEC176000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xEBFEE000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEBC61000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEC3C5000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEBA2D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7B62000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xEBA09000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xEB8BE000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEB00B000 \SystemRoot\System32\Drivers\HTTP.sys
    0xF79F8000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 54):
    0 System Idle Process
    4 System
    424 C:\WINDOWS\system32\smss.exe
    484 csrss.exe
    512 C:\WINDOWS\system32\winlogon.exe
    556 C:\WINDOWS\system32\services.exe
    568 C:\WINDOWS\system32\lsass.exe
    716 C:\WINDOWS\system32\ati2evxx.exe
    744 C:\WINDOWS\system32\svchost.exe
    824 svchost.exe
    896 C:\WINDOWS\system32\svchost.exe
    1044 svchost.exe
    1168 svchost.exe
    1268 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1356 C:\WINDOWS\system32\ati2evxx.exe
    1420 C:\WINDOWS\explorer.exe
    1580 C:\WINDOWS\RTHDCPL.exe
    1604 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    1620 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    1628 C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
    1636 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    1648 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
    1660 C:\Program Files\ClamWin\bin\ClamTray.exe
    1668 C:\Program Files\QuickTime\QTTask.exe
    1740 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    1816 C:\Program Files\OpenOffice.org 3\program\soffice.exe
    1844 C:\Program Files\OpenOffice.org 3\program\soffice.bin
    336 C:\WINDOWS\system32\spoolsv.exe
    1008 svchost.exe
    1064 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1188 C:\WINDOWS\system32\svchost.exe
    1292 C:\Program Files\Java\jre6\bin\jqs.exe
    988 C:\WINDOWS\system32\svchost.exe
    1532 C:\WINDOWS\system32\svchost.exe
    1760 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    1904 C:\WINDOWS\system32\svchost.exe
    1936 wdfmgr.exe
    2076 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    2160 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    2204 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    2288 C:\WINDOWS\system32\wuauclt.exe
    2516 wmiprvse.exe
    2924 C:\WINDOWS\system32\wuauclt.exe
    532 wmiprvse.exe
    2596 alg.exe
    3952 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    3428 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    3396 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    2680 C:\Program Files\Google\Chrome\Application\chrome.exe
    3872 C:\Program Files\Google\Chrome\Application\chrome.exe
    4008 C:\Program Files\Google\Chrome\Application\chrome.exe
    3940 C:\Program Files\Google\Chrome\Application\chrome.exe
    2988 C:\Program Files\Google\Chrome\Application\chrome.exe
    3592 C:\Documents and Settings\Owner\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`289c3a00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: ST3100011A, Rev: 3.02

    Size Device Name MBR Status
    --------------------------------------------
    93 GB \\.\PhysicalDrive0 Gateway MBR code detected
    SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


    Done!
     
  22. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Here is Extras.txt:


    OTL Extras logfile created on: 8/20/2010 6:37:26 PM - Run 1
    OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
    Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    879.00 Mb Total Physical Memory | 348.00 Mb Available Physical Memory | 40.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1320 2640 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 88.52 Gb Total Space | 41.55 Gb Free Space | 46.94% Space Free | Partition Type: NTFS
    Drive D: | 4.63 Gb Total Space | 2.24 Gb Free Space | 48.36% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: GEORGETTECOMP
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE File not found

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 File not found
    http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
    https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 File not found
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe" = C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe:*:Enabled:WMP54Gv4 -- (Linksys)
    "C:\TEMP\vlc-1.0.3\vlc.exe" = C:\TEMP\vlc-1.0.3\vlc.exe:*:Enabled:VLC media player -- ()
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
    "C:\Program Files\Java\jre6\bin\javaws.exe" = C:\Program Files\Java\jre6\bin\javaws.exe:*:Disabled:Java(TM) Web Start Launcher -- (Sun Microsystems, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
    "{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
    "{15262012-213A-4f65-9019-C8A409EC0156}" = HP Officejet J6400 Series
    "{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
    "{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
    "{188C0E25-3D65-4DAC-9C00-7483FBA4C7EB}" = Status
    "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
    "{279D3818-7287-4ab4-A927-542EBEA9E365}" = ProductContext
    "{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
    "{380CC749-8C28-4C74-BE01-45921D062302}" = BPDSoftware_Ini
    "{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
    "{41853D20-40CC-4266-978D-F128BB97CA96}" = 6400_Help
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter
    "{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
    "{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
    "{54F6C98F-94A0-421C-B90E-0B6A2A96A9CF}" = Pure Networks Platform
    "{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
    "{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
    "{5D934326-165A-413b-B056-26BE1EC082AF}" = J6400
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{676981B7-A2D9-49D0-9F4C-03018F131DA9}" = DocProc
    "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
    "{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{85C8D391-0EAE-4492-8A0A-2EE8B0B6DA03}" = BPDSoftware
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
    "{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
    "{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{ABA00898-9467-4689-9F40-DE7F58C8429C}" = Fax
    "{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
    "{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
    "{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
    "{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D142FE39-3386-4d82-9AD3-36D4A92AC3C2}" = DocMgr
    "{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
    "{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
    "{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
    "{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
    "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
    "{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
    "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "ATI Display Driver" = ATI Display Driver
    "avast5" = avast! Free Antivirus
    "AviSynth" = AviSynth 2.5
    "CCleaner" = CCleaner (remove only)
    "ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.96.1
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
    "DivX Setup.divx.com" = DivX Setup
    "Google Chrome" = Google Chrome
    "HP Document Manager" = HP Document Manager 1.0
    "HP Imaging Device Functions" = HP Imaging Device Functions 10.0
    "HP Photosmart Essential" = HP Photosmart Essential 2.5
    "HP Smart Web Printing" = HP Smart Web Printing
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
    "HPExtendedCapabilities" = HP Customer Participation Program 10.0
    "HPOCR" = OCR Software by I.R.I.S. 10.0
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "IrfanView" = IrfanView (remove only)
    "Linksys Wireless Manager" = Linksys Wireless Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "RealPlayer 6.0" = RealPlayer Basic
    "Shop for HP Supplies" = Shop for HP Supplies
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "VLC media player" = VLC media player 1.0.5
    "WGA" = Windows Genuine Advantage Validation Tool
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows Media Player" = Windows Media Player 10
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Toolbar" = Yahoo! Toolbar

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 11/30/2009 7:56:38 PM | Computer Name = GEORGETTECOMP | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: The data is invalid.

    Error - 12/14/2009 2:07:35 AM | Computer Name = GEORGETTECOMP | Source = Application Error | ID = 1000
    Description = Faulting application hpqtra08.exe, version 100.0.170.0, faulting module
    hpqusg.dll, version 100.0.170.0, fault address 0x00026418.

    Error - 1/12/2010 2:12:36 AM | Computer Name = GEORGETTECOMP | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The server name or address could not be resolved

    Error - 1/12/2010 10:32:01 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 1/21/2010 8:33:21 PM | Computer Name = GEORGETTECOMP | Source = Application Error | ID = 1000
    Description = Faulting application hpqtra08.exe, version 100.0.170.0, faulting module
    hpqusg.dll, version 100.0.170.0, fault address 0x00026418.

    Error - 2/12/2010 9:44:24 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 2/21/2010 10:00:01 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 2/22/2010 8:53:38 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 2/24/2010 7:55:01 AM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 3/1/2010 4:29:06 AM | Computer Name = GEORGETTECOMP | Source = Application Error | ID = 1000
    Description = Faulting application firefox.exe, version 1.9.1.3685, faulting module
    npswf32.dll, version 10.0.45.2, fault address 0x0017c735.

    [ System Events ]
    Error - 8/19/2010 10:27:14 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.

    Error - 8/19/2010 10:29:33 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7023
    Description = The 6to4 service terminated with the following error: %%126

    Error - 8/19/2010 10:29:52 PM | Computer Name = GEORGETTECOMP | Source = System Error | ID = 1003
    Description = Error code 000000f4, parameter1 00000003, parameter2 84ca54e0, parameter3
    84ca5654, parameter4 805c874a.

    Error - 8/19/2010 10:31:09 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.

    Error - 8/19/2010 10:37:04 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7023
    Description = The 6to4 service terminated with the following error: %%126

    Error - 8/19/2010 10:38:53 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.

    Error - 8/19/2010 10:59:27 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.

    Error - 8/20/2010 8:32:14 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.

    Error - 8/20/2010 8:37:51 PM | Computer Name = GEORGETTECOMP | Source = SRService | ID = 104
    Description = The System Restore initialization process failed.

    Error - 8/20/2010 8:37:51 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7023
    Description = The System Restore Service service terminated with the following error:
    %%2


    < End of report >
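    The "Shell Spawning" section of Extras.txt is the part worth reading first when a hijacker is suspected: it lists the registry command that runs whenever a .exe, .com, .bat, .pif or .scr is launched, and a loader planted there gets executed every time the user starts any program, which is why some infections survive a cleanup that only removes the dropped file. As an added example (my own triage helper, not OTL's code and not posted by anyone in this thread), the Python below parses that section and flags any executable-type handler that differs from the stock Windows XP defaults. The defaults table is my assumption of the stock values; both sample logs are constructed, the first copied from the handlers shown above and the second with a made-up hijacked exefile entry so the check has something to flag.

```python
import re

# Added triage helper: compares the executable-type handlers reported in the
# "Shell Spawning" section of an OTL Extras.txt against the stock XP values.
# Assumption: these are the stock Windows XP defaults for these handlers.
EXPECTED = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}

# OTL writes one line per handler:  <class> [<verb>] -- <command> [annotation]
LINE_RE = re.compile(r'^\s*(\S+) \[(\w+)\] -- (.*?)\s*$')

# Constructed sample 1: the executable handlers exactly as the log above shows them.
CLEAN_LOG = """\
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
"""

# Constructed sample 2: the same section with a hypothetical hijacked exefile
# handler. The loader path is made up for the test and is not from the thread.
HIJACKED_LOG = CLEAN_LOG.replace(
    'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\Owner\Application Data\loader.exe" "%1" %*',
)


def parse_shell_spawning(text):
    """Map (class, verb) -> command for every handler line in the section."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
    return entries


def check_handlers(entries):
    """Return (class, verb, actual_command, reason) for each handler that
    is missing or deviates from the expected default."""
    findings = []
    for (cls, verb), expected in EXPECTED.items():
        actual = entries.get((cls, verb))
        if actual is None:
            findings.append((cls, verb, None, "handler not present in log"))
        elif actual != expected:
            findings.append((cls, verb, actual, "expected " + expected))
    return findings


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("hijacked", HIJACKED_LOG)):
        findings = check_handlers(parse_shell_spawning(log))
        print(name, "->", findings if findings else "all executable handlers at defaults")
```

    Run against the clean sample it reports nothing, which matches what the posted log shows: every executable handler here is still the stock `"%1" %*` form, so this particular log does not point at a shell-spawning hijack. Against the second sample it reports the exefile entry with the foreign path, which is the line an analyst would then trace back to the file on disk.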
     
  23. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Go on..............
     
  24. robynloraine

    robynloraine TS Rookie Topic Starter Posts: 20

    Here is OTL.txt attached; it won't let me copy/paste.
     

    Attached Files:

    • OTL.Txt (140.6 KB)
  25. Broni

    Broni Malware Annihilator Posts: 52,895   +344

Topic Status:
Not open for further replies.
