Inactive After many attempts to fix, still suspicious spyware/malware is lurking on XP machine

[PuterOozer]

Hello all,

Just ran across your website when searching for answers on how to uncover/get rid of any remaining spyware/malware and this website has a very refreshing venue that includes current net news events (much less boring than some other tech related sites I've looked at)

At any rate, not sure where to start or how to proceed. I suspect that there is still some trojan/spyware/malware lurking as strange things still keep happening. Am on an XP machine and had norton's, spybot and GMER running and then about a year ago added Outpost and SpyShelter, but a little over a month ago, noticed that Spybot's Firefox immunizations kept getting turned off (which I read spybot says it's due to the recent Firefox upgrades), and started locking up after a scan when clicking on "fix problems" and would shut down as well as over 200 temp files in existence that Sypbot can't clean out (15-30 used to be the norm before this all started), ominous zip files showing up on the desktop such as a portion of the content of a word document I write notes in showed up on the desktop in a zip file, and then also of all things zip files of a shortcut icon of a link to “local area connection” I have on the desktop so I can disable the network connection when not using the computer to help protect the computer, would show up on the desktop which I never saw happen before now.

Then also about the same time, started getting ominous generic message boxes showing up when either opening a pdf file or trying to look at a pdf file in firefox saying that "adobe acrobat was being updated" as well as a generic window saying I needed to select 2 updates, but the window would not let you close it, so had to use task manager to get rid of it, and did a system restore back to an earlier date, but don't dare open up any pdf which is a bummer. Also on this, I read that Firefox and Adobe are blaming each other for the virus problems and that the only thing Adobe is offering is for a person to get the latest version vs. offering udates to block such virus compromises which sucks because I'm perfectly happy using my older 6.0 acrobat.

When things first started happening, it got so bad that sometimes windows would freeze and would have to re-boot a number of times, sometimes in safe mode, just to get the computer to run, and finally used system restore, but evidently the virus still lurked, as things like anti-virus notify would get turned off, system restore would be turned off or previously, although there were a number of system restore points visible, when choosing any, windows would report that there are no system restore points available.

I finally went to a prior ghost backup that at least regained some stablity, and got rid of nortons, outpost and spyShelter (am now reading that a number of ant-spyware packages actually have spyware, and found out that outpost comes out of Russia, so not sure what to trust, so since the problems came with nortons and the others in place, uninstalled all using revo uninstaller and installed Avast and Comodo and also installed SpywareBlaster and malwarebytes, but if I open or view a pdf, the ominous message boxes will start back up, and I just yesterday had a zip file of one of my desktop icons show up on the desktop again which I definitely didn't do of the

I had high hopes for Avast and both Avast and Comodo at least provide excellent monitoring / setting options. When I installed Avast and ran as thorough of scans as I could, the only thing it found was some trojans attached to some old driver software and a couple web pages I had copied a long time ago sitting on other non-windows directories as well as a fan control software and camera software that had Trojan dll’s in their setup software that I have been using for years (that norton's never found), but nothing else in active windows directories, but Thunderbird and Skype get sandboxed by Comodo saying something is using the software to try to communicate etc., and a boat load of UDP Out’s try to occur with Skype, as well as attempts to connect by outside computers via Skype all of which I blocked, AND even Spybot, which I had un-installed and then installed elsewhere still has the Firefox immunizations get disabled, and there’s a boat load (over 200) temp files that Spybot can’t clean out that used to only be 15-30 before all this happened (an on a vista machine It’s over 600 temp files which also isn’t normal) so not sure what is going on.

Any help suggestions would be appreciated.

Thanks!

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

[PuterOozer]

Acknowledgement

Hello Broni,

Thanks for the prompt reply. Will get on this later tonight when I can devote my total attention to your instructions and will keep you posted!

Thanks!

 

[Broni]

OK ................

 

[PuterOozer]

Logs

Hello Broni,

I got pulled away and just got back to have some time to post the logs. Not sure if you try to do this in a real-time basis but will be away until tomorrow but will check in to let you know I'm available/ready for any next step etc. I don't see much to speak of in the logs, but then am not a tech head. As mentioned I had previously already installed avast, and at that time, avast found a few trojans that were attached to some webpages saved, in the install software for old video / webcam software that I have been using for years (why the heck doesn't nortons/spybot etc catch this stuff???), but not sure if anything that might have been active was removed by nortons/spybot but not aware of it.

Also, I've been using GMER realtime, and one once or twice long ago it listed one or two 4 digit #'s which I have no clue what they represented, but in re-booting, they didn't show up again so didn't worry about it/know what to do. After installing comodo and avast (I'm reading on posts that it's something that has to do with installing their software), the following now shows up every time booting up in the GMER realtime scanner:

Detected NTDLL code modification:
AWClose, ZWOpenFile

Following are the Malwarebytes, GMER and DDS.txt and Attach.txt logs. After those, I will post what avast had found a few weeks ago right after I got rid of nortons and all the original spyware I was using and before I got frustrated and posted on your site (btw, I could easily loose track of time reading all the stuff on techspot.com. A lot of interesting up to date info.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/29/2010 4:47:37 PM
mbam-log-2010-11-29 (16-47-37).txt

Scan type: Quick scan
Objects scanned: 172506
Time elapsed: 28 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-29 17:02:55
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2060AT_PL rev.000000A0
Running: GMRddkstk8l.exe; Driver: C:\DOCUME~1\Command\LOCALS~1\Temp\pwgirpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xF75AB768]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xF75AB9BE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Fastfat.sys (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----




DDS (Ver_10-11-27.01) - FAT32x86
Run by Carl at 17:10:07.65 on Mon 11/29/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.244 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Utility.sys\Spyware Ad-Aware 2007\aawservice.exe
C:\Utility.sys\Spyware - Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
SVCHOST.EXE
C:\Utility.sys\Web Vulnerability Scanner 6\WVSScheduler.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Telecom\_Iphone.dir\BlueTooth\BTNtService.exe
SVCHOST.EXE
C:\Program Files\BUFFALO\SLManagerEasy\Bufssvr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\BUFFALO\SLManagerEasy\Inputps.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\D-Link\AIRPLUS.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cfp.exe
C:\Utility.sys\Spyware - Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.exe
C:\Utility.sys\I8kFanGui\I8kfanGUI.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Utility.sys\NetPerSec\NetPerSec.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\carl\Desktop\DDS.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobeacrobat xp 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\utility.sys\spf869~1\SDHelper.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobeacrobat xp 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobeacrobat xp 6.0\acrobat\AcroIEFavClient.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobeacrobat xp 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [i8kfangui] c:\utility.sys\i8kfangui\I8kfanGUI.exe /startup
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [SpybotSD TeaTimer] c:\utility.sys\spyware - spybot\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BigDogPath] c:\windows\VM_STI.EXE Vimicro USB PC Camera (ZC0301PL)
mRun: [AIRPLUS] "c:\program files\d-link\AIRPLUS.exe" -nogui
mRun: [ATIPTA] atiptaxx.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [MyScreenCam] c:\program files\my screen cam\scrcam.exe
mRun: [COMODO Internet Security] "c:\utility.sys\spyware - comodo\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] "c:\utility.sys\spyware - avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BuffaloTools] c:\program files\buffalo\buffalotools\BuffaloTools.exe
StartupFolder: c:\docume~1\carl\startm~1\programs\startup\_drives.lnk - c:\_drives.bat
StartupFolder: c:\docume~1\carl\startm~1\programs\startup\netper~1.lnk - c:\utility.sys\netpersec\NetPerSec.exe
StartupFolder: c:\docume~1\carl\startm~1\programs\startup\spinwi~1.lnk - c:\spinwiz\SPINWIZ.EXE
StartupFolder: c:\docume~1\carl\startm~1\programs\startup\gmerca~1.lnk - c:\utility.sys\spyware gmer rootkit\catchme.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\telecom\_iphone.dir\im\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\utility.sys\spf869~1\SDHelper.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carl\applic~1\mozilla\firefox\profiles\sqfvpfgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 4777
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 4777
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 4777
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 4777
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobeacrobat xp 6.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\docume~1\carl\applic~1\mozilla\firefox\profiles\sqfvpfgm.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Extension: PrefBar: {8A6C82A1-F6C9-481a-AAE7-C96444C9A754} - c:\docume~1\carl\applic~1\mozilla\firefox\profiles\sqfvpfgm.default\extensions\{8A6C82A1-F6C9-481a-AAE7-C96444C9A754}
FF - Extension: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - c:\docume~1\carl\applic~1\mozilla\firefox\profiles\sqfvpfgm.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Extension: Personas: personas@christopher.beard - c:\docume~1\carl\applic~1\mozilla\firefox\profiles\sqfvpfgm.default\extensions\personas@christopher.beard
FF - Extension: PDFescape Extension: {2A1D5949-B519-4924-BF62-8522FE0D5274} - c:\docume~1\carl\applic~1\mozilla\firefox\profiles\sqfvpfgm.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 bftpdskc;BUFFALO TurboPC Cache Filter;c:\windows\system32\drivers\bftpdskc.sys [2010-11-11 39680]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-28 165584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 25240]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-5-19 14464]
R2 aawservice;Ad-Aware 2007 Service;c:\utility.sys\spyware ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 AcuWVSSchedulerv6;Acunetix WVS Scheduler v6;c:\utility.sys\web vulnerability scanner 6\WVSScheduler.exe [2009-7-2 994952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-28 17744]
R2 avast! Antivirus;avast! Antivirus;c:\utility.sys\spyware - avast\AvastSvc.exe [2010-10-28 40384]
R2 bufssvr;bufssvr;c:\program files\buffalo\slmanagereasy\Bufssvr.exe [2010-3-16 95608]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\utility.sys\spyware - comodo\comodo\comodo internet security\cmdagent.exe [2010-9-10 1901056]
R3 ati2mpab;ati2mpab;c:\windows\system32\drivers\ati2mpab.sys [2005-5-30 299776]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\system32\drivers\es198xdl.sys [2005-5-30 414400]
S2 gupdate1c9f50d5e243b40;Google Update Service (gupdate1c9f50d5e243b40);c:\program files\google\update\GoogleUpdate.exe [2009-6-24 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\utility.sys\spyware - avast\AvastSvc.exe [2010-10-28 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\utility.sys\spyware - avast\AvastSvc.exe [2010-10-28 40384]
S3 bftpusbx;BUFFALO TurboPC USB Filter;c:\windows\system32\drivers\bftpusbx.sys [2010-11-11 10624]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-7-9 69692]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2005-8-18 173584]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\drivers\fd_dmdfl.sys [2005-8-18 15248]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\drivers\fd_dmdm.sys [2005-8-18 316272]
S3 IPN2120;INPROCOMM IPN2120 Wireless LAN Card Driver;c:\windows\system32\drivers\IPN2120.SYS [2005-6-5 79360]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys --> c:\windows\system32\drivers\jswimd.sys [?]
S3 NUVision;Pinnacle LINX;c:\windows\system32\drivers\Nuvision.sys [2005-12-18 136352]

=============== Created Last 30 ================

2010-11-19 18:50:11 -------- d-----w- c:\docume~1\carl\applic~1\Malwarebytes
2010-11-19 18:49:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 18:49:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-19 18:49:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 12:58:02 -------- d-sh--w- C:\FOUND.001
2010-11-18 16:03:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-11 18:30:42 -------- d-----w- c:\docume~1\carl\applic~1\BUFFALO
2010-11-11 18:30:39 398712 ----a-r- c:\windows\UN091114.EXE
2010-11-11 18:30:36 39680 ----a-r- c:\windows\system32\drivers\bftpdskc.sys
2010-11-11 18:30:35 398712 ----a-r- c:\windows\UN091111.EXE
2010-11-11 18:30:35 10624 ----a-r- c:\windows\system32\drivers\bftpusbx.sys
2010-11-11 18:30:32 398712 ----a-r- c:\windows\UN091201.EXE
2010-11-11 18:29:37 398712 ----a-r- c:\windows\UN090430.EXE
2010-11-11 18:29:36 -------- d-----w- c:\program files\BUFFALO
2010-11-06 01:22:54 -------- d-sh--w- C:\FOUND.000
2010-10-31 14:47:08 472808 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-09-15 07:29:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-11 04:41:40 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-07 16:12:18 38848 ----a-w- c:\windows\avastSS.scr
1998-12-09 06:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 06:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 06:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 06:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 06:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 06:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 17:17:58.69 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/30/2005 4:23:56 PM
System Uptime: 11/29/2010 4:13:14 PM (1 hours ago)

Motherboard: Dell Computer Corporation | | Latitude CPx J650GT
Processor: Intel Pentium III processor | Microprocessor | 647/66mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 56 GiB total, 19.14 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX
Device ID: ROOT\MEDIA\0000
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX
PNP Device ID: ROOT\MEDIA\0000
Service: NUVision

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX 2 Video
Device ID: ROOT\MEDIA\0001
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX 2 Video
PNP Device ID: ROOT\MEDIA\0001
Service: nuvvid2

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX 2 Audio
Device ID: ROOT\MEDIA\0002
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX 2 Audio
PNP Device ID: ROOT\MEDIA\0002
Service: nuvaud2

==== System Restore Points ===================

RP1: 11/12/2010 7:05:33 PM - System Checkpoint
RP2: 11/15/2010 12:10:33 AM - System Checkpoint
RP3: 11/15/2010 7:56:14 PM - Restore Operation
RP4: 11/17/2010 6:05:06 AM - System Checkpoint
RP5: 11/18/2010 10:55:41 AM - Restore Operation
RP6: 11/18/2010 9:07:16 PM - Revo Uninstaller's restore point - Skype™ 5.0
RP7: 11/18/2010 9:08:01 PM - Removed Skype™ 5.0
RP8: 11/18/2010 9:43:17 PM - Revo Uninstaller's restore point - Pamela Basic 4.0
RP9: 11/18/2010 9:53:22 PM - Revo Uninstaller's restore point - Nero - Burning Rom (Web installer)
RP10: 11/19/2010 6:16:57 PM - After Skype Re-install and MBAM FirewallDisabledNotify Fix
RP11: 11/26/2010 12:25:18 AM - System Checkpoint
RP12: 11/27/2010 4:44:39 AM - System Checkpoint
RP13: 11/28/2010 11:05:46 PM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus
ABBYY FineReader 6.0 Sprint
Acunetix Web Vulnerability Scanner 6.5
Ad-Aware SE Personal
Adobe Acrobat 6.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Advanced System Optimizer 2.10
AOL Instant Messenger
ArcSoft Software Suite
Aspell English Dictionary-0.50-2
ATI Display Driver Utilities
avast! Free Antivirus
AxCrypt (Remove Only)
BCWipe 2.0
BlueSoleil
BUFFALO BuffaloTools Launcher
BUFFALO SecureLockManagerEasy for HD
BUFFALO TurboCopy
BUFFALO TurboPC for FLASH/HDD
COMODO Internet Security
Convert
Cool Edit 96
D-Link Client Installation Program
eFax Messenger
Epson Easy Photo Print 2
EPSON NX300 Series Printer Uninstall
EPSON Scan
ERUNT 1.1j
Eusing Free Registry Cleaner
Glary Utilities 2.8.0.366
GNU Aspell 0.50-3
GNU Privacy Guard
GnuWin32: Wget-1.11.4-1
Google Update Helper
GTK+ Runtime 2.14.7 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
I8kfanGUI V3.1
iGuidance
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 22
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft ActiveSync
Microsoft FrontPage 2000
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Office Converter Pack
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (3.1.6)
NetPerSec
Paint Shop Pro 7
PaperMaster Pro 7.0
Pegasus Mail
PhotoSuite 4 (Remove Only)
Photovista Panorama 2.02
Pidgin
pidgin-otr 3.2.0-1
Pinnacle Hollywood FX 4.6
Pinnacle Studio LINX
PowerDVD
Presto! ImageFolio
Revo Uninstaller 1.83
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
SiSoftware Sandra Professional 2005.SR1 (Win64/32/CE)
Skype™ 5.0
SnadBoy's Revelation
Spectec SDIO WLAN-11b Card for PPC2003
SpeedFan (remove only)
Spybot - Search & Destroy
SpywareBlaster 4.4
Studio 8
TrafficSeeker 6.68
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Videoplayer
Viewpoint Media Player
Vimicro USB PC Camera 301x
WebFldrs XP
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10 Hotfix - KB894476
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WLAN Cardbus Adapter Utility & Driver
Yahoo! Internet Mail
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

11/29/2010 4:11:19 PM, error: Service Control Manager [7034] - The D-Link Configuration Service service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:53 PM, error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:53 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:53 PM, error: Service Control Manager [7034] - The EPSON V5 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:53 PM, error: Service Control Manager [7034] - The EPSON V3 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:52 PM, error: Service Control Manager [7034] - The bufssvr service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:52 PM, error: Service Control Manager [7034] - The BlueSoleil Hid Service service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:52 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:52 PM, error: Service Control Manager [7034] - The Ad-Aware 2007 Service service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 2:33:52 PM, error: Service Control Manager [7034] - The Acunetix WVS Scheduler v6 service terminated unexpectedly. It has done this 1 time(s).
11/28/2010 5:16:33 PM, error: Service Control Manager [7000] - The avast! Mail Scanner service failed to start due to the following error: All pipe instances are busy.
11/28/2010 5:16:06 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Mail Scanner service.
11/28/2010 5:16:06 PM, error: Service Control Manager [7000] - The avast! Mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/28/2010 5:07:07 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Antivirus service.
11/24/2010 4:28:27 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer WINDOWS-I2X63IQ that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B195F31C-246. The master browser is stopping or an election is being forced.
11/23/2010 3:06:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the D-Link Configuration Service service to connect.
11/23/2010 11:51:59 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

==== End Of File ===========================


Following are the earlier Avast trojans etc. that it found when I dumped Norton's and installed comodo and avast which was about a month ago... of which it appears avast fixed/removed. I am running a full avast system, memory etc. scan every night, and the only thing that shows (as well when doing a boot scan), is:

Process 500 [teatimer.exe], memory block 0x000000000012A0000, block size 1310720 (Severity High) Threat JS:ScriptSH-inf [Trj]

Which avast does not fix, nor provides any way to move to chest, repair or delete, and from what I've read on posts, seems to be an error issue with avast, but again, not sure...



11/1/10
Ran Avast full Root Kit scan, then full system scan, then a boot scan. The only things coming up are zip archive files with messages of "ZIP or CAB archive file is corrupted) which most are .exe software install executables and some corrupted files in the RECYCLE.BIN, and some various audio files etc.

11/1/10
Although the generic "adobe acrobat" update window hasn't popped up, out of the blue a bit after adobe flash had updated, some sort of generic message window popped up asking to update flash.

10/30/10 3am
Ran a full boot system scan and all items successfully deleted.

C:\System Volume Information\_restore{3262816D-8DCD-4372-AFB5-4C76BDE4C4F3}\RP872\A0145276.exe (Severity High) Threat: Win32:Injected-AZ

C:\System Volume Information\_restore{3262816D-8DCD-4372-AFB5-4C76BDE4C4F3}\RP872\A0145277.exe (Severity High) Threat: Win32:Injected-AZ

C:\System Volume Information\_restore{3262816D-8DCD-4372-AFB5-4C76BDE4C4F3}\RP872\A0145278.exe (Severity High) Threat: Win32:Adware-GK [Adw]

C:\System Volume Information\_restore{3262816D-8DCD-4372-AFB5-4C76BDE4C4F3}\RP872\A0145278.exe|>%TEMP%\fsg\fsg.exe (Severity Low) PUP: Win32:Gator-P[PUP]

C:\System Volume Information\_restore{3262816D-8DCD-4372-AFB5-4C76BDE4C4F3}\RP872\A0145358.EXE|>%MAINDIR%\javascript...\annoying.js (Severity High) Threat: VBS:Malware-gen

C:\Telecom\Web Page Design\Constellation\Org\CONSE221.EXE|>%MAINDIR%\javascripts\links\annoying.js (Severity High) Threat: VBS:Malware-gen

C:\Utility.sys\Net Tools 5.0\_Orig - privacy.li used to be a sponsor\NetTools5.0.70.zip|>Setup.exe|>{app}\I...\ipscanner.exe (Severity Low) PUP: Win32UP-gen [PUP]



10/28/10
Ran full system scan on Avast and found a few viruses which I deleted, and then later in the scan found a few more that I archived. Ran a second scan, and only the corrupted error pages showed. All items successfully deleted and the following Trojans were found:
C:\Program Files\Vimicro\VM301B\Driver AutoInstall\Action Files\BeforeRemove.exe (Severity High) Threat: Win32:Injected-AZ
C:\Program Files\Vimicro\VM301B\Driver AutoInstall\Action Files\AfterCopy.exe (Severity High) Threat: Win32:Injected-AZ
C:\Finance\TAXES\Form09\2010-capital-gains-Rules.htm (Severity High) Threat: HTML:CVE-2004-1050 [Expl]
C:\F\Business\7_xxx\iLoveFreeWifi Free Wifi Internet Hotspots in Las Vegas, Nevada.htm (Severity High) Threat: VBS:Malware-gen
C:\G\Graphics\CIPART\WebShots\wbsamp.exe (Severity High) Threat: Win32:Adware-GK [Adw]
C:\Attach.dir\__OIS\Statutes\2010-capital-gains-Rules.htm (Severity High) Threat: HTML:CVE-2004-1050 [Expl]





10/26/10
1) Restored computer to earliest ghost backup. GMER was again clean w/o any error messages

Ran content.txt and is saved under Spybot dir After installing COMODO, the GMER errors came back but comments found indicated that they were due to COMODO / Avast.

Installed Comodo which resulted in GMER realtime bootup scan reporting:

Detected NTDLL code modification:
AWClose, ZWOpenFile

Did a system restore to earliest system restore point available on 9/17/10. I did the same on 10/26 but for some reason it is not showing up and a brief rootkit # showed up on GMER, so am doing a system restore again...

2) Uninstalled SpyShelter Outpost and Spybot in safe mode
Booted up in windows
GMER was clean w/o any error messages

3) Uninstalled Nortons in windows as uninstaller
would not work in safe mode

4) Ran Advast rescue disk

At first, a brief rootkit 4# code showed up in GMER, but then went away and the other was not showing.

When starting in Windows, Windows explorer kept opening up on it's own to the Spware Spybot directory indicating that something was trying to access spybot???

10/28/10
6) Installed Comodo in windows as it would not install in safe mode

7) Installed Avast in safe mode

During trying to get things cleaned up,

AIRPLUS.EXE turned out to be running 60+% of computer
resources! Firefox desktop icon also kept turning
into a non associated icon!!!

7) Installed Spybot in a new different directory in safe mode to try to avert what ever it is from finding Spybot right off...



Ran immunization, closed and then restarted and immunizations on Firefox were still active. Ran scan and only found minor fixes, but as soon as I clicked 'fix', the program immediately closes vs. having each get checked with the larger green check mark as it is cleaned.

Spybot firefox immunizations were still active and Spybot had very few temp flies when running scan in windows.

Removed all but most recent restore points
Memory increased from 2.25G to 3.91G

Installed Comodo which resulted in GMER reporting:

Detected NTDLL code modification:
AWClose, ZWOpenFile

which turns out to be hooks and NTDLL code modifications by Comodo and Avast per some comments I found on the net, but not sure...


10/25/10
After installing comodo and avast and running scans which found 5 trojans that norton's wasn't picking up or finding, opened an adobe file from an online banking site and again got a generic box saying "Adobe Acrobat has been updated. Please restart before continue." Which is not proper grammar and most likely a virus!!! And not long after, a music file started playing a file called "paradise", at the same time another message box popped up with something like "processing, please wait..."

I then went back and tried to open another pdf online banking message and got another larger message box with select and drag from left to right two update options w/o any notice or allowance to even allow the updates.

"Adobe Atmostphere Player 1.0 for Acrobat and Adobe" 5.33MB
The Atmosphere Player for Acrobat and Adobe Reader is designed to enable use of Atmosphere environments within a PDF document enabling the user the ability to experience a rich variety of interactive content, including three-dimensional objects, directional sound, streaming audio and video, SWF animations, and physical behaviors.

"Adobe(R) Acrobat Professional patch 6.0.1" 15.18MB
"This will patch Adobe Acrobat 6.0 Professional to version 6.0.1 and includes numerous bug fixes, support for Microsoft Office 2003, Microsoft Visio 2003, AutoCAD 2004, improved support for various scanners, better compatibility with some screen readers, including screen reader interactions with forms, and an easier eBook activation system (including activation on multiple devices). This patch also fixes certain issues when viewing PDF files created in Adobe(R) Photoshop(R), Album, improves compatibility with files created in earlier versions of Acrobat and PDF files created on Mac OSX."

 

[Broni]

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

===============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[PuterOozer]

More logs

Hello Broni,

Has been a challenge to get back to this. Again, while trying to follow through the instructions, am having repeated computer lockups. It seems that after doing any kind of virus scan etc., many times when I go to run another program afterwards, the computer locks up. IF I re-boot I then have a better chance of some random program not locking up and/or not able to shut down the computer normally, and am forced to have to turn off the power, then usually do the chkdisk thing which most of the time doesn't have to trundicate files unless I happened to have a word document or something open when the computer locks up.

In this run, I ran MBRChek without problems and report is below. Then, I went to shut down all antivirus etc. and run ComboFix and 3 problems surfaced.

1) SpywareBlaster which ran fine a few days ago and did a scan as well as updated before I started working with you on this, would not run from it's regular icons... The icons show the software graphic and properties show the current path, but double clicking on the icon, and nothing happens. I had to go find the exe file itself and run it from there and was able to disable the monitoring etc. But then I went and tried to run it from the program group icon, and it ran fine . This also happened when I had activated something when trying to view .pdf's some time back, and icons such as MS Word and thunderbird would do the same thing. Since I did a full restore to an earlier Ghost image and haven't touced anything related to a pdf file, for the most part those kind of issues don't happen, but it sucks not being able to edit/read adobe pdf files for fear of launching some sort of garbage again...

2) some years back had installed Ad-Aware 2007, but was dissapointed in it's performance, as the earlier SE found far more adware and seemed to list/clean up far more usage tracks etc. I don't think their freebie versions allowed the resident monitoring to work and don't see anything in the taskbar, but noticed in some of the prior logs that Ad-Aware might be loading something, not sure. There is an Icon for starting their real-time resident monitoring in the program group, but I don't think it's active (but not sure as I haven't used it since 2007 and I think the freebie versions excluded realtime monitoring) so I didn't 'deactivate' anything regarding Ad-Aware 2007.

3) Started ComboFix and it attempted to create a new system restore point. After a while, what looks like a MS windows message box popped up titled

"Microsoft Windows Recovery Console" saying " this machine does not have the 'Microsoft windows recovery console installed. Alternately, an existing installation of the recovery console may be present, but requires updating.

Without it, ComboFix shall not attempt the fixing of some serious infections.

Click 'Yes" to have ComboFix download/install it.

Note: this requres an active internet connection"


GADS... your instructions say to disable all antivirus software... Comodo has a lot of secondary anti-virus/malware protection as well as their firewall that I disabled. connecting to the internet w/o a firewall seems to me to be suicidal... Hope it wasn't a problem, I turned comodo's firewall back on so ComboFix could do it's thing...

At any rate, I ran MBRCheck and then disabled comodo, avast, sypwareblaster and spybot and ran Combofix and the reports are below.
Please let me know

1) If this comboFix request to download/instal/update windows recovery console is legit/safe. Never seen another software install a windows component like this before...

2) if you know if SpywareBlaster is a safe and legit software to use as I see more and more posts warning of varous free ant-virus anti-spyware software actually having rouge virus's.

Thanks!

------------------------

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x000003ec

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF8C91000 \WINDOWS\system32\KDCOM.DLL
0xF8BA1000 \WINDOWS\system32\BOOTVID.dll
0xF8742000 ACPI.sys
0xF8C93000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF8731000 pci.sys
0xF8791000 isapnp.sys
0xF8BA5000 compbatt.sys
0xF8BA9000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF8C95000 intelide.sys
0xF8A11000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF8713000 pcmcia.sys
0xF87A1000 MountMgr.sys
0xF86F4000 ftdisk.sys
0xF8A19000 PartMgr.sys
0xF87B1000 VolSnap.sys
0xF86DC000 atapi.sys
0xF87C1000 disk.sys
0xF87D1000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF86BC000 fltmgr.sys
0xF86AA000 sr.sys
0xF8687000 Fastfat.sys
0xF8670000 KSecDD.sys
0xF865B000 inspect.sys
0xF862E000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xF8A21000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xF8C97000 speedfan.sys
0xF8613000 Mup.sys
0xF8D59000 giveio.sys
0xF8A29000 BTHidMgr.sys
0xF87E1000 bftpdskc.sys
0xF87F1000 agp440.sys
0xF8811000 \SystemRoot\System32\DRIVERS\p3.sys
0xF8C3D000 \SystemRoot\System32\DRIVERS\CmBatt.sys
0xF8570000 \SystemRoot\system32\DRIVERS\ati2mpab.sys
0xF855C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8A41000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8539000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8A49000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF8821000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF8A51000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF8A59000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF8A61000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF8831000 \SystemRoot\System32\DRIVERS\serial.sys
0xF8C41000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF84FD000 \SystemRoot\System32\DRIVERS\parport.sys
0xF8C45000 \SystemRoot\system32\drivers\pfc.sys
0xF8841000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF8851000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF84DA000 \SystemRoot\System32\DRIVERS\ks.sys
0xF8A69000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF8474000 \SystemRoot\system32\drivers\es198xdl.sys
0xF8450000 \SystemRoot\system32\drivers\portcls.sys
0xF8861000 \SystemRoot\system32\drivers\drmk.sys
0xF843F000 \SystemRoot\system32\DRIVERS\el90xbc5.sys
0xF8871000 \SystemRoot\System32\Drivers\VcommMgr.sys
0xF8C4D000 \SystemRoot\system32\DRIVERS\vbtenum.sys
0xF8A79000 \SystemRoot\system32\DRIVERS\blueletaudio.sys
0xF8A81000 \SystemRoot\system32\DRIVERS\BlueletSCOAudio.sys
0xF8ECB000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF8C9B000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF8A89000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8891000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8C51000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF83E0000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF88A1000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF88B1000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF83CF000 \SystemRoot\System32\DRIVERS\psched.sys
0xF88C1000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF8A91000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF8A99000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF8C5D000 \SystemRoot\system32\DRIVERS\btnetdrv.sys
0xF8AA1000 \SystemRoot\system32\DRIVERS\VComm.sys
0xF839E000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF88D1000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF8C9D000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF82A5000 \SystemRoot\System32\DRIVERS\update.sys
0xF8C65000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF88E1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8901000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8C9F000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF75A0000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xF8CA1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8D61000 \SystemRoot\System32\Drivers\Null.SYS
0xF8CA3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8AB1000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF8AB9000 \SystemRoot\System32\drivers\vga.sys
0xF8CA5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8CA7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8AC1000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8AC9000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8525000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF756D000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF7515000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF8931000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF8AD1000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0xF74ED000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF74CB000 \SystemRoot\System32\drivers\afd.sys
0xF8941000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF74A0000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF7409000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF8961000 \SystemRoot\System32\Drivers\Fips.SYS
0xF73E8000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF8295000 \??\C:\WINDOWS\system32\drivers\fanio.sys
0xF73A1000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF8AE1000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF8971000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF8991000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF8AE9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF826D000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF8AF1000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF7361000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8CB1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF8261000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8AF9000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8DB1000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2drab.dll
0xF7379000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF6A6D000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF6A69000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF6602000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF6195000 \SystemRoot\system32\drivers\wdmaud.sys
0xF61F2000 \SystemRoot\system32\drivers\sysaudio.sys
0xF6023000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF8D07000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF545C000 \SystemRoot\System32\DRIVERS\srv.sys
0xF4BC3000 \SystemRoot\System32\Drivers\HTTP.sys
0xF8B69000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF4045000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
664 C:\WINDOWS\System32\SMSS.EXE
764 CSRSS.EXE
796 C:\WINDOWS\System32\WINLOGON.EXE
840 C:\WINDOWS\System32\SERVICES.EXE
852 C:\WINDOWS\System32\LSASS.EXE
1004 C:\WINDOWS\System32\SVCHOST.EXE
1052 SVCHOST.EXE
1108 C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\CMDAGENT.EXE
1152 C:\WINDOWS\System32\SVCHOST.EXE
1312 SVCHOST.EXE
1392 SVCHOST.EXE
1552 C:\Utility.sys\Spyware Ad-Aware 2007\aawservice.exe
1608 C:\Utility.sys\Spyware - Avast\AvastSvc.exe
1940 C:\WINDOWS\System32\SPOOLSV.EXE
1988 C:\WINDOWS\System32\ACS.EXE
244 SVCHOST.EXE
320 C:\Utility.sys\Web Vulnerability Scanner 6\WVSScheduler.exe
532 C:\WINDOWS\System32\ATI2EVXX.EXE
704 C:\Telecom\_Iphone.dir\BlueTooth\BTNtService.exe
728 SVCHOST.EXE
760 C:\Program Files\BUFFALO\SLManagerEasy\Bufssvr.exe
276 C:\WINDOWS\System32\CISVC.EXE
284 C:\Program Files\BUFFALO\SLManagerEasy\Inputps.exe
292 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
756 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
1216 C:\Program Files\Java\JRE6\BIN\JQS.EXE
1100 C:\WINDOWS\EXPLORER.EXE
1524 C:\WINDOWS\System32\SNMP.EXE
1704 C:\WINDOWS\System32\SVCHOST.EXE
2028 WDFMGR.EXE
2608 C:\WINDOWS\Vm_sti.exe
2668 ALG.EXE
2720 C:\Program Files\D-Link\AIRPLUS.exe
2804 C:\WINDOWS\System32\atiptaxx.exe
2840 C:\WINDOWS\System32\rundll32.exe
2916 C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cfp.exe
2996 C:\Utility.sys\Spyware - Avast\AvastUI.exe
3028 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3040 C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.exe
3148 C:\Utility.sys\I8kFanGui\I8kfanGUI.exe
3212 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
3220 C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
3248 C:\Utility.sys\Spyware - Spybot\TeaTimer.exe
3268 C:\Program Files\Microsoft ActiveSync\rapimgr.exe
3376 C:\Utility.sys\NetPerSec\NetPerSec.exe
3412 C:\WINDOWS\System32\ntvdm.exe
3496 C:\WINDOWS\System32\cidaemon.exe
816 C:\Documents and Settings\Carl\DESKTOP\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: FUJITSUMHV2060ATPL, Rev: 000000A0

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

-----------------------

ComboFix 10-11-30.09 - Carl 12/01/2010 14:48:59.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.113 [GMT -5:00]
Running from: c:\documents and settings\Carl\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xxyay.bak1

.
((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
.

2010-11-30 01:49 . 2010-11-30 01:49 -------- d-----w- C:\FOUND.002
2010-11-19 18:50 . 2010-11-19 18:50 -------- d-----w- c:\documents and settings\Carl\Application Data\Malwarebytes
2010-11-19 18:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 18:49 . 2010-11-19 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-19 18:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 12:58 . 2010-11-19 12:58 -------- d-----w- C:\FOUND.001
2010-11-19 04:07 . 2010-11-19 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-11-18 16:03 . 2010-11-18 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-11 18:30 . 2010-11-11 18:30 -------- d-----w- c:\documents and settings\Carl\Application Data\BUFFALO
2010-11-11 18:30 . 2010-03-01 17:12 398712 ----a-r- c:\windows\UN091114.EXE
2010-11-11 18:30 . 2010-01-08 11:50 39680 ----a-r- c:\windows\system32\drivers\bftpdskc.sys
2010-11-11 18:30 . 2010-03-01 17:12 398712 ----a-r- c:\windows\UN091111.EXE
2010-11-11 18:30 . 2010-01-16 13:40 10624 ----a-r- c:\windows\system32\drivers\bftpusbx.sys
2010-11-11 18:30 . 2010-03-01 17:12 398712 ----a-r- c:\windows\UN091201.EXE
2010-11-11 18:29 . 2010-03-01 17:12 398712 ----a-r- c:\windows\UN090430.EXE
2010-11-11 18:29 . 2010-11-11 18:29 -------- d-----w- c:\program files\BUFFALO
2010-11-06 01:22 . 2010-11-06 01:22 -------- d-----w- C:\FOUND.000
2010-11-04 17:42 . 2010-11-04 17:42 -------- d-----w- c:\documents and settings\Oper\.ehdc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 09:50 . 2010-10-31 14:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2010-03-24 02:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-11 04:41 . 2010-09-11 04:41 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-11 04:40 . 2010-09-11 04:40 91560 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-09-11 04:40 . 2010-09-11 04:40 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-11 04:40 . 2010-09-11 04:40 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-11 04:40 . 2010-09-11 04:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-09-07 16:12 . 2010-10-28 17:52 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 16:11 . 2010-10-28 17:52 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 15:52 . 2010-10-28 17:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 15:52 . 2010-10-28 17:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 15:47 . 2010-10-28 17:52 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 15:47 . 2010-10-28 17:52 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 15:47 . 2010-10-28 17:52 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 15:47 . 2010-10-28 17:52 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 15:46 . 2010-10-28 17:52 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
1998-12-09 06:53 . 1998-12-09 06:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 06:53 . 1998-12-09 06:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 06:53 . 1998-12-09 06:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\utility.sys\I8kFanGui\I8kfanGUI.exe" [2007-02-16 856064]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-12-15 40960]
"AIRPLUS"="c:\program files\D-Link\AIRPLUS.exe" [2005-08-13 733184]
"ATIPTA"="atiptaxx.exe" [2001-09-19 245760]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"COMODO Internet Security"="c:\utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]
"avast5"="c:\utility.sys\Spyware - Avast\avastUI.exe" [2010-09-07 2838912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BuffaloTools"="c:\program files\BUFFALO\BuffaloTools\BuffaloTools.exe" [2010-03-05 169336]

c:\documents and settings\Carl\Start Menu\Programs\Startup\
_drives.lnk - C:\_drives.bat [2005-5-30 75]
NetPerSec.lnk - c:\utility.sys\NetPerSec\NetPerSec.exe [2005-5-31 192512]
SpinWizard.lnk - c:\spinwiz\SPINWIZ.EXE [2005-7-17 248624]
GMER Catchme Real-time Resident Rootkit Scanner.lnk - c:\utility.sys\Spyware GMER Rootkit\catchme.exe [2008-11-27 28672]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Systweak Wallpaper Changer"=wallpaper.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Telecom\\Utility\\Ws_ftp\\WS_FTP95.EXE"=
"c:\\WINDOWS\\System32\\FXSCLNT.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Telecom\\_Iphone.dir\\BlueTooth\\BlueSoleil.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\E_DUPA30.EXE"=
"c:\\Telecom\\_Iphone.dir\\Yahoo\\Messenger\\YahooMessenger.exe"=
"c:\\Telecom\\_Iphone.dir\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 bftpusbx;BUFFALO TurboPC USB Filter;c:\windows\system32\drivers\bftpusbx.sys [2010-01-16 10624]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]
R3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\fd_dbus.sys [2003-05-01 173584]
R3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\DRIVERS\fd_dmdfl.sys [2003-05-01 15248]
R3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\DRIVERS\fd_dmdm.sys [2003-05-01 316272]
S0 bftpdskc;BUFFALO TurboPC Cache Filter;c:\windows\system32\drivers\bftpdskc.sys [2010-01-08 39680]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-11 239240]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-11 25240]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464]
S2 AcuWVSSchedulerv6;Acunetix WVS Scheduler v6;c:\utility.sys\Web Vulnerability Scanner 6\WVSScheduler.exe [2009-07-02 994952]
S2 aswFsBlk;aswFsBlk; [x]
S2 bufssvr;bufssvr;c:\program files\BUFFALO\SLManagerEasy\Bufssvr.exe [2010-03-16 95608]
S3 ati2mpab;ati2mpab;c:\windows\system32\DRIVERS\ati2mpab.sys [2001-09-28 299776]

.
Contents of the 'Scheduled Tasks' folder

2010-12-01 c:\windows\Tasks\GlaryInitialize.job
- c:\utility.sys\RegGlaryUtilities\initialize.exe [2009-01-14 22:58]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-24 21:46]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-24 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 4777
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 4777
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 4777
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 4777
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\AdobeAcrobat XP 6.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Extension: PrefBar: {8A6C82A1-F6C9-481a-AAE7-C96444C9A754} - c:\documents and settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{8A6C82A1-F6C9-481a-AAE7-C96444C9A754}
FF - Extension: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - c:\documents and settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Extension: Personas: personas@christopher.beard - c:\documents and settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\personas@christopher.beard
FF - Extension: PDFescape Extension: {2A1D5949-B519-4924-BF62-8522FE0D5274} - c:\documents and settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MyScreenCam - c:\program files\My Screen Cam\scrcam.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-01 15:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\guard32.dll
.
Completion time: 2010-12-01 15:34:29
ComboFix-quarantined-files.txt 2010-12-01 20:34

Pre-Run: 19,889,029,120 bytes free
Post-Run: 19,851,378,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - CAF4CED90502F16801B56F0FC36663A3

 

[Broni]

First of all, my instructions clearly say not to make any extra changes to your computer, like installing, running other tools, than those requested by me.

Then, yes, recovery console is very important troubleshooting tool for Windows XP.

Combofix log looks fine.

What are the current computer issues?

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[PuterOozer]

OTL results and replies to your Q 1

My appologies if I did not clarify things. since starting to go through the process with you, I haven't purposed to run any other spyware/malware etc. tools. Except for when instructed to turn off, have left anti-virus/firewall software running. I did go in and 'turn off' the daily scan on avast, but you might want to look into how their routines work and let your readers know if they need to go into 'settings' and also disable if needed, as I noticed that it ran another full system scan last night even though I had clicked the "turn off" button on the main screen. Since the files are too large, will post the logs in subsequent posts.

Not very familiar with the avast software yet as I just recently started using it, but evidently if the scheduling settings are ticked, it still runs even though on the main scan window, it shows the scaning to be 'turned off'. For combofix instructions mention to disable all antivirus etc. I don't see any instructions for antivirus programs to be turned off for the OTL so I guess I leave that active? What about teatimer? Teatimer seems to gag some program operations/install etc, so I turned that off before running OTL. Hope that was the right thing to do.

Thanks for the clarifications regarding the recovery console. I had read that a person needs to be sure there's no problems before adding SP3 as it is accumulative, so that as well as being behind on getting things done, have not yet added SP3.

In regards to your Q regarding current computer issues, first, when I went to download the file, all seemed to be fine, no problems other than having to turn off the power and re-start after avast ran another scan (that I detailed above) and logged onto the internet and opened firefox until I clicked on 'save' to save to the desktop and then the computer locked up... I turned off power and re-started but have had to do it twice as the computer locked up as soon as I tried to do anything after booting and had to turn off the power which this time it had to do a chkdisk. The program did get saved to the desktop and after two re-boots, was able to get to it to run it. Do virus' try to block this program name like some do with combofix or rkill?

After running it, the computer seemed at first to lock up after re-booting, so went to safe mode to start up and then too it seemed to lock up, but I waited about 1/2 hr, and the computer finally booted up in safe mode (not sure what was going on, but the HD light was on the whole time hardly blinking at all). After that, was able to re-boot and go into regular windows.

The only other thing that has been occuring during these steps is that after the computer seems like it's finished booting up, if I go to try to open up exploer, start firefox, even turn off the computer, the computer locks up sometimes and I have to turn off the power, turn on, and then of course it does a chkdisk which usually doesn't have any errors (unless in the past I had programs running/documents open etc.) but, after this last function, maybe the computer was not finished completing the startup. Not sure, but this time, after starting and waiting for things to start up in safe mode, I did not have this happen when booting up in windows this time.

As far as other issues, I'm still wary and have not even tried to 'view' a pdf file. I don't know how/what was causing the rouge messages, and it seemed that things deteriorated after opening a pdf file in adobe acrobat 6.0 both times it happened, and so after going back to a prior ghost image, have been reluctant to even try (which is a bummer as I need to read/edit pdf files).

In the past Spybot would also not complete the "fix" function, i.e. after checking for problems, the list of usage tracks etc would be listed, but when clicking on "fix" instead of the software systematically going through the list and putting a big green checkmark next to each item, it would just flash and the program would close, not processing/fixing the items, but during this process have not tried to run spybot to see if it's working ok.

Also, I've read some posts regarding the dangers of Outbound UDP's and some people a person is not to allow any UDP Out's to occur in comodo, but I am not sure if that's the case, as Skype does still have a number of UDP outs, and SVCHOST.EXE also has a few at times. Programs such as Skype are being sandboxed, and when I first installed comodo and this happened, it said that something was likely trying to use those programs to connect to the internet (not sure if that was indeed so), but originally comodo would come up with a boat load of UDP out's and a lot of warning box messages saying that an outside computer was trying to connect. Not having a clue what to do as well as their suggestions to 'deny' if not sure what to do, I went through probably 20 or 30 such requests clicking on 'deny' and clicking 'remember'. Now, it takes a lot longer for Skype to start up, but the warning boxes don't pop up. Still, about 8-10 UDP Out's still show up in active connections for a while when first starting Skype then go away.

Other than that, since I'm not trying much of anything since you mentioned you don't want a person to install/run scans other tools etc., haven't ventured to try things like pdf files etc.

Results of the OTL scan are in the next posts

 

[PuterOozer]

OTL logfile created on: 12/2/2010 4:51:09 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Carl\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 250.00 Mb Available Physical Memory | 49.00% Memory free
864.00 Mb Paging File | 570.00 Mb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 18.48 Gb Free Space | 33.08% Space Free | Partition Type: FAT32

Computer Name: WINDOWS-xp1212 | User Name: Carl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/02 15:53:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl\desktop\OTL.exe
PRC - [2010/09/10 23:41:42 | 001,901,056 | ---- | M] (COMODO) -- C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2010/09/10 23:41:20 | 002,500,552 | ---- | M] (COMODO) -- C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cfp.exe
PRC - [2010/09/07 11:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Utility.sys\Spyware - Avast\AvastUI.exe
PRC - [2010/09/07 11:12:00 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Utility.sys\Spyware - Avast\AvastSvc.exe
PRC - [2010/04/08 01:28:06 | 000,161,144 | R--- | M] (BUFFALO INC.) -- C:\Program Files\BUFFALO\SLManagerEasy\Inputps.exe
PRC - [2010/03/16 01:03:38 | 000,095,608 | R--- | M] (BUFFALO INC.) -- C:\Program Files\BUFFALO\SLManagerEasy\Bufssvr.exe
PRC - [2010/03/05 04:08:22 | 000,169,336 | R--- | M] (BUFFALO INC.) -- C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.exe
PRC - [2009/07/02 10:59:30 | 000,994,952 | ---- | M] (Acunetix Ltd.) -- C:\Utility.sys\Web Vulnerability Scanner 6\WVSScheduler.exe
PRC - [2008/10/07 16:25:50 | 000,095,744 | ---- | M] (j2 Global Communications, Inc.) -- C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
PRC - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) -- C:\Utility.sys\Spyware Ad-Aware 2007\aawservice.exe
PRC - [2007/12/16 14:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
PRC - [2007/06/13 06:23:08 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/16 12:58:12 | 000,856,064 | ---- | M] (Christian Diefer) -- C:\Utility.sys\I8kFanGui\I8kfanGUI.exe
PRC - [2007/01/10 14:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2005/08/12 19:34:52 | 000,733,184 | ---- | M] (D-Link) -- C:\Program Files\D-Link\AIRPLUS.exe
PRC - [2005/04/26 22:26:00 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/04/06 16:03:28 | 000,110,592 | ---- | M] () -- C:\Telecom\_Iphone.dir\BlueTooth\BTNtService.exe
PRC - [2004/12/15 06:01:44 | 000,040,960 | ---- | M] (Vimicro) -- C:\WINDOWS\Vm_sti.exe
PRC - [2004/08/04 00:56:56 | 000,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2001/09/19 11:20:34 | 000,245,760 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\atiptaxx.exe


========== Modules (SafeList) ==========

MOD - [2010/12/02 15:53:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl\desktop\OTL.exe
MOD - [2010/09/10 23:41:40 | 000,285,480 | ---- | M] (COMODO) -- C:\WINDOWS\system32\guard32.dll
MOD - [2010/03/04 12:17:08 | 000,057,344 | R--- | M] (BUFFALO INC.) -- C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.dll
MOD - [2006/08/25 11:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/09/10 23:41:42 | 001,901,056 | ---- | M] (COMODO) [Auto | Running] -- C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2010/09/07 11:12:00 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Utility.sys\Spyware - Avast\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 11:12:00 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Utility.sys\Spyware - Avast\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 11:12:00 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Utility.sys\Spyware - Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/16 01:03:38 | 000,095,608 | R--- | M] (BUFFALO INC.) [Auto | Running] -- C:\Program Files\BUFFALO\SLManagerEasy\Bufssvr.exe -- (bufssvr)
SRV - [2009/07/02 10:59:30 | 000,994,952 | ---- | M] (Acunetix Ltd.) [Auto | Running] -- C:\Utility.sys\Web Vulnerability Scanner 6\WVSScheduler.exe -- (AcuWVSSchedulerv6)
SRV - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Utility.sys\Spyware Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007/12/16 14:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)
SRV - [2007/01/10 14:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
SRV - [2005/04/26 22:26:00 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005/04/06 16:03:28 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\Telecom\_Iphone.dir\BlueTooth\BTNtService.exe -- (BlueSoleil Hid Service)
SRV - [2005/01/29 18:29:16 | 000,173,040 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Utility.sys\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe -- (SandraDataSrv)
SRV - [2005/01/29 18:29:12 | 001,135,592 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Utility.sys\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe -- (SandraTheSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20070426.003\symidsco.sys -- (SYMIDSCO)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\jswimd.sys -- (jswimd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Carl\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/09/10 23:40:54 | 000,091,560 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2010/09/10 23:40:52 | 000,239,240 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2010/09/10 23:40:52 | 000,025,240 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2010/09/07 10:52:26 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 10:52:04 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 10:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 10:47:20 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 10:47:08 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 10:46:52 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/01/16 08:40:26 | 000,010,624 | R--- | M] (BUFFALO INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bftpusbx.sys -- (bftpusbx)
DRV - [2010/01/08 06:50:02 | 000,039,680 | R--- | M] (BUFFALO INC.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\bftpdskc.sys -- (bftpdskc)
DRV - [2007/02/16 05:05:48 | 000,014,464 | ---- | M] (Christian Diefer) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fanio.sys -- (fanio)
DRV - [2006/09/24 09:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2005/10/23 17:25:12 | 000,023,000 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2005/10/23 17:21:42 | 000,010,068 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BtNetDrv.sys -- (BT)
DRV - [2005/08/31 10:34:52 | 000,020,480 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2005/08/31 10:34:10 | 000,020,480 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2005/08/11 17:56:08 | 000,463,104 | ---- | M] (D-Link ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/07/29 16:21:32 | 000,011,988 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VBTEnum.sys -- (BTHidEnum)
DRV - [2005/04/30 14:50:10 | 000,028,271 | ---- | M] (IVT Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2005/03/25 17:18:48 | 000,082,148 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2004/12/16 16:32:54 | 000,013,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BTNetFilter.sys -- (BTNetFilter)
DRV - [2004/10/19 13:37:38 | 000,061,312 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2004/08/05 18:05:02 | 000,090,532 | ---- | M] (VM) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbVM31b.sys -- (ZSMC301b) Vimicro USB PC Camera (ZC0301PL)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2003/06/17 11:03:00 | 000,079,360 | ---- | M] (Inprocomm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IPN2120.SYS -- (IPN2120)
DRV - [2003/05/01 15:10:10 | 000,316,272 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fd_dmdm.sys -- (fd_dmdm)
DRV - [2003/05/01 15:09:58 | 000,015,248 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fd_dmdfl.sys -- (fd_dmdfl)
DRV - [2003/05/01 15:08:48 | 000,173,584 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fd_dbus.sys -- (fd_dbus) FutureDial USB Composite Device driver (WDM)
DRV - [2002/10/07 15:16:10 | 000,075,168 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2002/10/07 15:16:10 | 000,042,992 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2002/06/20 17:53:54 | 000,414,400 | ---- | M] (ESS Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es198xdl.sys -- (maestro) ESS Maestro Audio Driver (WDM)
DRV - [2002/06/13 14:08:46 | 000,014,604 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/05/02 12:52:22 | 000,017,134 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)
DRV - [2001/12/03 12:55:14 | 000,155,264 | ---- | M] (Zoran Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuvvid2.sys -- (nuvvid2)
DRV - [2001/12/03 12:55:12 | 000,026,560 | ---- | M] (Zoran Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuvaud2.sys -- (nuvaud2)
DRV - [2001/09/28 09:13:10 | 000,299,776 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mpab.sys -- (ati2mpab)
DRV - [2001/08/17 12:48:56 | 000,289,664 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atimpab.sys -- (atimpab)
DRV - [2001/08/17 12:13:20 | 000,027,164 | ---- | M] (Xircom, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CE3N5.SYS -- (CE3)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
DRV - [2001/08/17 12:10:58 | 000,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)
DRV - [2000/07/16 11:52:42 | 000,136,352 | ---- | M] (Nogatech Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Nuvision.sys -- (NUVision)
DRV - [1996/04/03 15:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {3205B348-523A-4fac-9BC4-9939CBF583B0}:2.1.5
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: {8A6C82A1-F6C9-481a-AAE7-C96444C9A754}:5.1.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.2
FF - prefs.js..extensions.enabledItems: {2A1D5949-B519-4924-BF62-8522FE0D5274}:0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.gopher: ""
FF - prefs.js..network.proxy.backup.gopher_port: 0
FF - prefs.js..network.proxy.backup.socks: "127.0.0.1"
FF - prefs.js..network.proxy.backup.socks_port: 81
FF - prefs.js..network.proxy.backup.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.backup.ssl_port: 81
FF - prefs.js..network.proxy.ftp: "localhost"
FF - prefs.js..network.proxy.ftp_port: 4777
FF - prefs.js..network.proxy.gopher: "localhost"
FF - prefs.js..network.proxy.gopher_port: 4777
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 4777
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 4777
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Firefox\components [2007/07/17 13:29:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Firefox\plugins [2007/07/17 13:29:10 | 000,000,000 | ---D | M]

[2008/09/05 15:38:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Extensions
[2010/09/08 22:30:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Carl\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2007/07/17 13:29:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions
[2010/09/11 11:38:40 | 000,000,000 | ---D | M] (PDFescape Extension) -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}
[2010/08/15 18:51:18 | 000,000,000 | ---D | M] (Old Location Bar) -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
[2009/10/15 23:05:18 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/08/17 13:01:42 | 000,000,000 | ---D | M] (PrefBar) -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{8A6C82A1-F6C9-481a-AAE7-C96444C9A754}
[2010/02/11 14:00:22 | 000,000,000 | ---D | M] (Live HTTP Headers) -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
[2010/09/18 22:18:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\CertPatrol@PSYC(2).EU
[2010/09/23 05:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\en-US@dictionaries.addons.mozilla(2).org
[2010/10/08 18:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\es-es@dictionaries.addons.mozilla(2).org
[2010/03/21 19:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\personas@christopher.beard
[2009/10/31 11:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\seo4firefox@seobook(2).com
[2010/09/24 22:02:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\unplug@compunach(2)
[2010/11/16 15:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\extensions\unplug@compunach(3)
[2008/06/03 10:39:54 | 000,001,340 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\bbc-news.xml
[2008/06/24 16:58:20 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\webster.xml
[2009/06/21 22:29:28 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\espn.xml
[2008/06/24 16:58:14 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\askcom.xml
[2007/07/17 15:34:08 | 000,001,035 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\usatodaycom.xml
[2008/06/24 16:58:22 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\wikipedia-en.xml
[2007/07/17 16:01:00 | 000,002,095 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\expediacom.xml
[2007/07/17 16:01:22 | 000,001,437 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\yahoo-answers.xml
[2007/10/10 21:08:16 | 000,001,355 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\godaddycom.xml
[2010/11/26 18:49:52 | 000,002,143 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\marketwatch.xml
[2010/11/26 18:49:52 | 000,001,835 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\weathercom.xml

O1 HOSTS File: ([2010/12/01 15:11:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobat XP 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utility.sys\Spyware - Spybot\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\AdobeAcrobat XP 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\AdobeAcrobat XP 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\AdobeAcrobat XP 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\AdobeAcrobat XP 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [AIRPLUS] C:\Program Files\D-Link\AIRPLUS.exe (D-Link)
O4 - HKLM..\Run: [ATIPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avast5] C:\Utility.sys\Spyware - Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE (Vimicro)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [BuffaloTools] C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.exe (BUFFALO INC.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Utility.sys\Spyware - Comodo\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [i8kfangui] C:\Utility.sys\I8kFanGui\I8kfanGUI.exe (Christian Diefer)
O4 - Startup: C:\Documents and Settings\Carl\Start Menu\Programs\Startup\_drives.lnk = C:\_drives.bat ()
O4 - Startup: C:\Documents and Settings\Carl\Start Menu\Programs\Startup\NetPerSec.lnk = C:\Utility.sys\NetPerSec\NetPerSec.exe (Ziff-Davis Media, Inc.)
O4 - Startup: C:\Documents and Settings\Carl\Start Menu\Programs\Startup\SpinWizard.lnk = C:\Spinwiz\SPINWIZ.EXE ()
O4 - Startup: C:\Documents and Settings\Carl\Start Menu\Programs\Startup\GMER Catchme Real-time Resident Rootkit Scanner.lnk = C:\Utility.sys\Spyware GMER Rootkit\catchme.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Telecom\_Iphone.dir\IM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utility.sys\Spyware - Spybot\SDHelper.dll (Safer Networking Limited)
O12 - Plugin for: .fpx - C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll ()
O12 - Plugin for: .ivr - C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll ()
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} Reg Error: Value error. (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: DirectAnimation Java Classes Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\IslandView2.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\IslandView2.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/30 16:16:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: VIDC.NTN1 - C:\WINDOWS\System32\NUVision.ax (Zoran Ltd.)
Drivers32: VIDC.PIM1 - C:\WINDOWS\System32\pclepim1.dll (Pinnacle Systems)
Drivers32: VIDC.PIXL - C:\WINDOWS\System32\pclepixl.dll (Pinnacle Systems)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54901231209938944)

========== Files/Folders - Created Within 30 Days ==========

[2010/12/02 15:53:54 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Carl\Desktop\OTL.exe
[2010/12/01 15:54:17 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/12/01 14:43:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/12/01 14:28:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/12/01 14:28:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/12/01 14:28:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/12/01 14:28:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/12/01 14:27:46 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/12/01 14:23:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/29 20:49:12 | 000,000,000 | ---D | C] -- C:\FOUND.002
[2010/11/19 13:50:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carl\Application Data\Malwarebytes
[2010/11/19 13:49:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/19 13:49:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/11/19 13:49:44 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/19 07:58:02 | 000,000,000 | ---D | C] -- C:\FOUND.001
[2010/11/18 23:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/11/11 13:30:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Carl\Application Data\BUFFALO
[2010/11/11 13:30:39 | 000,398,712 | R--- | C] (BUFFALO INC.) -- C:\WINDOWS\UN091114.EXE
[2010/11/11 13:30:36 | 000,039,680 | R--- | C] (BUFFALO INC.) -- C:\WINDOWS\System32\drivers\bftpdskc.sys
[2010/11/11 13:30:35 | 000,398,712 | R--- | C] (BUFFALO INC.) -- C:\WINDOWS\UN091111.EXE
[2010/11/11 13:30:35 | 000,010,624 | R--- | C] (BUFFALO INC.) -- C:\WINDOWS\System32\drivers\bftpusbx.sys
[2010/11/11 13:30:32 | 000,398,712 | R--- | C] (BUFFALO INC.) -- C:\WINDOWS\UN091201.EXE
[2010/11/11 13:29:37 | 000,398,712 | R--- | C] (BUFFALO INC.) -- C:\WINDOWS\UN090430.EXE
[2010/11/11 13:29:36 | 000,000,000 | ---D | C] -- C:\Program Files\BUFFALO
[2010/11/05 20:22:54 | 000,000,000 | ---D | C] -- C:\FOUND.000
[2010/11/02 21:09:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[1998/12/09 01:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 01:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 01:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 01:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 01:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/09 01:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL

========== Files - Modified Within 30 Days ==========

[2010/12/02 17:05:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/02 16:41:48 | 000,047,011 | ---- | M] () -- C:\WINDOWS\Spinwiz.ar
[2010/12/02 16:41:48 | 000,000,187 | ---- | M] () -- C:\WINDOWS\Spinwiz.ini
[2010/12/02 16:25:28 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/12/02 16:25:26 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/02 16:24:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/02 15:53:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl\Desktop\OTL.exe
[2010/12/02 13:51:20 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/12/02 10:49:02 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2010/12/01 14:43:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/12/01 12:47:00 | 003,983,387 | R--- | M] () -- C:\Documents and Settings\Carl\Desktop\ComboFix.exe
[2010/12/01 12:07:08 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Carl\Desktop\MBRCheck.exe
[2010/11/25 10:21:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/24 10:11:52 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Carl\Desktop\Word.lnk
[2010/11/19 13:49:54 | 000,000,556 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/19 13:32:12 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\Carl\Desktop\Excel.lnk
[2010/11/18 11:14:22 | 000,002,622 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/11/11 15:16:14 | 000,001,379 | ---- | M] () -- C:\Documents and Settings\Carl\Desktop\Windows Explorer.lnk
[2010/11/10 21:23:56 | 000,000,550 | ---- | M] () -- C:\Documents and Settings\Carl\Desktop\Mozilla Thunderbird.lnk
[2010/11/08 20:24:00 | 001,012,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/03 05:43:26 | 000,000,876 | ---- | M] () -- C:\WINDOWS\wininit.ini

========== Files Created - No Company Name ==========

[2010/12/01 14:43:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/12/01 14:43:18 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/12/01 14:28:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/01 14:28:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/01 14:28:08 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/01 14:28:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/01 14:28:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/01 12:46:16 | 003,983,387 | R--- | C] () -- C:\Documents and Settings\Carl\Desktop\ComboFix.exe
[2010/12/01 12:07:47 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Carl\Desktop\MBRCheck.exe
[2010/11/29 14:04:39 | 000,000,187 | ---- | C] () -- C:\WINDOWS\Spinwiz.ini
[2010/11/19 13:49:52 | 000,000,556 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/18 23:09:05 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/11/11 13:30:39 | 000,012,448 | R--- | C] () -- C:\WINDOWS\UN091114.INI
[2010/11/11 13:30:35 | 000,030,592 | R--- | C] () -- C:\WINDOWS\UN091111.INI
[2010/11/11 13:30:32 | 000,012,167 | R--- | C] () -- C:\WINDOWS\UN091201.INI
[2010/11/11 13:29:37 | 000,009,793 | R--- | C] () -- C:\WINDOWS\UN090430.INI
[2008/12/01 14:54:00 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/12/01 14:51:23 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPSNX300.ini
[2008/11/27 23:55:10 | 000,000,297 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/11/27 23:55:09 | 000,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/04/07 17:09:42 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/12/16 13:38:44 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Carl\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/28 19:56:48 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Carl\Application Data\$_hpcst$.hpc
[2007/08/18 21:08:06 | 000,000,049 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2006/12/17 20:32:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/08/19 12:57:37 | 000,000,029 | ---- | C] () -- C:\WINDOWS\qbwcd.ini
[2006/08/19 12:47:38 | 000,001,385 | ---- | C] () -- C:\WINDOWS\QfnOnl.ini
[2006/08/19 12:47:29 | 000,000,362 | ---- | C] () -- C:\WINDOWS\QDQICK.INI
[2006/08/19 12:47:29 | 000,000,038 | ---- | C] () -- C:\WINDOWS\ACCWIZ.INI
[2006/08/19 12:47:29 | 000,000,021 | ---- | C] () -- C:\WINDOWS\QFNOA.INI
[2006/08/06 14:42:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\yayxx.dll
[2006/07/26 19:21:33 | 000,000,020 | ---- | C] () -- C:\WINDOWS\DOSAPP.INI
[2006/07/09 17:32:14 | 000,000,135 | ---- | C] () -- C:\WINDOWS\EPSON CX5200 Installer.ini
[2006/03/22 16:37:33 | 000,233,606 | ---- | C] () -- C:\WINDOWS\System32\jswsup.dll
[2006/01/18 02:44:02 | 000,045,699 | ---- | C] () -- C:\WINDOWS\unvpeye.ini
[2005/12/05 16:35:40 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/11/18 22:06:56 | 000,000,182 | ---- | C] () -- C:\WINDOWS\dgnsetup.ini
[2005/11/17 21:26:29 | 000,028,747 | ---- | C] () -- C:\WINDOWS\System32\KMemoryMMX.dll
[2005/11/17 21:26:29 | 000,024,653 | ---- | C] () -- C:\WINDOWS\System32\KMemoryPIII.dll
[2005/11/17 21:26:29 | 000,024,632 | ---- | C] () -- C:\WINDOWS\System32\KMemory.dll
[2005/11/17 21:26:29 | 000,020,546 | ---- | C] () -- C:\WINDOWS\System32\KMemoryC.dll
[2005/11/17 21:25:53 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2005/11/17 21:25:47 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2005/11/17 21:25:47 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EnrouteStitch.dll
[2005/11/17 21:25:46 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL
[2005/11/17 21:25:45 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL
[2005/11/17 21:25:45 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL
[2005/11/17 20:42:59 | 000,003,565 | ---- | C] () -- C:\WINDOWS\imgfolio.ini
[2005/11/17 20:22:56 | 000,000,290 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2005/08/29 23:51:06 | 000,003,812 | ---- | C] () -- C:\WINDOWS\COOL.INI
[2005/08/20 16:41:10 | 000,003,319 | ---- | C] () -- C:\WINDOWS\WPR.INI
[2005/07/29 16:21:32 | 000,011,988 | ---- | C] () -- C:\WINDOWS\System32\drivers\VBTEnum.sys
[2005/07/23 20:08:45 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Carl\Local Settings\Application Data\fusioncache.dat
[2005/07/22 23:54:44 | 000,000,636 | ---- | C] () -- C:\WINDOWS\tlknw80.ini
[2005/07/19 20:58:46 | 000,008,179 | ---- | C] () -- C:\WINDOWS\lviewp.ini
[2005/07/17 19:17:53 | 000,000,876 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/17 15:04:35 | 000,000,187 | ---- | C] () -- C:\WINDOWS\Spinwiz.bkk.ini
[2005/07/17 14:14:49 | 000,000,022 | ---- | C] () -- C:\WINDOWS\WS_FTP.INI
[2005/06/20 21:55:14 | 000,000,187 | ---- | C] () -- C:\WINDOWS\CoverDes.INI
[2005/06/04 20:13:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2005/06/04 19:16:48 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2005/06/04 19:06:12 | 000,000,204 | ---- | C] () -- C:\WINDOWS\EPSON RX500 Installer.ini
[2005/05/30 23:49:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/30 17:16:04 | 000,061,616 | ---- | C] () -- C:\WINDOWS\System32\drivers\atinrvxx.sys
[2005/05/30 17:16:04 | 000,058,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\atinbtxx.sys
[2005/05/30 17:16:04 | 000,032,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\atinraxx.sys
[2005/05/30 17:16:04 | 000,027,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atinxbxx.sys
[2005/05/30 17:16:04 | 000,024,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\atintuxx.sys
[2005/05/30 17:16:04 | 000,023,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\atinsnxx.sys
[2005/05/30 15:50:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/12/16 16:32:54 | 000,013,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\BTNetFilter.sys
[2001/06/24 17:32:44 | 000,172,032 | ---- | C] () -- C:\WINDOWS\japi2.dll
[2000/07/28 18:48:12 | 000,102,400 | ---- | C] () -- C:\WINDOWS\japi.dll
[1999/01/22 17:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 07:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2005/05/30 23:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2005/07/17 22:35:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2005/07/23 21:53:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2006/06/16 19:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\j2 Global
[2006/08/19 11:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2008/04/11 12:43:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2008/12/01 14:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/12/01 14:57:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2009/08/18 23:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Agnitum
[2010/04/19 13:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.4 Output
[2010/08/18 05:17:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/10/28 12:51:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2005/06/04 19:32:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Leadertech
[2005/07/05 21:36:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\EPSON
[2008/09/24 12:04:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\.purple
[2005/07/17 22:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Aim
[2005/07/23 20:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\IsolatedStorage
[2005/07/23 22:02:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\ScanSoft
[2005/08/20 23:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Jasc
[2006/01/19 00:49:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Systweak
[2006/06/16 19:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\j2
[2006/07/02 13:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\eFax Messenger
[2010/04/19 13:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\j2 Global
[2008/08/07 15:54:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\NwDocx
[2008/09/24 12:06:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\gtk-2.0
[2008/09/24 15:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Thunderbird
[2009/01/13 20:33:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\GlarySoft
[2009/01/23 11:47:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\Pamela
[2010/11/11 13:30:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carl\Application Data\BUFFALO
[2010/12/02 16:25:28 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/12/02 16:24:16 | 000,101,146 | ---- | M] () -- C:\BOOTEX.LOG
[2006/01/28 23:15:18 | 000,013,030 | ---- | M] () -- C:\PDOXUSRS.NET
[2005/11/17 21:22:24 | 000,014,147 | ---- | M] () -- C:\PVOEM_debug.txt
[2007/01/29 22:09:02 | 000,000,000 | ---- | M] () -- C:\HPSW.CKI
[2010/11/29 11:48:52 | 000,043,725 | ---- | M] () -- C:\winzip.log
[2005/05/30 17:05:32 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2005/05/30 17:05:32 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/12/01 14:43:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2005/05/30 16:16:54 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/05/30 16:16:54 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/05/30 16:16:54 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2005/05/30 16:16:54 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/11/26 21:21:40 | 000,000,075 | ---- | M] () -- C:\_drives.bat
[2006/01/16 16:39:36 | 000,000,611 | ---- | M] () -- C:\DeviceManageHiddenDevices.bat
[2007/02/09 00:42:28 | 000,024,064 | ---- | M] () -- C:\fat32format.exe
[2008/01/12 21:57:36 | 000,031,562 | ---- | M] () -- C:\ASLog.txt
[2009/06/25 20:13:44 | 000,000,000 | ---- | M] () -- C:\plx_proxy.log
[2009/07/26 19:02:34 | 000,000,504 | ---- | M] () -- C:\functionalLog.txt
[2005/07/05 21:30:54 | 000,000,094 | ---- | M] () -- C:\twacker.org.log
[2010/12/02 16:24:18 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
[2010/11/19 18:26:48 | 000,001,605 | ---- | M] () -- C:\rkill.log
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2006/08/19 11:42:54 | 000,000,211 | ---- | M] () -- C:\Boot.bak

 

[PuterOozer]

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2005/05/30 16:15:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[1998/12/11 23:29:52 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\OLFPNT40.DLL

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[1993/05/04 15:59:32 | 000,021,552 | ---- | M] () -- C:\WINDOWS\GOSSAMER.SCR
[1995/03/16 11:16:34 | 000,064,976 | ---- | M] () -- C:\WINDOWS\HUMBIRD.SCR
[1995/07/10 14:10:00 | 000,044,128 | ---- | M] () -- C:\WINDOWS\MCSAVER.SCR
[1994/12/14 15:55:38 | 000,034,128 | ---- | M] () -- C:\WINDOWS\MONKEY.SCR
[1994/05/23 14:09:58 | 000,037,568 | ---- | M] () -- C:\WINDOWS\OLDGLORY.SCR
[1996/07/17 12:15:06 | 000,022,080 | ---- | M] () -- C:\WINDOWS\PROSTAR.SCR
[1994/12/14 16:00:50 | 000,151,888 | ---- | M] () -- C:\WINDOWS\REPTILES.SCR
[1993/11/01 03:11:00 | 000,005,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SCRNSAVE.SCR
[1993/11/01 03:11:00 | 000,016,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SSFLYWIN.SCR
[1993/11/01 03:11:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SSMARQUE.SCR
[1992/03/10 03:10:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SSMYST.SCR
[1993/11/01 03:11:00 | 000,017,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SSSTARS.SCR
[1999/04/23 22:22:00 | 000,091,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Channel Screen Saver.SCR
[2010/09/07 11:12:18 | 000,038,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >
[2004/05/18 16:26:04 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Yahoo! Mail.url
[2004/05/18 16:13:06 | 000,000,207 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Yahoo!.url

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2005/05/30 15:47:46 | 000,401,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
[2005/05/30 15:47:46 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/05/30 15:47:46 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2005/05/30 17:17:36 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2005/05/30 17:30:36 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Carl\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2005/05/30 16:29:48 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/12/01 12:07:08 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Carl\desktop\MBRCheck.exe
[2010/12/01 12:47:00 | 003,983,387 | R--- | M] () -- C:\Documents and Settings\Carl\desktop\ComboFix.exe
[2010/12/02 15:53:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl\desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >
[1998/12/09 01:53:54 | 000,099,840 | ---- | M] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 01:53:54 | 000,048,640 | ---- | M] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 01:53:54 | 000,070,144 | ---- | M] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 01:53:54 | 000,186,368 | ---- | M] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 01:53:54 | 000,017,920 | ---- | M] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[1998/12/09 01:53:54 | 000,031,744 | ---- | M] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2001/08/23 05:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2005/05/30 17:30:36 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Carl\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/12/02 16:33:38 | 000,245,760 | ---- | M] () -- C:\Documents and Settings\Carl\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2004/09/22 18:46:10 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2002/08/20 15:30:06 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2002/08/20 15:30:06 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2002/08/20 15:29:48 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2002/08/20 15:29:46 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2002/08/20 12:32:20 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2002/08/20 15:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe
[2002/08/20 12:32:22 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
[2002/08/20 12:32:18 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2004/07/17 11:41:06 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm
[2004/08/04 00:56:14 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2004/08/04 00:56:42 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2004/10/13 12:24:38 | 001,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2008/05/02 10:22:02 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >
[1996/12/04 10:19:08 | 000,264,704 | ---- | M] (Inverse Network Technology Inc.) -- C:\WINDOWS\system\ACCWIZ32.EXE

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-11-10 15:19:19


< End of report >

 

[PuterOozer]

OTL Extras logfile created on: 12/2/2010 4:51:09 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Carl\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 250.00 Mb Available Physical Memory | 49.00% Memory free
864.00 Mb Paging File | 570.00 Mb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 18.48 Gb Free Space | 33.08% Space Free | Partition Type: FAT32

Computer Name: WINDOWS-xp1212 | User Name: Carl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[carl]\carl]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabledxpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabledxpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabledxpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabledxpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabledxpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabledxpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabledxpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabledxpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Telecom\Utility\Ws_ftp\WS_FTP95.EXE" = C:\Telecom\Utility\Ws_ftp\WS_FTP95.EXE:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA 02173)
"C:\WINDOWS\System32\FXSCLNT.exe" = C:\WINDOWS\System32\FXSCLNT.exe:*isabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office\1033\WFXMSRVR.EXE" = C:\Program Files\Microsoft Office\Office\1033\WFXMSRVR.EXE:*:Enabled:WFXMSRVR -- ()
"C:\Telecom\_Iphone.dir\BlueTooth\BlueSoleil.exe" = C:\Telecom\_Iphone.dir\BlueTooth\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\E_DUPA30.EXE" = C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\E_DUPA30.EXE:*:Enabled:EPSON Driver Update -- (SEIKO EPSON CORPORATION)
"C:\Telecom\_Iphone.dir\Yahoo\Messenger\YahooMessenger.exe" = C:\Telecom\_Iphone.dir\Yahoo\Messenger\YahooMessenger.exe:*isabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{00120409-78E1-11D2-B60F-006097C998E7}" = Microsoft FrontPage 2000
"{23970E31-948B-466E-8376-1224D32FDF0C}" = Convert
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 22
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = D-Link Client Installation Program
"{339F110C-B90C-4324-8A6A-2BA1705886D7}" = PaperMaster Pro 7.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38F0F8B4-3786-42D6-A82C-DF1FEB010C46}" = BlueSoleil
"{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}" = Vimicro USB PC Camera 301x
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53EF6570-21A4-47ED-A40A-E6470A5677A3}" = Studio 8
"{5C9C949C-B9CA-463E-A436-39BC56A3522B}" = WLAN Cardbus Adapter Utility & Driver
"{634F6989-4BB5-4EF2-AF6F-C15700F81494}}_is1" = Advanced System Optimizer 2.10
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66C8BE35-8BBB-472B-96C7-C7C9A499F988}" = ArcSoft Software Suite
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack
"{6F983043-8A0B-44EB-AD4F-F1C1AE5AEC91}" = Spectec SDIO WLAN-11b Card for PPC2003
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{91A77B88-7702-453F-8AA5-545CFD07A1DD}" = iGuidance
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-7760-000000000001}" = Adobe Acrobat 6.0 Professional
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BBC97D54-E28A-48F3-965A-DF36EC4EF85C}" = TrafficSeeker 6.68
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{DEDB47A3-C988-4A43-A645-E2CEA571E680}" = Epson Easy Photo Print 2
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E60BFE17-F44C-4A28-9ACF-1DD7362B0278}_is1" = Acunetix Web Vulnerability Scanner 6.5
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{FD8E178D-8B4E-42DA-B434-EFF270329B1C}" = COMODO Internet Security
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"AOL Instant Messenger" = AOL Instant Messenger
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"ATI Display Driver" = ATI Display Driver Utilities
"avast5" = avast! Free Antivirus
"AxCrypt" = AxCrypt (Remove Only)
"BCWipe" = BCWipe 2.0
"Cool Edit 96" = Cool Edit 96
"EPSON NX300 Series" = EPSON NX300 Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Glary Utilities_is1" = Glary Utilities 2.8.0.366
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GnuPG" = GNU Privacy Guard
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HijackThis" = HijackThis 2.0.2
"Hollywood FX 4.6" = Pinnacle Hollywood FX 4.6
"I8kfanGUI" = I8kfanGUI V3.1
"InstallShield_{6F983043-8A0B-44EB-AD4F-F1C1AE5AEC91}" = Spectec SDIO WLAN-11b Card for PPC2003
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Mozilla Thunderbird (3.1.6)" = Mozilla Thunderbird (3.1.6)
"NetPerSec" = NetPerSec
"Pegasus Mail" = Pegasus Mail
"Photovista Panorama 2.02" = Photovista Panorama 2.02
"Pidgin" = Pidgin
"pidgin-otr" = pidgin-otr 3.2.0-1
"Pinnacle Studio LINX" = Pinnacle Studio LINX
"Presto! ImageFolio" = Presto! ImageFolio
"Revo Uninstaller" = Revo Uninstaller 1.83
"ROXIO_PRISM_V4_0" = PhotoSuite 4 (Remove Only)
"SiSoftware Sandra Professional 2005.SR1_is1" = SiSoftware Sandra Professional 2005.SR1 (Win64/32/CE)
"SnadBoy's Revelation" = SnadBoy's Revelation
"SpeedFan" = SpeedFan (remove only)
"SpywareBlaster_is1" = SpywareBlaster 4.4
"UN090430" = BUFFALO SecureLockManagerEasy for HD
"UN091111" = BUFFALO TurboPC for FLASH/HDD
"UN091114" = BUFFALO TurboCopy
"UN091201" = BUFFALO BuffaloTools Launcher
"Videoplayer" = Videoplayer
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"Wget-1.11.4-1_is1" = GnuWin32: Wget-1.11.4-1
"Wget-src-1.11.4-1_is1" = GnuWin32: Wget-1.11.4-1
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/24/2033 6:10:08 AM | Computer Name = WINDOWS-xp1212 | Source = Norton Ghost 9.0 | ID = 100
Description =

Error - 8/24/2033 6:10:08 AM | Computer Name = WINDOWS-xp1212 | Source = Application Error | ID = 1000
Description = Faulting application Rtvscan.exe, version 10.0.0.359, faulting module
Rtvscan.exe, version 10.0.0.359, fault address 0x0004da90.

Error - 8/19/2007 12:12:21 PM | Computer Name = WINDOWS-xp1212 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20070.6982, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/19/2007 12:12:22 PM | Computer Name = WINDOWS-xp1212 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20070.6982, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/21/2007 11:03:31 AM | Computer Name = WINDOWS-xp1212 | Source = Application Hang | ID = 1002
Description = Hanging application trillian.exe, version 2.0.1.624, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/21/2007 3:18:29 PM | Computer Name = WINDOWS-xp1212 | Source = Application Error | ID = 1000
Description = Faulting application ghosttray.exe, version 9.0.0.2583, faulting module
ghosttray.exe, version 9.0.0.2583, fault address 0x00095e87.

Error - 8/25/2007 9:41:31 PM | Computer Name = WINDOWS-xp1212 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20070.6982, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/5/2007 10:09:34 AM | Computer Name = WINDOWS-xp1212 | Source = Application Error | ID = 1000
Description = Faulting application trillian.exe, version 2.0.1.624, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 11/29/2010 7:22:32 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the D-Link Configuration
Service service to connect.

Error - 11/29/2010 7:40:12 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the D-Link Configuration
Service service to connect.

Error - 11/30/2010 10:48:18 AM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 11/30/2010 10:48:46 AM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 11/30/2010 6:49:21 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the D-Link Configuration
Service service to connect.

Error - 12/1/2010 2:07:30 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the D-Link Configuration
Service service to connect.

Error - 12/1/2010 2:44:50 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the D-Link Configuration
Service service to connect.

Error - 12/1/2010 3:48:34 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7034
Description = The D-Link Configuration Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/1/2010 3:48:34 PM | Computer Name = WINDOWS-xp1212 | Source = Service Control Manager | ID = 7034
Description = The BlueSoleil Hid Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 12/1/2010 4:11:14 PM | Computer Name = WINDOWS-xp1212 | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_GMER\0000 disappeared from the system without
first being prepared for removal.


< End of report >

 

[Broni]

511.00 Mb Total Physical Memory

Your computer would run much better, if you added another 512MB of RAM.

==========================================================================

Are you running Comodo firewall only (no AV part)?

======================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20070426.003\symidsco.sys -- (SYMIDSCO)
  [2008/06/24 16:58:14 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\askcom.xml
  O4 - Startup: C:\Documents and Settings\Carl\Start Menu\Programs\Startup\GMER Catchme Real-time Resident Rootkit Scanner.lnk = C:\Utility.sys\Spyware GMER Rootkit\catchme.exe ()
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: DirectAnimation Java Classes Reg Error: Value error. (Reg Error: Key error.)
  O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
  O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
  [1998/12/09 01:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
  [1998/12/09 01:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
  [1998/12/09 01:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
  [1998/12/09 01:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
  [1998/12/09 01:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
  [1998/12/09 01:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
  [2008/11/27 23:55:10 | 000,000,297 | ---- | C] () -- C:\WINDOWS\gmer.ini
  [2008/11/27 23:55:09 | 000,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
  [2005/07/17 22:35:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

====================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• IMPORTANT! UN-check Remove found threats
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[PuterOozer]

OTL, SecurityCheck and ESET logs

Hello Broni,

The OTL, SecurityCheck and ESET logs are below and ran TFC as well as per instructed. In response to your Q's, I am currently only using Comodo's free firewall and the included Comodo Proactive Security (not their paid for additional A/V) but I have been going in and disabling all but the firewall, Avast, spywareblaster, spybot's teatimer etc when you ask to disable A/V etc. Not sure if Avast's A/V is as good or better, but reviews put it high on the list and I do like it's user-friendliness and how it runs, so am using the free Avast A/V.

yes, more ram would be nice but bios/MB limit is 512 :I have a vista machine with 2GB ram but I, like many others I read, are not happy with Vista and have seriously considered back-peddling to XP, but I've grown fond of the 'side bar' . For it having a dual core and 2GB ram, you would think it would run circles around this older machine but maybe only about twice as fast. Vista is such a resource hog.

It looks like most of the stuff found so far has been in folders/files of software downloads of software that I had downloaded in the past but had not installed/used, except early on when I first installed Avast, Avast did find some of those trojans etc associated with those little programs in their install/remove files etc. such as the fan speed control, and I think NetPerSec etc. which Comodo also sandboxed. But, I haven't seen anything that I can relate to it being tied to/involved in the adobe acrobat pdf file infection issue. I am still afraid to try to open up anything related to pdf's.

Have you seen anything that would be tied to the pdf culprit?

After starting ESET, it ran for a couple hourse and then suddenly stopped with the statement on the screen saying that scan was stopped by user (but not by me). It did find the 1st 2 virus in the list but I then closed and re-started ESET and this time it completed, again finding the first two items, but this time finding the third.

After finishing with ESET, I went to go turn all antivirus back on. No problem with Avast and the Comodo Proactive Security, but when I went to re-activate spywareblaster, as soon as I clicked on the icon, the computer locked up and could not do anything or shut off, so had to turn the power off and start back up. Did not go into chkdisk but started up windows right away. During startup, noticed that for some reason NetPerSec had dissapeared out of the startup folder as I had that running in the taskbar to monitor any network activity. Something odd after re-booting after finishing with ESET, that I've not seen before showed up in the task bar was just a white box with the letters dPa in the bottom of the white box, but was not able to explore that, as the computer had locked up and had to shut down and re-start.

Do you have any idea what that was?

I went to open explorer to look to see if ESET had done something/deleted NetPerSec (none of the problems listed in the error log related to NetPerSec), and the computer again locked up (or maybe every time one of these full scans are done, the computer has to totally re-index all files folders? Not sure, but the HD light quit flashing, so after a while I again turned off the power and re-booted and it booted up into windows w/o doing a chkdisk. Have been checking messages and doing some surfing, and so far no major problems but skype is still sandboxed and takes a long time to start up.

Following are the OTL, SecurityCheck and ESET logs

 

[PuterOozer]

OTL

All processes killed
========== OTL ==========
Service SYMIDSCO stopped successfully!
Service SYMIDSCO deleted successfully!
File C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20070426.003\symidsco.sys not found.
C:\Documents and Settings\Carl\Application Data\Mozilla\Firefox\Profiles\sqfvpfgm.default\searchplugins\askcom.xml moved successfully.
C:\Documents and Settings\Carl\Start Menu\Programs\Startup\GMER Catchme Real-time Resident Rootkit Scanner.lnk moved successfully.
C:\Utility.sys\Spyware GMER Rootkit\catchme.exe moved successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control DirectAnimation Java Classes Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes Reg Error: Value error.\ not found.
Starting removal of ActiveX control Microsoft XML Parser for Java Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
C:\Program Files\Common Files\IRAREG.DLL moved successfully.
C:\Program Files\Common Files\IRAABOUT.DLL moved successfully.
C:\Program Files\Common Files\IRAMDMTR.DLL moved successfully.
C:\Program Files\Common Files\IRALPTTR.DLL moved successfully.
C:\Program Files\Common Files\IRAWEBTR.DLL moved successfully.
C:\Program Files\Common Files\IRASRIAL.DLL moved successfully.
C:\WINDOWS\gmer.ini moved successfully.
C:\WINDOWS\gmer.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell\AOL9Plus folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell\AOL9 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Carl
->Temp folder emptied: 1070773 bytes
->Temporary Internet Files folder emptied: 967050 bytes
->Java cache emptied: 304990 bytes
->FireFox cache emptied: 47808123 bytes
->Flash cache emptied: 1923 bytes

User: Operations
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Support
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 458752 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 101056 bytes

Total Files Cleaned = 48.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Carl
->Flash cache emptied: 0 bytes

User: Operations
->Flash cache emptied: 0 bytes

User: Support

User: Administrator

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12032010_182632

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_534.dat moved successfully.

Registry entries deleted on Reboot...

 

[PuterOozer]

Security Check & ESET

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Eusing Free Registry Cleaner
Java(TM) 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Mozilla Firefox (3.6.12) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
Spyware - Avast AvastSvc.exe
Spyware - Avast avastUI.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````




ESET Scan results

C:\Telecom\_Iphone.dir\IM\Orig\Aim95_55.exe Win32/Adware.WBug.A application
C:\Utility.sys\Registry Fix 1.3\_Orig\registryfix.exe a variant of Win32/Adware.ErrorClean application
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyay.bak1.vir Win32/Adware.Virtumonde.NEO application

 

[Broni]

Update Internet Explorer to at least version 7. Version 6 is obsolete and thus dangerous.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  
  :Services
  
  :Reg
  
  :Files
  C:\Telecom\_Iphone.dir\IM\Orig\Aim95_55.exe 
  C:\Utility.sys\Registry Fix 1.3\_Orig\registryfix.exe
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

========================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current (including Service Pack 3 installation!)

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how your computer is doing.

 

[PuterOozer]

Remaining Logs and Q's and observations

Hello Broni,

Have been swamped and still try to get this done and noticed that gads, there's about 170 views on this post so far Evidently my concerns (or at least my post title) are something of interest to a lot of people. At any rate, The logs on the remaining scans are below.

It seems that the computer lock-ups, not being able to shut down windows etc. seems to have abated, but will have to start using the computer normally, venture into the pdf unknown, and see if such behavior has indeed settled down.

Do let me know about the below Q's, and will keep you posted.

1) The directory cmdcons showed up on C:\ and looks to be a part of the installation of the windows recovery console from what I can tell, but I don't know if that is something that needs to be left there, or is junk and needs to be removed. Has one executable and an .inf file, but most everything else are dll's and compacted files which looks like it might have been the 'install' package or something. Do let me know if I need to delete, or leave it there.

2) Do you know if service pack 3 has been 'updated' significanly in the last few years, or if there's just been the original release? I got it gads a year or two ago, just haven't had time to mess with it yet.

3) As mentioned early on, the most blatant tale tale intrusion signs was at one point something disabled the ability to restore to earlier restore points, and then the generic looking adobe acrobat update boxes would pop up when I would open a pdf file or view a pdf file those on a secure SSL banking website. Was there anything that showed up that was cleaned that would be responsible for such activity?

I guess having created a new restore point (OTL didn't create one like is was supposed to - see below), if something does get launched trying to read/access a pdf file, I guess I can backpeddle to the one restore point, but it sure would be nice if something did surface that was identifiable as being the culprit for those rouge adobe acrobat 'update' attempts when trying to access a pdf file (whether it be on a website or one that I had on the HD). Any thoughts on this?

4) In the prior group of scans, GMER boot up Rootkit scan was "moved"... and no longer in the starup.... do you know why? Isn't GMER root kit startup scan something good to have in place?

5) Also, had asked before about the warning that the GMER boot up rootkit scan was showing after I had installed Avast and Comodo. Do you know if those warnings (listed again below) are indeed due to Avast and/or Comodo installation?

Detected NTDLL code modification:
AWClose, ZWOpenFile

6) During not this, but the last set of routines being completed and booting back up Was checking to see if the computer was responding properly and opened firefox and while using firfox a brief window popped up saying default plug-in being installed... I try to not have any software set to allow automatic updates (always try to set anything to notify so as to help prevent rouge software from installing0 other then avast's update). I can't even find anything in firefox to allow/deny auto-updating of anything and don't see such options in the add-on section other than individual plug-ins already installed...

7) and after this happened, I remembered seeing a very brief generic message box pop up saying something like "Mozilla default plug-in removed. Not sure if this occured before or after the #6 event above occured. Do you know what the reason/issue was with this? Did one of the scans remove the MOzilla default plug-in, and then something re-install it, or Visa Versa? Is there a rouge "Mozilla default plug-in trojan or virus?

Also, just a note, after running the OTL system restore cleanup routine, out of habit I went to check to make sure a new restore point was set, but for some reason there was no new restore point done. I then did manually create a restore point, but am wondering why OTL didn't create a new restore point even though it indicated it had done so in the software screen's bottom task bar.

Do let me know, and will keep you posted.

Thanks!


All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Telecom\_Iphone.dir\IM\Orig\Aim95_55.exe moved successfully.
C:\Utility.sys\Registry Fix 1.3\_Orig\registryfix.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Carl
->Temp folder emptied: 13119 bytes
->Temporary Internet Files folder emptied: 10646815 bytes
->Java cache emptied: 310278 bytes
->FireFox cache emptied: 47266799 bytes
->Flash cache emptied: 1657 bytes

User: Operations
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Support
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 196608 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 56.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Carl
->Flash cache emptied: 0 bytes

User: Operations
->Flash cache emptied: 0 bytes

User: Support

User: Administrator

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12072010_132148

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_4e0.dat moved successfully.

Registry entries deleted on Reboot...


OTL log after clearing out system restore points:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Carl
->Temp folder emptied: 1500 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Operations
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Support
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Carl
->Flash cache emptied: 0 bytes

User: Operations
->Flash cache emptied: 0 bytes

User: Support

User: Administrator

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.17.3 log created on 12072010_134041

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_364.dat moved successfully.

Registry entries deleted on Reboot...

 

[Broni]

1. Yes, it's a part of recovery console. Leave it alone.
2. SP3 doesn't change. Same file all the time.
3. OTL may fail to create new restore point for various reasons, so if you created it by yourself, you did well.
4. You may want to reinstall it.
5. Nothing to worry about.
6. Tools>Options>Advanced>Update tab
7. It's hard to say without more details.

As for shutdown problem.....

Go Start>Run (Start Search in Vista), type in:
msconfig
Click OK (hit Enter in Vista).

Click on Startup tab.
Click Disable all
IMPORTANT! In case of laptop, make sure, you do NOT disable any keyboard, or touchpad entries.

Click Services tab.
Put checkmark in Hide all Microsoft services
Click Disable all.

Click OK.
Restart computer in Normal Mode.

NOTE. If you use different firewall, than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
If you use Windows firewall, you're fine.

See, if it'll shut down properly now.