
Inactive Isolated Positive Findings (Trend and Avast!)

Discussion in 'Malware and Virus Removal Archive' started by tanya, 2011/06/01.

    tanya (Thread Starter), 2011/06/01

    Hello,
    SUMMARY
    The following threat, "Threat: Win32:Hostile[Wrm]" (from an unopened email message), is in some MozBackup files on a Dell E520 (profiled in control panel)
    (C | Documents and Settings | My Documents)
    and was on 2 flash drives.
    They are not in the mail folder (C | App data | ThunderBird | Profiles -> mail)
    or in the entire Thunderbird folder (C | App data -> Thunderbird).
    The computer is running as it normally does.

    *** DETAILS ***

    The culprit computer is detailed in the control panel. (Dell E520, Windows XP home SP3 totally up to date).
    Avast! Free version, 5.0.545 completely up to date.

    Email Client: Thunderbird: version 2.0.0.24 (20100228)

    Several months ago, I got a suspicious email: I made a new mail folder for the message and scanned it with Avast! and a mini program from Trend's Web site. Both came up negative.
    I never opened the message or ran its executable file (fed ex doc.exe(?)).

    I deleted the message but kept the new folder.

    I have been using MozBackup and copying the backup files (*.pcv) to 2 flash drives.

    I wanted to transfer files to another PC (Dell Optiplex 780) which runs Trend Micro Internet Security (full version), program version 16.60.3021, engine version 9.200.1008, pattern version 8.183.50, completely up to date.
    I scanned each flash drive, which came up with:
    "Item: TSC_GENCLEAN; type: trojan; status: successfully removed"
    7 files. These are quarantined by Trend.

    (Problem: each instance reports differently with Trend (i.e. "Virus found", "Trojan") and with Avast!. The identified threats all had different names, but are in the same locations etc.
    Trend found "TROJ_CHEPVIL.H" in the Thunderbird backup files on the flash drives.)


    After Trend "fixed" the problem, I re-ran the flash drives and they are clean.

    I ran the same drives through Avast! on the problem PC and they are "clean".

    Full Avast! scans (5/27/11 and 6/1/11) on the problem PC are negative.

    However, running the backup file(s) through Avast! (i.e. right-click the file "Thunderbird 2.0.0.24 (en-US) - 2011-05-27.pcv", scan for viruses) finds (found) a threat: "Threat: Win32:Hostile[Wrm]",
    which Avast! moved to the virus chest.
    Rescanning the file (after Avast!'s fix) is clean.
    The mail (C | App Data | Thunderbird | Profiles -> mail) and the Thunderbird program (C | App Data -> Thunderbird) are both clean according to Avast!.

    *** END OF DETAILS ***

    LOGS
    Avast! Antivirus (Free version) 5.0.545 is clean today and was on 5/27/11 (full scans).

    STEP 1
    Malwarebytes Anti-Malware
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6694

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    6/1/2011 1:52:24 PM
    mbam-log-2011-06-01 (13-52-24).txt

    Scan type: Quick scan
    Objects scanned: 136482
    Time elapsed: 2 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    STEP 2
    GMER
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-01 12:03:47
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST350063 rev.3.AA
    Running: pg9m7m7c.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\ugpcapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA890CC7A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA890CB36]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA890D0EA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA890D014]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA890C70C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA890CC10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA890C64C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA890C6B0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA890CD30]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA890D1B8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA890CCF0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA890CE70]
    SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA751A75C]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA8919AC6]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA89198EA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA8919A24]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes JMP 8AA890D0
    PAGE ntkrnlpa.exe!ZwLoadDriver 80584160 7 Bytes JMP A8919A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!NtCreateSection 805AB3C8 7 Bytes JMP A89198EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP A8915536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP A8916EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP A8919ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8FE9360, 0x21235D, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----


    STEP 3
    MBRCheck

    dds.txt
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 120):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA328000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9E92000 iaStor.sys
    0xBA330000 cercsr6.sys
    0xB9E7A000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9E5A000 fltmgr.sys
    0xB9E48000 sr.sys
    0xB9E31000 KSecDD.sys
    0xB9DA4000 Ntfs.sys
    0xB9D77000 NDIS.sys
    0xB9D5D000 Mup.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB8FE9000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB8FD5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB8F9C000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA3C8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB8F78000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3D0000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB8F50000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8F1C000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xB8EF9000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8DFA000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xB8D53000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA3D8000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA3E0000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA248000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8D24000 \SystemRoot\system32\DRIVERS\agnfilt.sys
    0xBA696000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9C8F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8D0D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA278000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8CFC000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA3F0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8C9E000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9C83000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB63A7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB6387000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA63C000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xAE82D000 \SystemRoot\system32\drivers\sthda.sys
    0xAE809000 \SystemRoot\system32\drivers\portcls.sys
    0xB60D5000 \SystemRoot\system32\drivers\drmk.sys
    0xB6BDB000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xBA640000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB1C85000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA642000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB6BCB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB6BC3000 \SystemRoot\System32\drivers\vga.sys
    0xBA644000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA646000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB6331000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB6329000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB66A8000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAE6AA000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAE651000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB60A5000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xAE62B000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB6095000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB6309000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xAE603000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAE5E1000 \SystemRoot\System32\drivers\afd.sys
    0xB6085000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAE5B6000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAE546000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB6075000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB1BEB000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xB27A8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xAD364000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xB4904000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xA988D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xA98E1000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA98D9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xA8904000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA98C1000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xA987D000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xA884D000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA933B000 \SystemRoot\System32\drivers\Dxapi.sys
    0xA9323000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA769000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBF3CF000 \SystemRoot\System32\ATMFD.DLL
    0xBA564000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xAE6F5000 \SystemRoot\system32\DRIVERS\agnwifi.sys
    0xB9D10000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA7777000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB63C7000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA75DB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA759C000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA7578000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA74F4000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA74DC000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
    0xB834E000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA70A3000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA9313000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xA66C0000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 29):
    0 System Idle Process
    4 System
    836 C:\WINDOWS\system32\smss.exe
    884 csrss.exe
    908 C:\WINDOWS\system32\winlogon.exe
    952 C:\WINDOWS\system32\services.exe
    964 C:\WINDOWS\system32\lsass.exe
    1124 C:\WINDOWS\system32\svchost.exe
    1216 svchost.exe
    1256 C:\WINDOWS\system32\svchost.exe
    1412 svchost.exe
    1448 svchost.exe
    1612 C:\WINDOWS\system32\spoolsv.exe
    1848 C:\WINDOWS\explorer.exe
    1908 svchost.exe
    1980 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    2020 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    164 C:\Program Files\Java\jre6\bin\jqs.exe
    212 C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
    248 C:\Program Files\AT&T Global Network Client\NetClientSvc.exe
    264 C:\WINDOWS\system32\nvsvc32.exe
    364 C:\WINDOWS\system32\svchost.exe
    372 C:\WINDOWS\stsystra.exe
    440 C:\Program Files\UPHClean\uphclean.exe
    468 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    552 C:\WINDOWS\system32\ctfmon.exe
    616 C:\WINDOWS\system32\wuauclt.exe
    2276 alg.exe
    2812 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3500630AS, Rev: 3.AAE

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    STEP 4
    DDS
    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
    Run by Owner at 12:10:39 on 2011-06-01
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1691 [GMT -4:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
    C:\Program Files\AT&T Global Network Client\NetClientSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\stsystra.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    dRunOnce: [RunNarrator] Narrator.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242278063078
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\2idq41eq.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-4-30 164048]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-30 19024]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
    R2 NetClientSvc;AT&T Global Network Client Service;c:\program files\at&t global network client\NetClientSvc.exe [2009-12-10 342368]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
    S3 NetLogSvc;NetLogSvc;c:\progra~1\at&tgl~1\NETLOG~1.EXE [2009-12-10 75616]
    .
    =============== Created Last 30 ================
    .
    2011-05-07 17:01:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\Identities
    .
    ==================== Find3M ====================
    .
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
    .
    ============= FINISH: 12:11:08.10 ===============


    Attach.txt
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/29/2009 9:55:13 PM
    System Uptime: 6/1/2011 12:06:58 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0WG864
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 443.472 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP737: 3/3/2011 12:43:59 AM - System Checkpoint
    RP738: 3/4/2011 12:03:59 PM - System Checkpoint
    RP739: 3/5/2011 1:15:08 PM - System Checkpoint
    RP740: 3/6/2011 1:37:07 PM - System Checkpoint
    RP741: 3/7/2011 2:04:48 PM - System Checkpoint
    RP742: 3/8/2011 6:30:41 PM - System Checkpoint
    RP743: 3/9/2011 12:23:46 PM - prior to avast and updates 3/9/11
    RP744: 3/9/2011 3:35:10 PM - Software Distribution Service 3.0
    RP745: 3/10/2011 3:56:15 PM - System Checkpoint
    RP746: 3/11/2011 6:30:15 PM - System Checkpoint
    RP747: 3/12/2011 6:47:48 PM - System Checkpoint
    RP748: 3/13/2011 9:31:12 PM - System Checkpoint
    RP749: 3/14/2011 9:44:15 PM - System Checkpoint
    RP750: 3/15/2011 7:21:55 PM - prior to acast! and updates 3/15/11
    RP751: 3/15/2011 7:22:34 PM - Software Distribution Service 3.0
    RP752: 3/16/2011 9:59:14 PM - System Checkpoint
    RP753: 3/17/2011 10:20:18 PM - System Checkpoint
    RP754: 3/18/2011 10:24:13 PM - System Checkpoint
    RP755: 3/19/2011 10:58:52 PM - System Checkpoint
    RP756: 3/20/2011 11:44:25 PM - System Checkpoint
    RP757: 3/22/2011 12:25:28 PM - System Checkpoint
    RP758: 3/23/2011 1:49:05 PM - System Checkpoint
    RP759: 3/24/2011 9:32:23 AM - prior to avast! and other updates 3.24.11
    RP760: 3/24/2011 9:33:52 AM - Software Distribution Service 3.0
    RP761: 3/25/2011 12:47:36 PM - System Checkpoint
    RP762: 3/26/2011 2:48:33 PM - System Checkpoint
    RP763: 3/27/2011 2:49:06 PM - System Checkpoint
    RP764: 3/28/2011 3:17:03 PM - System Checkpoint
    RP765: 3/29/2011 3:24:01 PM - System Checkpoint
    RP766: 3/30/2011 3:45:01 PM - System Checkpoint
    RP767: 3/31/2011 6:12:56 PM - System Checkpoint
    RP768: 4/1/2011 8:58:54 PM - System Checkpoint
    RP769: 4/2/2011 9:47:10 AM - prior to avast!update 4/2/11
    RP770: 4/3/2011 12:03:01 PM - System Checkpoint
    RP771: 4/4/2011 1:02:07 PM - System Checkpoint
    RP772: 4/5/2011 6:13:05 PM - System Checkpoint
    RP773: 4/6/2011 9:18:30 PM - System Checkpoint
    RP774: 4/7/2011 9:38:25 AM - Restore Operation
    RP775: 4/8/2011 10:54:38 AM - System Checkpoint
    RP776: 4/9/2011 12:45:40 PM - System Checkpoint
    RP777: 4/10/2011 1:45:59 PM - System Checkpoint
    RP778: 4/11/2011 6:17:15 PM - System Checkpoint
    RP779: 4/12/2011 8:57:17 PM - System Checkpoint
    RP780: 4/13/2011 9:48:17 AM - prior to avast! and updates 4.1
    RP781: 4/14/2011 3:31:50 PM - System Checkpoint
    RP782: 4/15/2011 11:19:23 AM - Software Distribution Service 3.0
    RP783: 4/16/2011 12:04:04 PM - System Checkpoint
    RP784: 4/17/2011 1:16:51 PM - System Checkpoint
    RP785: 4/18/2011 2:41:41 PM - System Checkpoint
    RP786: 4/19/2011 4:54:06 PM - System Checkpoint
    RP787: 4/20/2011 10:12:46 AM - prior to avast and update 4/20/11
    RP788: 4/21/2011 2:44:42 PM - System Checkpoint
    RP789: 4/22/2011 6:12:41 PM - prior to avast and updates 4.22.11
    RP790: 4/23/2011 6:16:19 PM - System Checkpoint
    RP791: 4/24/2011 11:48:41 PM - System Checkpoint
    RP792: 4/25/2011 5:22:10 PM - prior to updates 4/25/11
    RP793: 4/26/2011 4:54:18 PM - prior to avast! and general updates 4.26.11
    RP794: 4/27/2011 2:11:43 PM - prior to installing fax service 4/27/11
    RP795: 4/27/2011 5:02:27 PM - Software Distribution Service 3.0
    RP796: 4/28/2011 12:00:35 PM - prior to updates April 28 2011
    RP797: 4/28/2011 12:34:46 PM - Software Distribution Service 3.0
    RP798: 4/29/2011 6:39:23 PM - System Checkpoint
    RP799: 4/30/2011 6:46:27 PM - System Checkpoint
    RP800: 5/1/2011 10:53:21 AM - prior to updates 5/1/11
    RP801: 5/2/2011 1:15:27 PM - System Checkpoint
    RP802: 5/3/2011 1:42:13 PM - System Checkpoint
    RP803: 5/3/2011 5:49:54 PM - Printer Driver Send To Microsoft OneNote Driver Installed
    RP804: 5/3/2011 5:50:02 PM - Printer Driver Microsoft Office Document Image Writer Installed
    RP805: 5/4/2011 6:46:38 PM - System Checkpoint
    RP806: 5/5/2011 7:08:51 PM - System Checkpoint
    RP807: 5/6/2011 9:42:15 PM - System Checkpoint
    RP808: 5/7/2011 10:16:11 PM - System Checkpoint
    RP809: 5/8/2011 10:47:33 PM - System Checkpoint
    RP810: 5/9/2011 11:39:11 PM - System Checkpoint
    RP811: 5/11/2011 11:57:58 AM - prior to avast and updates 5/11/11
    RP812: 5/11/2011 1:35:26 PM - Software Distribution Service 3.0
    RP813: 5/12/2011 2:23:37 PM - System Checkpoint
    RP814: 5/13/2011 3:33:55 PM - System Checkpoint
    RP815: 5/14/2011 12:07:05 PM - prior to updates 5/14/11
    RP816: 5/15/2011 12:17:26 PM - System Checkpoint
    RP817: 5/15/2011 11:35:52 PM - prior to more gd updates 5/15/11
    RP818: 5/15/2011 11:36:03 PM - Software Distribution Service 3.0
    RP819: 5/17/2011 1:09:52 PM - System Checkpoint
    RP820: 5/18/2011 9:54:08 PM - System Checkpoint
    RP821: 5/19/2011 10:21:43 PM - System Checkpoint
    RP822: 5/20/2011 11:18:06 PM - System Checkpoint
    RP823: 5/22/2011 12:09:26 AM - System Checkpoint
    RP824: 5/23/2011 12:39:59 PM - System Checkpoint
    RP825: 5/24/2011 1:22:49 PM - System Checkpoint
    RP826: 5/25/2011 6:34:39 PM - System Checkpoint
    RP827: 5/26/2011 9:49:41 PM - System Checkpoint
    RP828: 5/27/2011 10:31:53 PM - System Checkpoint
    RP829: 5/28/2011 11:20:17 PM - System Checkpoint
    RP830: 5/30/2011 10:28:56 AM - System Checkpoint
    RP831: 5/31/2011 11:18:02 AM - System Checkpoint
    RP832: 6/1/2011 10:46:54 AM - before scan 2 of rootscan 6.1.11
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.2
    AT&T Global Network Client Internet Edition
    avast! Free Antivirus
    Canon MP Navigator EX 2.0
    Canon MP240 series MP Drivers
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Chinese Traditional Fonts Support For Adobe Reader 9
    Conexant D850 56K V.9x DFVc Modem
    Dell Resource CD
    GoToAssist 8.0.0.514
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Inkjet Printer/Scanner Extended Survey Program
    Intel(R) PRO Network Connections Drivers
    Java Auto Updater
    Java(TM) 6 Update 18
    K-Lite Codec Pack 6.4.0 (Standard)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MozBackup 1.4.10
    Mozilla Firefox (3.6.13)
    Mozilla Thunderbird (2.0.0.24)
    NVIDIA Drivers
    SeaTools for Windows
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Symantec Technical Support Web Controls
    System Requirements Lab
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    User Profile Hive Cleanup Service
    WebFldrs XP
    WhoCrashed 3.00
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/29/2011 3:51:13 PM, error: Print [6161] - The document CP24- Wylde On Health Weekly Recomendations - August 06 owned by Owner failed to print on printer Canon MP240 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 4784128. Number of bytes printed: 3972848. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\OMA-CD95D1A96E7. Win32 error code returned by the print processor: 13 (0xd).
    5/25/2011 10:05:07 AM, error: Print [6161] - The document Microsoft Word - Note to Glen Canada Post May 2011 5.25.11.docx owned by Owner failed to print on printer Canon MP240 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 131072. Number of bytes printed: 39060. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\OMA-CD95D1A96E7. Win32 error code returned by the print processor: 13 (0xd).
    .
    ==== End Of File ===========================

    END OF LOGS
    Thanks in advance
     
  2. 2011/06/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================

    I don't see much, so far....

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

    =====================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2011/06/03
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Hi broni,
    Thank you for replying!
    First I will need > 5 days
    Please see below


    Problem:
    Do you see anything?

    Because I never opened the message and did delete the new folder (that I'd put the message into to test it when I got it).

    There has only been reference to this malware item in the files created by MozBackUp for Thunderbird, where it *should* have been, in the mail back-up files ("Thunderbird 2.0.0.24 (en-US) - year-month-day.pcv").

    After Avast! fixed this and the other positive MozBackUp-created files ("Thunderbird 2.0.0.24 (en-US) - year-month-day.pcv"), running the right-click "scan for viruses" scan results in "no threats found".

    After deleting the new folder (which I’d created for and put the suspicious message into) I have backed up Thunderbird (MozBackUp) again and run the file created again through Avast! and there is nothing.

    The other location of the "threat" was on the flash drives I used to copy files (including Mozilla back-up files) from the culprit Computer (profiled) - found by Trend microsystems which I use on another PC (Dell Optiplex 780). These were in the MozBackUp files (e.g. "Thunderbird 2.0.0.24 (en-US) - year-month-day.pcv") which I'd copied to each flash drive. (Again where the malware "should have been")
    (NB: I checked each drive with the right click "find virus" scan)

    I am worried about the warnings written in your post: that if I don't follow directions I could lose the ability to boot into windows.
    I am concerned about downloading too much E.G. "RKUnhookerLE.exe", "7-zip utility", etc...

    So ... I will need more than 5 days please:
    ... Because ...
    The final request I have is: how can I read the logs?
    Do you have knowledge of tutorial sites for reading gmer results for example? Or does it just output red text and a script warning(s) as here?
    "GMER - Rootkit Detector and Remover"
    http://www.gmer.net/

    Thanks broni!
    P.S.
    I will also follow the steps outlined here:
    "Windows BBS - Announcements in Forum : Malware and Virus Removal"
    http://www.windowsbbs.com/malware-virus-removal/announcements.html
    For the Dell Optiplex 780 (since it put the suspect files into its viral chest) when the Dell E520 (current - profiled) PC is sorted out.

    P.P.S.
    What about the integrity of the flash drives?
    They are clean according to both AVs:
    Avast! (Free version, 5.0.545 completely up to date) (right click - scan for ...)
    and
    Trend Microsystems Internet Security ((Full version) Program version: 16.60.3021; engine version 9.200.1008; Pattern version: 8.183.50 completely up to date) (Right click - Find Viruses), and so is the mail folder on the Optiplex (Right click - find viruses)

    Should I run the programs outlined here: --->
    "Windows BBS - Announcements in Forum: Malware and Virus Removal"
    http://www.windowsbbs.com/malware-virus-removal/announcements.html

    ---> on each flash drive?

    How can I ensure they are clean?

    Thanks again!!!
     
  5. 2011/06/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, we're far from being done.

    All I need are the logs prescribed in my previous reply.
     
  6. 2011/06/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Reopened.
     
  7. 2011/06/12
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Thanks,

    Questions in PURPLE
    Is there a Web site that explains how to interpret the log results for:
    DDS.txt
    and
    attach.txt?

    (I use "Malwarebytes' Anti-Malware" routinely and it SEEMS straightforward (AFAIK)) (Although I have never done the thorough scan).

    I found the following on GMER and MBRCheck:

    For GMER, is this what one would expect?
    "GMER - Rootkit Detector and Remover"
    http://www.gmer.net/
    Since I see no "Rootkit" activity on the log I ran, am I correct to assume this log result is clean??

    MBRCheck (aswMBR)
    This Avast! Web site *seems* to show results: (Although version? -- Please see bottom ("ADDENDUM"))
    "aswMBR 0.9.5 "
    http://public.avast.com/~gmerek/aswMBR.htm

    I cannot find any rootkit activity in my log either. Nor any reference to "MBR" except for text at bottom (please see below)

    Also, searching ("find") for "TDL4/3", "MBRoot", "Sinowal", "Whistler" and "kit" is negative...

    Is this log clean too?

    I have run MBRcheck.exe again today:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 119):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA328000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9E92000 iaStor.sys
    0xBA330000 cercsr6.sys
    0xB9E7A000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9E5A000 fltmgr.sys
    0xB9E48000 sr.sys
    0xB9E31000 KSecDD.sys
    0xB9DA4000 Ntfs.sys
    0xB9D77000 NDIS.sys
    0xB9D5D000 Mup.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9008000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB8FF4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB8FBB000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA3C8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB8F97000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3D0000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB8F6F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8F3B000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xB8F18000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8E19000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xB8D72000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA3D8000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA3E0000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8D43000 \SystemRoot\system32\DRIVERS\agnfilt.sys
    0xBA69B000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9CBA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8D2C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA248000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8D1B000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA3F0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA268000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5CC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8CBD000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9CAA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB6445000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB6425000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA640000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB076D000 \SystemRoot\system32\drivers\sthda.sys
    0xB0749000 \SystemRoot\system32\drivers\portcls.sys
    0xB6415000 \SystemRoot\system32\drivers\drmk.sys
    0xB6C0F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xBA644000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB3CD9000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA646000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB6BFF000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB6BF7000 \SystemRoot\System32\drivers\vga.sys
    0xBA648000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA64A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB63B0000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB63A8000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB6616000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB05FE000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB05A5000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB610F000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xAF3C4000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB60BF000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB4220000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xAF39C000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAF37A000 \SystemRoot\System32\drivers\afd.sys
    0xB60AF000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAF34F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAF2DF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB609F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAF2B8000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xB4210000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xABE69000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xAB6E0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xAB5CD000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xABE65000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xAB9C4000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xAA9B2000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xAB9A0000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xAB5C5000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xAA8FB000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAB38E000 \SystemRoot\System32\drivers\Dxapi.sys
    0xAB5B5000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA77E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBF3CF000 \SystemRoot\System32\ATMFD.DLL
    0xB9CA6000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xB41D8000 \SystemRoot\system32\DRIVERS\agnwifi.sys
    0xB6163000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA984D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB838D000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB6FCE000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA9639000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA95FA000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA967E000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA9552000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA968A000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
    0xA91A1000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAAA18000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 30):
    0 System Idle Process
    4 System
    852 C:\WINDOWS\system32\smss.exe
    912 csrss.exe
    936 C:\WINDOWS\system32\winlogon.exe
    980 C:\WINDOWS\system32\services.exe
    992 C:\WINDOWS\system32\lsass.exe
    1164 C:\WINDOWS\system32\svchost.exe
    1256 svchost.exe
    1380 C:\WINDOWS\system32\svchost.exe
    1584 svchost.exe
    1680 svchost.exe
    1860 C:\WINDOWS\system32\spoolsv.exe
    220 C:\WINDOWS\explorer.exe
    332 C:\WINDOWS\stsystra.exe
    348 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    356 C:\WINDOWS\system32\ctfmon.exe
    568 svchost.exe
    628 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    664 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    704 C:\Program Files\Java\jre6\bin\jqs.exe
    816 C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
    1200 C:\Program Files\AT&T Global Network Client\NetClientSvc.exe
    1292 C:\WINDOWS\system32\nvsvc32.exe
    1436 C:\WINDOWS\system32\svchost.exe
    1516 C:\Program Files\UPHClean\uphclean.exe
    1900 C:\WINDOWS\system32\wuauclt.exe
    2648 alg.exe
    3244 wmiprvse.exe
    3372 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3500630AS, Rev: 3.AAE

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    The text: "465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A"
    Is in green.

    "465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    "

    What does it mean?

    MBR is master boot records right? Can I assume that Windows XP code should be there?

    Also, in the meantime, can I run the above steps (all) on the 2 flash drives that had the threat on them? They are "clean" according to both avast! and Trend but I want to make certain.


    ADDENDUM:I just downloaded and ran aswMBR.exe again (version 9.x)
    Here are the results from just now.
    aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
    Run date: 2011-06-12 13:06:47
    -----------------------------
    13:06:47.031 OS Version: Windows 5.1.2600 Service Pack 3
    13:06:47.031 Number of processors: 2 586 0xF02
    13:06:47.031 ComputerName: OMA-CD95D1A96E7 UserName: Owner
    13:06:47.937 AVAST engine 5.0.545 defs: 11061201
    13:06:47.937 Initialize success
    13:06:52.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    13:06:52.812 Disk 0 Vendor: ST350063 3.AA Size: 476940MB BusType: 3
    13:06:52.828 Disk 0 MBR read successfully
    13:06:52.828 Disk 0 MBR scan
    13:06:52.828 Disk 0 Windows XP default MBR code
    13:06:52.828 Disk 0 scanning sectors +976752000
    13:06:52.843 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:06:57.828 Service scanning
    13:06:58.812 Disk 0 trace - called modules:
    13:06:58.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    13:06:58.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a604030]
    13:06:58.828 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a0d3030]
    13:06:58.828 AVAST engine scan C:\WINDOWS\system32
    13:07:51.234 Scan finished successfully
    13:08:52.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat "
    13:08:52.687 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt "

    Searching for the following:
    "find" TDL4/3, MBRoot, Sinowal, Root, kit, and whistler is negative.
    "find" for "MBR" -> does not show anything ominous (assuming MBR is "Master Boot Records").

    Line 10 shows this:
    "13:06:52.828 Disk 0 Windows XP default MBR code"
    is this equivalent to the "465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A"
    On the other scans: (including today's before downloading the same(?)) that I just ran....?


    In addition, there is a "MBR.dat" file which I cannot open... Should I open it and post it?

    Thanks!
    Tanya
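
    Worked illustration of the MBR questions in the post above (what the "at offset 0x00000000`00007e00" line and the SHA1 line in the MBRCheck output refer to), as an added example that is not part of the thread and is not code from MBRCheck or aswMBR. The sector it parses is constructed: a zero-filled 512-byte MBR with a three-byte stand-in for boot code, one active NTFS partition entry starting at LBA 63 with a made-up sector count, and the 0x55AA boot signature. Hashing the first 440 bytes (the boot code before the disk signature) is an assumption about what such tools compare against their list of known MBR code; the exact region the real tools hash is not stated on the page, so the sample's SHA-1 will not equal the DA38B874B7713D1B51CBC449F4EF809B0DEC644A value printed above. One fact it does reproduce: LBA 63 x 512 bytes = 0x7E00, the offset MBRCheck reported for C:.

```python
"""Parse a 512-byte MBR: boot signature, partition table and a hash of the
boot-code region, to show the kind of check MBRCheck/aswMBR perform.
Added example, not one of the tools used in this thread. The sample sector
is constructed (stand-in boot code, one NTFS partition at LBA 63), so its
SHA-1 will not match the hash MBRCheck printed for the real disk."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # assumption: hash bytes 0-439 (code before the disk signature)
PART_TABLE_OFF = 446       # four 16-byte partition entries live here
BOOT_SIG_OFF = 510         # 0x55 0xAA terminates a valid MBR
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample sector: one active NTFS (type 0x07) partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\x8e"          # stand-in for boot code, not real XP code
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 976751937)   # constructed sector count
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature status, boot-code SHA-1 and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                    # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,  # what MBRCheck prints as "at offset"
        })
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def mbr_matches(sector: bytes, known_good_sha1: str) -> bool:
    """True when the boot-code hash equals a known-good value, e.g. one recorded
    while the disk was known clean; a changed hash with an intact 0x55AA
    signature is exactly what a bootkit overwrite looks like."""
    return parse_mbr(sector)["boot_code_sha1"] == known_good_sha1.upper()


if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print(f"signature ok: {report['boot_signature_ok']}, SHA1: {report['boot_code_sha1']}")
    for p in report["partitions"]:
        print(f"  part {p['index']}: type 0x{p['type']:02X} at LBA {p['lba_start']} "
              f"(offset 0x{p['byte_offset']:X}), bootable={p['bootable']}")
```

    On a live Windows machine the same sector comes from open(r"\\.\PhysicalDrive0", "rb").read(512), which needs administrator rights; a hash recorded while the disk was known clean is the baseline to compare later runs against.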
     
  8. 2011/06/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No. Those are special tools and we don't want bad guys to see what this is all about.

    Pretty much the same regarding your other questions.
    I simply can't explain every single line in every log.
    All I can say is, if it looks good, or not.
    So far, all looks good.

    I still need both logs from my reply #2.
     
  9. 2011/06/12
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Hi and Thanks
    To clarify I certainly did not mean every line
    :)

    I'd just wanted to know whether line 10 (from aswMBR version 0.9.6.399)
    "13:06:52.828 Disk 0 Windows XP default MBR code"
    indicates that this line:
    "465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A"
    (from MBRCheck, version 1.2.3) is nothing to worry about....
    (i.e. I just wanted to compare them)

    Okay.
    Thanks
     
  10. 2011/06/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your MBR is fine.
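    The two lines being compared in the posts above are verdicts on the same thing: the first sector of the disk, the one aswMBR wrote out as MBR.dat. aswMBR reports that its boot code matches the stock XP loader; MBRCheck reports the same match and prints a SHA-1 of the code. The script below is an added example by the editor, not code from aswMBR, MBRCheck or this thread, for anyone who wants to inspect such a saved sector themselves: it validates the 0x55AA signature, reads the disk signature and partition table, and hashes the boot-code region so it can be compared against a known-good value. The choice of a 440-byte hashing region, and the treatment of MBRCheck's SHA1 as a hash of that region, are assumptions; the sample sector is constructed, not a dump of a real disk.

```python
"""Added example (not from aswMBR, MBRCheck or this thread): parse a raw
512-byte MBR such as the MBR.dat that aswMBR saves, and fingerprint its boot code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # assumption: fingerprint bytes 0-439 (boot code before the disk signature)
DISK_SIG_OFF = 440           # 4-byte NT disk signature, followed by 2 bytes that are usually zero
PART_TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA" # bytes 510-511

# Known-good boot-code hashes keyed by SHA-1. The only entry is the value MBRCheck
# reported in this thread; that MBRCheck hashes exactly the 440-byte region used here
# is an assumption, so only compare hashes produced by the same method.
KNOWN_GOOD = {
    "DA38B874B7713D1B51CBC449F4EF809B0DEC644A": "Windows XP MBR code (as reported by MBRCheck)",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def parse_partition_entry(entry: bytes) -> dict:
    # status(1) CHS start(3) type(1) CHS end(3) LBA start(u32 LE) sector count(u32 LE)
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR (or a damaged one)")
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {
        "boot_code_sha1": sha1_hex(sector[:BOOT_CODE_LEN]),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": [e for e in entries if e["type"] != 0],   # drop empty slots
    }


def identify_boot_code(sector: bytes, known_good: dict = KNOWN_GOOD) -> str:
    """Name of the matching known-good loader, or 'UNKNOWN' (meaning: look closer)."""
    return known_good.get(parse_mbr(sector)["boot_code_sha1"], "UNKNOWN")


def read_mbr_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sector for testing, not a dump of any real disk: a stub of boot code,
    a disk signature, one bootable type-0x07 partition at LBA 63, three empty entries."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 976752000)
    sector = boot_code + disk_sig + part1 + b"\x00" * 48 + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    # Replace build_sample_mbr() with read_mbr_file("MBR.dat") to check a saved sector.
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("boot code SHA1:", info["boot_code_sha1"], "->", identify_boot_code(sample))
    print("disk signature: 0x%08X" % info["disk_signature"])
    for p in info["partitions"]:
        print("partition:", p)
```

    An unknown hash is not by itself a finding: OEM recovery loaders and boot managers legitimately replace the stock code. What a rootkit check actually looks for is boot code that does not match any known loader on a machine that should have a stock one, plus partition entries that do not correspond to what the OS reports.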
     
  11. 2011/06/14
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Good...

    Question at very bottom:

    Here is the report from RKUnhookerLE.exe:

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3919872 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 82.68 )
    0xB901E000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3584000 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 82.68 )
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2154496 bytes
    0x804D7000 RAW 2154496 bytes
    0x804D7000 WMIxWDM 2154496 bytes
    0xBF800000 Win32k 1859584 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB0A42000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
    0xB8E2F000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
    0xAABE2000 C:\WINDOWS\System32\Drivers\dump_iastor.sys 749568 bytes
    0xB9E92000 iaStor.sys 749568 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
    0xB8D88000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0xB9DA4000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xAF5F0000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB8CD3000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xB0942000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xA9861000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
    0xBF3CF000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xA9460000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB8FD1000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 233472 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 5.2 deserialized driver)
    0xB8F51000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
    0xB8D59000 C:\WINDOWS\system32\DRIVERS\agnfilt.sys 192512 bytes (AT&T, Net Firewall)
    0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xA9920000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xB9D77000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xAF660000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB8F85000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
    0xAF740000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xAF5C9000 C:\WINDOWS\System32\Drivers\aswSP.SYS 159744 bytes (ALWIL Software, avast! self protection module)
    0xB08F4000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xAAC99000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0xB0A1E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB8FAD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB8F2E000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xAF68B000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x806E5000 ACPI_HAL 134400 bytes
    0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB9E5A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB9D5D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xB9E7A000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
    0xA9909000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)
    0xB9E31000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB8D42000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xA9B34000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB900A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xB099B000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xB9E48000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB8D31000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xBA198000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xBA208000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xB6434000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xBA218000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0xBA1C8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xB6444000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xBA228000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xBA248000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xB60C2000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xBA1F8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xBA238000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xB6142000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (ALWIL Software, avast! TDI Filter Driver)
    0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xB6454000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xBA268000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xBA318000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xABB57000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xBA1E8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xBA258000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xB60D2000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xB6122000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xBA330000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
    0xBA3D8000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
    0xB638D000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xAB8E7000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0xBA3D0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xBA3E0000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0xB6BEE000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xAB8DF000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
    0xB637D000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0xB45DB000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (ALWIL Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
    0xBA400000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xBA408000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xBA3C8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xB639D000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xAACCF000 C:\WINDOWS\system32\DRIVERS\agnwifi.sys 20480 bytes (AT&T, Wi-Fi Driver)
    0xB8236000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (ALWIL Software, avast! TDI RDR Driver)
    0xB6BFE000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
    0xB6395000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xBA328000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xBA3F0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xBA3F8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xBA3E8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xAB8CF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xABCD3000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB9CBC000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xBA5A0000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xABCCF000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
    0xB091E000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (ALWIL Software, avast! File System Access Blocking Driver)
    0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xAB689000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xAC1BC000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xA9979000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
    0xAC1B8000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB9CC8000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xB640E000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xA9825000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
    0xBA64E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xBA64C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xBA650000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xBA652000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xBA5CE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xBA648000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xBA783000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xBA692000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xB3E7E000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    ==============================================
    >Stealth
    ==============================================


    NOTE:
    Before downloading / installing / running Combofix.exe:

    I want to make sure it is only going to generate a report, and not do anything else aside from disconnecting from the internet?


    Thanks
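    What a reviewer scans for in a ">Drivers" listing like the one above is not each line but the exceptions: a driver file with no "(vendor, description)" version block, a driver loaded from somewhere other than the system directory, and the list of non-Microsoft drivers to check against what is known to be installed. The script below is an added example by the editor, not code from RkUnhooker or this thread; it parses lines in the format RkU prints and applies those three heuristics, which are the editor's own and not RkU's verdict logic. The sample text is an excerpt of the lines posted above plus one constructed line (the Temp path) that is not in the original log.

```python
"""Added example: triage an RkUnhooker (RkU) ">Drivers" listing.

Heuristics are the editor's own, not RkU's:
  * a driver file with no "(vendor, description)" version info,
  * a driver loaded from outside the Windows system32 (or system) directory,
  * any non-Microsoft vendor (a review list, not a finding).
"""
from __future__ import annotations
import re

# "0x<base> <path> <size> bytes (<vendor>, <description>)". The version block is
# optional, the description may itself contain parentheses, and the path may contain
# spaces. A vendor that contains a comma (e.g. "SigmaTel, Inc.") splits at the first one.
RKU_DRIVER = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]{8})\s+(?P<path>.+?)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<vendor>[^,]*?)(?:, (?P<desc>.*))?\))?\s*$"
)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\")

# Excerpt of the listing posted above, plus one constructed line (the Temp path)
# that is not in the original log.
SAMPLE_RKU = r"""
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0xAABE2000 C:\WINDOWS\System32\Drivers\dump_iastor.sys 749568 bytes
0xB9E92000 iaStor.sys 749568 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xB0A1E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8F85000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAF5C9000 C:\WINDOWS\System32\Drivers\aswSP.SYS 159744 bytes (ALWIL Software, avast! self protection module)
0xBA318000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xA9825000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
0xB1234000 C:\Documents and Settings\Owner\Local Settings\Temp\svchost.sys 8192 bytes
==============================================
>Stealth
==============================================
"""


def parse_rku_drivers(text: str) -> list[dict]:
    """One dict per driver line; separators and section headers are skipped."""
    drivers = []
    for line in text.splitlines():
        m = RKU_DRIVER.match(line.strip())
        if m:
            drivers.append({"base": int(m["base"], 16), "path": m["path"],
                            "size": int(m["size"]), "vendor": m["vendor"], "desc": m["desc"]})
    return drivers


def triage_drivers(drivers: list[dict]) -> dict:
    """Group driver paths by heuristic; an empty list for every key is the boring outcome."""
    report = {"no_version_info": [], "unusual_path": [], "third_party": []}
    for d in drivers:
        path, vendor = d["path"], d["vendor"]
        # Bare names (PnpManager, RAW, iaStor.sys) are kernel aliases or boot-start
        # drivers that RkU lists without a path; they are not files to look up.
        is_file = "\\" in path
        if is_file and vendor is None:
            report["no_version_info"].append(path)
        if is_file and not any(s in path.lower() for s in SYSTEM_DIRS):
            report["unusual_path"].append(path)
        if vendor is not None and not vendor.startswith("Microsoft"):
            report["third_party"].append(path)
    return report


if __name__ == "__main__":
    for key, paths in triage_drivers(parse_rku_drivers(SAMPLE_RKU)).items():
        print(key)
        for p in paths:
            print("   ", p)
```

    Read the output as a worklist, not a verdict. In the posted log the two files without version info are dump_iastor.sys, the copy of the storage driver that Windows keeps for writing crash dumps, and uphcleanhlp.sys, the helper driver of the User Profile Hive Cleanup service; both have an explanation. The constructed Temp-directory driver is the kind of entry that would not.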
     
  12. 2011/06/14
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Addendum
    broni:
    I'll clarify my Combofix question:

    What is the purpose of Combofix?

    Thank you!
    Tanya
     
  13. 2011/06/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It's another antimalware scanning tool.
     
  14. 2011/06/14
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    ComboFix 11-06-14.01 - Owner 06/14/2011 20:11:15.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1576 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\1028_DELL_XPS_Dell DM061 .MRK
    c:\windows\system32\drivers\DELL_XPS_Dell DM061 .MRK
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-04-30 02:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2008-03-03 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2008-03-10 16:20 689488 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
    2009-12-10 14:49 53600 ----a-w- c:\program files\AT&T Global Network Client\NetSP.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=
    "c:\\Program Files\\AT&T Global Network Client\\SwiApiMux.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/30/2009 12:53 AM 164048]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/30/2009 12:53 AM 19024]
    R2 NetClientSvc;AT&T Global Network Client Service;c:\program files\AT&T Global Network Client\NetClientSvc.exe [12/10/2009 10:49 AM 342368]
    R3 NetLogSvc;NetLogSvc;c:\progra~1\AT&TGL~1\NETLOG~1.EXE [12/10/2009 10:49 AM 75616]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - uphcleanhlp
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 64.71.255.198
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2idq41eq.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-14 20:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-790525478-583907252-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(936)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    .
    Completion time: 2011-06-14 20:14:27
    ComboFix-quarantined-files.txt 2011-06-15 00:14
    .
    Pre-Run: 475,459,637,248 bytes free
    Post-Run: 475,554,668,544 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 5911479F2E4967546313C33330BFF2F3
     
  15. 2011/06/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  16. 2011/06/18
    tanya

    tanya Inactive Thread Starter

    Joined:
    2002/07/28
    Messages:
    264
    Likes Received:
    0
    Closing
     
  17. 2011/06/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Huh?..
     