
Solved win32:vundo-HU and HW trojans

Discussion in 'Malware and Virus Removal Archive' started by rthompson, 2010/03/30.

  1. 2010/04/01
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    retry

    Yes, teatimer was disabled, ran hjt again, same results. Computer seems to run quicker, start up leaves a little to be desired.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:51:28 AM, on 4/2/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\log77\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3944 bytes
     
    Last edited: 2010/04/01
  2. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
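The `/md5start` ... `/md5stop` block in the custom scan above makes OTL hash every copy of the listed system files it can find (the live copy in `system32\drivers`, the `dllcache` and ERDNT backups, staged Windows Update downloads) and print them side by side under `< MD5 for: NAME >` headings, which is how a patched driver such as `atapi.sys` is spotted: its hash no longer matches its own backup copies. The script below is an added example written for this page, not OTL's code and not something posted in this thread. It parses those sections out of an OTL report and flags any file whose installed copies disagree. The first sample input is copied from the ATAPI.SYS section of the OTL report rthompson posts later in this thread; the second is constructed (the `DEADBEEF...` hash and the size of the `drivers\` copy are made up) to show what a modified live driver looks like next to untouched backups.

```python
# Added example: not part of this thread and not OTL's own code. It parses the
# "< MD5 for: NAME >" sections that the /md5start ... /md5stop custom scan
# produces and flags a system file whose installed copies do not share one hash.
import hashlib
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
# Windows Update keeps not-yet-installed files under this folder; those copies
# legitimately differ from the installed one, so they are listed separately.
STAGED_MARKER = "\\softwaredistribution\\download\\"

# Sample 1: copied from the OTL report posted in this thread (ATAPI.SYS section).
PAGE_EXCERPT = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
"""

# Sample 2: CONSTRUCTED for illustration. The hash and size of the live copy in
# system32\drivers are made up; the backups keep the hash seen in the thread.
CONSTRUCTED_PATCHED = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 02:59:44 | 000,096,896 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\system32\drivers\atapi.sys
"""


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file on disk in the same upper-case hex form OTL prints, for
    running the check directly against a drive instead of a saved report."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def parse_md5_sections(report_text):
    """Return {FILENAME: [(path, md5, size_bytes), ...]} from OTL report text.
    Entries without an MD5 (files still inside a .cab) are skipped."""
    sections = defaultdict(list)
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            current = head.group("name").upper()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            size = int(entry.group("size").replace(",", ""))
            sections[current].append((entry.group("path"), entry.group("md5").upper(), size))
    return dict(sections)


def check_consistency(sections):
    """Group the installed copies of each file by hash. More than one hash
    among installed copies means a copy was modified or replaced; the copies
    in the minority are reported as outliers for a human to inspect."""
    report = {}
    for name, entries in sections.items():
        groups = defaultdict(list)
        staged = []
        for path, md5, _size in entries:
            if STAGED_MARKER in path.lower():
                staged.append((path, md5))
            else:
                groups[md5].append(path)
        ranked = sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True)
        outliers = [p for _, paths in ranked[1:] for p in paths]
        report[name] = {
            "installed_copies": sum(len(p) for p in groups.values()),
            "distinct_hashes": len(groups),
            "consistent": len(groups) <= 1,
            "outliers": outliers,
            "staged_updates": staged,
        }
    return report


if __name__ == "__main__":
    for label, text in (("page excerpt", PAGE_EXCERPT), ("constructed", CONSTRUCTED_PATCHED)):
        for name, result in check_consistency(parse_md5_sections(text)).items():
            status = "ok" if result["consistent"] else "MISMATCH"
            print(f"{label}: {name}: {status}, outliers={result['outliers']}")
```

Two caveats worth keeping in mind when reading such a section: the `sp2.cab` entry carries no hash (OTL only reports the size of the archive), so it contributes nothing to the comparison, and agreement among copies is only as good as the backups. If a modified file had also been dropped into `dllcache`, every copy would agree and the check would stay quiet, which is why the stronger test is comparing the live file against a vendor-published hash rather than against its neighbours.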
     

  4. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    otl logs

    otl.txt:

    OTL logfile created on: 4/2/2010 1:20:11 AM - Run 1
    OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\log77\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    766.00 Mb Total Physical Memory | 460.00 Mb Available Physical Memory | 60.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 32.76 Gb Free Space | 87.95% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LOG77
    Current User Name: log77
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    PRC - [2010/03/24 11:57:39 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/03/09 06:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    PRC - [2009/08/18 12:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    PRC - [2004/10/19 18:45:14 | 000,131,072 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo "
    FF - prefs.js..browser.search.order.1: "Yahoo "
    FF - prefs.js..browser.search.order.2: " "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/ "
    FF - prefs.js..extensions.enabledItems: {bff829b6-b433-42ce-9a19-e459d3e4e483}:3.6.0
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.7.3
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q= "


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/24 22:59:26 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 17:57:19 | 000,000,000 | ---D | M]

    [2009/09/26 18:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/03/03 18:39:19 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2010/04/01 21:44:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/12/16 00:24:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{bff829b6-b433-42ce-9a19-e459d3e4e483}

    O1 HOSTS File: ([2010/03/31 12:46:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKCU..\Run: [DBISQL9] C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe (iAnywhere Solutions, Inc.)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/02/05 19:55:34 | 000,000,018 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/03/21 20:17:39 | 000,000,000 | ---D | M]
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    Unable to start service SrService!

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/02 01:17:36 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/01 21:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Desktop\backups
    [2010/04/01 21:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/04/01 21:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/04/01 21:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2010/04/01 18:01:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2010/04/01 17:56:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Sun
    [2010/04/01 17:21:24 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 15:46:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/04/01 14:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Malwarebytes
    [2010/04/01 14:28:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/04/01 14:28:00 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/04/01 14:18:02 | 005,918,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:43:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/03/31 12:42:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/03/31 12:41:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/03/31 12:37:54 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\IObit
    [2010/03/30 01:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\drivers\DLH5XND5.sys
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\dllcache\dlh5xnd5.sys
    [2010/03/29 23:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\My Documents\Downloads
    [2010/01/02 13:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/12/23 12:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    [2009/12/23 12:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    [2006/03/21 20:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

    ========== Files - Modified Within 14 Days ==========

    [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/02 00:50:22 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\log77\NTUSER.DAT
    [2010/04/02 00:50:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\log77\ntuser.ini
    [2010/04/02 00:50:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/04/02 00:49:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/04/02 00:49:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/04/01 21:42:54 | 006,929,908 | -H-- | M] () -- C:\Documents and Settings\log77\Local Settings\Application Data\IconCache.db
    [2010/04/01 17:21:24 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 14:28:05 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/04/01 14:18:05 | 005,918,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:41:11 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/03/31 12:46:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/03/31 12:42:38 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/03/31 12:37:54 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 03:15:02 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/30 01:02:28 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/03/21 22:21:14 | 000,453,936 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/03/21 22:21:14 | 000,073,056 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/03/21 22:21:13 | 000,536,902 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/03/19 09:17:19 | 000,038,605 | R--- | M] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg

    ========== Files Created - No Company Name ==========

    [2010/04/01 14:28:05 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/03/31 12:42:38 | 000,000,213 | ---- | C] () -- C:\Boot.bak
    [2010/03/31 12:42:35 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/03/30 03:15:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/19 09:17:29 | 000,038,605 | R--- | C] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg
    [2009/09/28 17:13:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2009/09/25 21:51:55 | 000,017,937 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\ozizigep.com
    [2009/09/25 21:51:55 | 000,017,455 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\epycurolu.scr
    [2009/09/25 21:51:55 | 000,015,729 | ---- | C] () -- C:\WINDOWS\yvyxihy.sys
    [2009/09/25 21:51:55 | 000,012,448 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\izysexyl.lib
    [2009/09/25 21:51:55 | 000,011,051 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\gubihyvu._sy
    [2009/09/25 19:35:35 | 000,019,926 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\cyhavydeka._sy
    [2009/09/25 19:35:35 | 000,016,573 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\vadogun.dll
    [2009/09/25 19:35:35 | 000,016,502 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\yfevomiw._dl
    [2009/09/25 19:35:35 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sowaq.db
    [2009/09/25 19:35:35 | 000,015,495 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tafisoluf.ban
    [2009/09/25 19:35:35 | 000,011,841 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\kuwojynuwu._sy
    [2009/09/25 19:35:35 | 000,010,042 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\uroh._sy
    [2009/09/25 19:35:34 | 000,016,334 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wemetewaba._dl
    [2009/09/25 19:35:34 | 000,015,462 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wylevogywy.lib
    [2009/09/25 19:35:34 | 000,012,111 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\vubar.ban
    [2007/11/16 15:08:13 | 000,000,149 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

    ========== LOP Check ==========

    [2010/03/30 01:01:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/12/23 17:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Road Runner
    [2009/12/11 18:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star
    [2009/12/11 18:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star Shared
    [2009/10/27 22:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/12/16 00:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
    [2009/10/04 22:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\3M
    [2009/10/04 22:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\GetRightToGo
    [2010/03/30 03:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\IObit
    [2009/12/23 17:02:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Road Runner
    [2009/12/11 18:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Simple Star
    [2009/12/16 00:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\WeatherBug

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
    [2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
    [2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
    [2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
    [2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
    [2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: IASTOR.SYS >
    [2005/04/25 11:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

    < MD5 for: NETLOGON.DLL >
    [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
    [2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
    [2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\8cb3a5dc2e5ce55afbfdfd38e49058d5\backup\sp2qfe\netlogon.dll
    [2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
    [2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: NVATABUS.SYS >
    [2005/05/17 18:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
    [2005/05/17 18:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

    < MD5 for: SCECLI.DLL >
    [2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
    [2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
    [2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
    [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2006/03/21 11:59:46 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2006/03/21 11:59:46 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2006/03/21 11:59:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 842 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34
    < End of report >

    extras.txt

    OTL Extras logfile created on: 4/2/2010 1:20:11 AM - Run 1
    OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\log77\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    766.00 Mb Total Physical Memory | 460.00 Mb Available Physical Memory | 60.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 32.76 Gb Free Space | 87.95% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LOG77
    Current User Name: log77
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" = C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe:*:Enabled:Adaptive Server Anywhere ISQL -- (iAnywhere Solutions, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java(TM) 6 Update 19
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F653AB56-DB37-415B-8DDD-EF5BC1982150}" = SQL Anywhere Studio 9, Software
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Advanced SystemCare 3_is1" = Advanced SystemCare 3
    "avast5" = avast! Free Antivirus
    "HijackThis" = HijackThis 2.0.2
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
    "MSNINST" = MSN
    "PROSet" = Intel(R) PRO Ethernet Adapter and Software
    "WIC" = Windows Imaging Component

    ========== Last 10 Event Log Errors ==========

    [ Antivirus Events ]
    Error - 11/5/2009 7:36:59 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/6/2009 12:29:51 AM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/7/2009 1:06:14 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/8/2009 7:53:44 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/9/2009 1:23:23 AM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/9/2009 5:15:49 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/21/2009 11:41:41 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/22/2009 8:34:04 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 11/22/2009 8:34:04 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    Error - 1/7/2010 3:54:48 PM | Computer Name = LOG77 | Source = avast! | ID = 33554522
    Description =

    [ Application Events ]
    Error - 4/1/2010 10:32:07 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 10:32:08 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 10:34:10 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 10:35:07 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 10:37:08 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 11:48:36 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 11:48:37 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/1/2010 11:50:37 PM | Computer Name = LOG77 | Source = ESENT | ID = 490
    Description = svchost (1092) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb "
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    Error - 4/2/2010 12:49:50 AM | Computer Name = LOG77 | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 4/2/2010 12:50:51 AM | Computer Name = LOG77 | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    [ System Events ]
    Error - 4/1/2010 10:24:39 PM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 15 minutes. NtpClient has no source of accurate
    time.

    Error - 4/1/2010 10:24:39 PM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 4/1/2010 10:27:46 PM | Computer Name = LOG77 | Source = NETLOGON | ID = 5719
    Description = No Domain Controller is available for domain DCS due to the following:
    %%1311. Make sure that the computer is connected to the network and try again. If
    the problem persists, please contact your domain administrator.

    Error - 4/1/2010 10:27:48 PM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 15 minutes. NtpClient has no source of accurate
    time.

    Error - 4/1/2010 10:27:48 PM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 4/1/2010 10:42:49 PM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 3 minutes. NtpClient has no source of accurate
    time.

    Error - 4/2/2010 12:49:50 AM | Computer Name = LOG77 | Source = NETLOGON | ID = 5719
    Description = No Domain Controller is available for domain DCS due to the following:
    %%1311. Make sure that the computer is connected to the network and try again. If
    the problem persists, please contact your domain administrator.

    Error - 4/2/2010 12:49:54 AM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 4/2/2010 12:49:54 AM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 4/2/2010 1:04:55 AM | Computer Name = LOG77 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 29 minutes. NtpClient has no source of accurate
    time.


    < End of report >
     
  5. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
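The fix script above is built by copying the flagged OTL log lines verbatim under `:OTL`. The following is an added example, not from this thread or from OTL itself: a small triage script that parses OTL-style lines (a constructed sample modelled on the log in this thread, with one constructed non-localhost hosts entry) and flags orphaned BHOs, non-localhost hosts entries and TCP/IP parameter overrides, then assembles a fix block in the same layout the moderator used. The rule set and the `example.invalid` hosts line are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the OTL lines posted in this thread. The
# O2 "(no name)" and O17 lines are the ones the moderator's fix targets; the
# "update.example.invalid" hosts line is constructed to exercise the O1 rule.
SAMPLE_OTL_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 update.example.invalid
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")

Entry = Tuple[str, str]      # (section code such as "O2", full log line)
Finding = Tuple[str, str]    # (full log line, reason it was flagged)


def parse_otl_entries(text: str) -> List[Entry]:
    """Return (section, line) pairs for every O-numbered line in an OTL log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few review rules (assumed here, not OTL's own) to the entries."""
    findings = []
    for section, line in entries:
        if section == "O2" and (
            "No CLSID value found" in line or "File not found" in line
        ):
            # Registry BHO entry with no backing object: harmless leftover,
            # but it is exactly what a cleanup fix removes.
            findings.append((line, "orphaned BHO entry"))
        elif section == "O1":
            m = HOSTS_RE.match(line)
            if m and m.group(2).lower() != "localhost":
                # Anything beyond the localhost mappings can redirect traffic.
                findings.append((line, "non-localhost hosts entry"))
        elif section == "O17":
            # Domain / DNS overrides in Tcpip\Parameters: confirm they are
            # expected (a stale domain suffix also explains NETLOGON errors).
            findings.append((line, "TCP/IP parameter override, confirm expected"))
    return findings


def build_otl_fix(findings: List[Finding]) -> str:
    """Assemble an OTL fix block in the layout used in this thread.

    Registry-type entries are listed verbatim under :OTL; hosts entries are
    handled by the [resethosts] command rather than listed individually.
    """
    otl_lines = [line for line, _ in findings if not line.startswith("O1 ")]
    needs_hosts_reset = any(line.startswith("O1 ") for line, _ in findings)
    commands = ["[purity]", "[emptytemp]"]
    if needs_hosts_reset:
        commands.append("[resethosts]")
    commands.append("[Reboot]")
    parts = [":OTL", *otl_lines, "", ":Commands", *commands]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(parse_otl_entries(SAMPLE_OTL_LOG))
    for line, reason in found:
        print(f"{reason}: {line}")
    print(build_otl_fix(found))
```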
     
  6. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    otl log

    OTL logfile created on: 4/2/2010 1:56:28 AM - Run 2
    OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\log77\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    766.00 Mb Total Physical Memory | 496.00 Mb Available Physical Memory | 65.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 32.92 Gb Free Space | 88.40% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LOG77
    Current User Name: log77
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    PRC - [2010/03/09 06:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    PRC - [2009/08/18 12:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    PRC - [2007/03/15 18:17:08 | 000,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2004/10/19 18:45:14 | 000,131,072 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo "
    FF - prefs.js..browser.search.order.1: "Yahoo "
    FF - prefs.js..browser.search.order.2: " "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/ "
    FF - prefs.js..extensions.enabledItems: {bff829b6-b433-42ce-9a19-e459d3e4e483}:3.6.0
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.7.3
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q= "


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/24 22:59:26 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 17:57:19 | 000,000,000 | ---D | M]

    [2009/09/26 18:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/03/03 18:39:19 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2010/04/01 21:44:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/12/16 00:24:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{bff829b6-b433-42ce-9a19-e459d3e4e483}

    O1 HOSTS File: ([2010/04/02 01:54:48 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKCU..\Run: [DBISQL9] C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe (iAnywhere Solutions, Inc.)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/02/05 19:55:34 | 000,000,018 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/02 01:54:23 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/04/02 01:17:36 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/01 21:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Desktop\backups
    [2010/04/01 21:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/04/01 21:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/04/01 21:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2010/04/01 18:01:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2010/04/01 17:56:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Sun
    [2010/04/01 17:21:24 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 15:46:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/04/01 14:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Malwarebytes
    [2010/04/01 14:28:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/04/01 14:28:00 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/04/01 14:18:02 | 005,918,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:43:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/03/31 12:42:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/03/31 12:41:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/03/31 12:37:54 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\IObit
    [2010/03/30 01:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\drivers\DLH5XND5.sys
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\dllcache\dlh5xnd5.sys
    [2010/03/29 23:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\My Documents\Downloads
    [2010/01/02 13:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/12/23 12:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    [2009/12/23 12:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    [2006/03/21 20:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

    ========== Files - Modified Within 14 Days ==========

    [2010/04/02 01:55:13 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\log77\NTUSER.DAT
    [2010/04/02 01:55:03 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\log77\ntuser.ini
    [2010/04/02 01:54:48 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2010/04/02 01:54:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/04/02 01:54:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/02 00:50:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/04/01 21:42:54 | 006,929,908 | -H-- | M] () -- C:\Documents and Settings\log77\Local Settings\Application Data\IconCache.db
    [2010/04/01 17:21:24 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 14:28:05 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/04/01 14:18:05 | 005,918,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:41:11 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/03/31 12:42:38 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/03/31 12:37:54 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 03:15:02 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/30 01:02:28 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/03/21 22:21:14 | 000,453,936 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/03/21 22:21:14 | 000,073,056 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/03/21 22:21:13 | 000,536,902 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/03/19 09:17:19 | 000,038,605 | R--- | M] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg

    ========== Files Created - No Company Name ==========

    [2010/04/01 14:28:05 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/03/31 12:42:38 | 000,000,213 | ---- | C] () -- C:\Boot.bak
    [2010/03/31 12:42:35 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/03/30 03:15:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/19 09:17:29 | 000,038,605 | R--- | C] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg
    [2009/09/28 17:13:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2009/09/25 21:51:55 | 000,017,937 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\ozizigep.com
    [2009/09/25 21:51:55 | 000,017,455 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\epycurolu.scr
    [2009/09/25 21:51:55 | 000,015,729 | ---- | C] () -- C:\WINDOWS\yvyxihy.sys
    [2009/09/25 21:51:55 | 000,012,448 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\izysexyl.lib
    [2009/09/25 21:51:55 | 000,011,051 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\gubihyvu._sy
    [2009/09/25 19:35:35 | 000,019,926 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\cyhavydeka._sy
    [2009/09/25 19:35:35 | 000,016,573 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\vadogun.dll
    [2009/09/25 19:35:35 | 000,016,502 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\yfevomiw._dl
    [2009/09/25 19:35:35 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sowaq.db
    [2009/09/25 19:35:35 | 000,015,495 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tafisoluf.ban
    [2009/09/25 19:35:35 | 000,011,841 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\kuwojynuwu._sy
    [2009/09/25 19:35:35 | 000,010,042 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\uroh._sy
    [2009/09/25 19:35:34 | 000,016,334 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wemetewaba._dl
    [2009/09/25 19:35:34 | 000,015,462 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wylevogywy.lib
    [2009/09/25 19:35:34 | 000,012,111 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\vubar.ban
    [2007/11/16 15:08:13 | 000,000,149 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

    ========== LOP Check ==========

    [2010/03/30 01:01:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/12/23 17:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Road Runner
    [2009/12/11 18:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star
    [2009/12/11 18:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star Shared
    [2009/10/27 22:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/12/16 00:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
    [2009/10/04 22:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\3M
    [2009/10/04 22:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\GetRightToGo
    [2010/03/30 03:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\IObit
    [2009/12/23 17:02:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Road Runner
    [2009/12/11 18:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Simple Star
    [2009/12/16 00:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\WeatherBug

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 842 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34
    < End of report >
     
  7. 2010/04/02
    broni

    broni Moderator Malware Analyst

    After you run my script, a pop-up Notepad window should open with the results. I need to see the content of that log.

    Make sure you copy EVERYTHING from my code box. It looks to me like maybe you missed something, most likely the colon ":" in front of "OTL".

    Try again, please.
     
  8. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    OTL log 2

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e68fa15-6915-425e-8519-ec29f0e7ef8c}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e68fa15-6915-425e-8519-ec29f0e7ef8c}\ not found.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\Domain| /E : value set successfully!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: log77
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 15930095 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 15.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.1.37.3 log created on 04022010_021302

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...


    Quick scan

    OTL logfile created on: 4/2/2010 2:17:46 AM - Run 3
    OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\log77\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    766.00 Mb Total Physical Memory | 377.00 Mb Available Physical Memory | 49.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 32.92 Gb Free Space | 88.38% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LOG77
    Current User Name: log77
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    PRC - [2010/03/24 11:57:39 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/03/09 06:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    PRC - [2009/08/18 12:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2007/03/15 18:17:08 | 000,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2004/10/19 18:45:14 | 000,131,072 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo "
    FF - prefs.js..browser.search.order.1: "Yahoo "
    FF - prefs.js..browser.search.order.2: " "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/ "
    FF - prefs.js..extensions.enabledItems: {bff829b6-b433-42ce-9a19-e459d3e4e483}:3.6.0
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.7.3
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q= "


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/24 22:59:26 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 17:57:19 | 000,000,000 | ---D | M]

    [2009/09/26 18:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/03/03 18:39:19 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2010/04/01 21:44:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/12/16 00:24:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{bff829b6-b433-42ce-9a19-e459d3e4e483}

    O1 HOSTS File: ([2010/04/02 02:13:03 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKCU..\Run: [DBISQL9] C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe (iAnywhere Solutions, Inc.)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/02/05 19:55:34 | 000,000,018 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/02 01:54:23 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/04/02 01:17:36 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/01 21:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Desktop\backups
    [2010/04/01 21:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/04/01 21:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/04/01 21:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2010/04/01 18:01:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2010/04/01 17:56:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Sun
    [2010/04/01 17:21:24 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 15:46:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/04/01 14:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Malwarebytes
    [2010/04/01 14:28:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/04/01 14:28:00 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/04/01 14:18:02 | 005,918,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:43:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/03/31 12:42:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/03/31 12:41:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/03/31 12:37:54 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\IObit
    [2010/03/30 01:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\drivers\DLH5XND5.sys
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\dllcache\dlh5xnd5.sys
    [2010/03/29 23:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\My Documents\Downloads
    [2010/01/02 13:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/12/23 12:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    [2009/12/23 12:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    [2006/03/21 20:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

    ========== Files - Modified Within 14 Days ==========

    [2010/04/02 02:14:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/04/02 02:13:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/04/02 02:13:12 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\log77\NTUSER.DAT
    [2010/04/02 02:13:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\log77\ntuser.ini
    [2010/04/02 02:13:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/04/02 02:13:03 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/01 21:42:54 | 006,929,908 | -H-- | M] () -- C:\Documents and Settings\log77\Local Settings\Application Data\IconCache.db
    [2010/04/01 17:21:24 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 14:28:05 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/04/01 14:18:05 | 005,918,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:41:11 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/03/31 12:42:38 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/03/31 12:37:54 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 03:15:02 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/30 01:02:28 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/03/21 22:21:14 | 000,453,936 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/03/21 22:21:14 | 000,073,056 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/03/21 22:21:13 | 000,536,902 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/03/19 09:17:19 | 000,038,605 | R--- | M] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg

    ========== Files Created - No Company Name ==========

    [2010/04/01 14:28:05 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/03/31 12:42:38 | 000,000,213 | ---- | C] () -- C:\Boot.bak
    [2010/03/31 12:42:35 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/03/30 03:15:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/19 09:17:29 | 000,038,605 | R--- | C] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg
    [2009/09/28 17:13:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2009/09/25 21:51:55 | 000,017,937 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\ozizigep.com
    [2009/09/25 21:51:55 | 000,017,455 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\epycurolu.scr
    [2009/09/25 21:51:55 | 000,015,729 | ---- | C] () -- C:\WINDOWS\yvyxihy.sys
    [2009/09/25 21:51:55 | 000,012,448 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\izysexyl.lib
    [2009/09/25 21:51:55 | 000,011,051 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\gubihyvu._sy
    [2009/09/25 19:35:35 | 000,019,926 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\cyhavydeka._sy
    [2009/09/25 19:35:35 | 000,016,573 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\vadogun.dll
    [2009/09/25 19:35:35 | 000,016,502 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\yfevomiw._dl
    [2009/09/25 19:35:35 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sowaq.db
    [2009/09/25 19:35:35 | 000,015,495 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tafisoluf.ban
    [2009/09/25 19:35:35 | 000,011,841 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\kuwojynuwu._sy
    [2009/09/25 19:35:35 | 000,010,042 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\uroh._sy
    [2009/09/25 19:35:34 | 000,016,334 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wemetewaba._dl
    [2009/09/25 19:35:34 | 000,015,462 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wylevogywy.lib
    [2009/09/25 19:35:34 | 000,012,111 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\vubar.ban
    [2007/11/16 15:08:13 | 000,000,149 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

    ========== LOP Check ==========

    [2010/03/30 01:01:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/12/23 17:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Road Runner
    [2009/12/11 18:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star
    [2009/12/11 18:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star Shared
    [2009/10/27 22:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/12/16 00:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
    [2009/10/04 22:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\3M
    [2009/10/04 22:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\GetRightToGo
    [2010/03/30 03:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\IObit
    [2009/12/23 17:02:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Road Runner
    [2009/12/11 18:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Simple Star
    [2009/12/16 00:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\WeatherBug

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 842 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34
    < End of report >
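The fix script the analyst builds from this log is essentially a hand triage of the "Files Created - No Company Name" section: company-less files dropped within a second or two of each other, with generated-looking names and odd extensions. The following is an added example (not OTL's code and not the analyst's own tooling) that mechanises that triage over an excerpt of the log above and emits the matches in the form an OTL :OTL fix section expects; the two-second window, the three-file minimum and the known-extension list are assumptions chosen for this log.

```python
"""Triage the 'Files Created - No Company Name' section of an OTL log.

Added example for this thread, not OTL's own code: it mechanises what the
analyst did by eye and prints the matches back as :OTL fix lines.
"""
import re
from datetime import datetime, timedelta

# One OTL file line as printed in the posted logs:
# [2009/09/25 21:51:55 | 000,015,729 | ---- | C] () -- C:\WINDOWS\yvyxihy.sys
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Assumed list: extensions an XP box legitimately has without a company string.
KNOWN_EXT = {".exe", ".dll", ".sys", ".lnk", ".ini", ".dat", ".bak", ".log"}

# Excerpt of the log posted above: real lines, our selection (the first four
# and the last are benign, the fifteen in between are the infection).
SAMPLE_LOG = r"""
[2010/04/01 14:28:05 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 12:42:38 | 000,000,213 | ---- | C] () -- C:\Boot.bak
[2010/03/31 12:42:35 | 000,260,272 | ---- | C] () -- C:\cmldr
[2009/09/28 17:13:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/09/25 21:51:55 | 000,017,937 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\ozizigep.com
[2009/09/25 21:51:55 | 000,017,455 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\epycurolu.scr
[2009/09/25 21:51:55 | 000,015,729 | ---- | C] () -- C:\WINDOWS\yvyxihy.sys
[2009/09/25 21:51:55 | 000,012,448 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\izysexyl.lib
[2009/09/25 21:51:55 | 000,011,051 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\gubihyvu._sy
[2009/09/25 19:35:35 | 000,019,926 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\cyhavydeka._sy
[2009/09/25 19:35:35 | 000,016,573 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\vadogun.dll
[2009/09/25 19:35:35 | 000,016,502 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\yfevomiw._dl
[2009/09/25 19:35:35 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sowaq.db
[2009/09/25 19:35:35 | 000,015,495 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tafisoluf.ban
[2009/09/25 19:35:35 | 000,011,841 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\kuwojynuwu._sy
[2009/09/25 19:35:35 | 000,010,042 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\uroh._sy
[2009/09/25 19:35:34 | 000,016,334 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wemetewaba._dl
[2009/09/25 19:35:34 | 000,015,462 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wylevogywy.lib
[2009/09/25 19:35:34 | 000,012,111 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\vubar.ban
[2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
"""


def parse_otl(text):
    """Return one dict per well-formed OTL file line; anything else is skipped."""
    entries = []
    for raw in (line.strip() for line in text.splitlines()):
        m = OTL_LINE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
        e["size"] = int(e["size"].replace(",", ""))
        e["raw"] = raw
        entries.append(e)
    return entries


def name_looks_generated(path):
    """Lowercase letters-only stem with an extension XP does not normally
    produce (.ban, .lib, ._sy, ._dl ...). A known extension alone passes."""
    stem, dot, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    return bool(dot) and stem.isalpha() and stem.islower() \
        and "." + ext.lower() not in KNOWN_EXT


def burst_clusters(entries, window_s=2, min_files=3):
    """Group company-less files created within window_s seconds of the
    previous one; keep the groups holding at least min_files entries."""
    pool = sorted((e for e in entries if not e["company"].strip()),
                  key=lambda e: e["ts"])
    clusters, current = [], []
    for e in pool:
        if current and e["ts"] - current[-1]["ts"] > timedelta(seconds=window_s):
            clusters.append(current)
            current = []
        current.append(e)
    clusters.append(current)
    return [c for c in clusters if len(c) >= min_files]


def flag_dropped_files(text, window_s=2, min_files=3):
    """Paths in every burst where at least half the names look generated.
    The whole burst is reported, so a co-dropped .dll or .sys with an
    ordinary extension is caught by association, not by its own name."""
    flagged = []
    for cluster in burst_clusters(parse_otl(text), window_s, min_files):
        generated = sum(name_looks_generated(e["path"]) for e in cluster)
        if 2 * generated >= len(cluster):
            flagged.extend(e["path"] for e in cluster)
    return sorted(flagged)


def otl_fix_lines(text):
    """The flagged entries, verbatim, under an :OTL header: the shape of
    custom-fix section the analyst pastes in this thread."""
    wanted = set(flag_dropped_files(text))
    return [":OTL"] + [e["raw"] for e in parse_otl(text) if e["path"] in wanted]
```

Run against the excerpt, the two bursts (19:35:34-35 and 21:51:55) yield exactly the fifteen files the analyst lists in the fix below, while Boot.bak and cmldr (two files, three seconds apart) and the lone .INI and .lnk entries are left alone.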
     
  9. 2010/04/02
    broni

    broni Moderator Malware Analyst

    OK.
    I don't like what I see, so let me review your initial OTL log...hold on.
     
  10. 2010/04/02
    broni

    broni Moderator Malware Analyst

    I'm going to bed, but if you still have time...


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
      [2009/09/25 21:51:55 | 000,017,937 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\ozizigep.com
      [2009/09/25 21:51:55 | 000,017,455 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\epycurolu.scr
      [2009/09/25 21:51:55 | 000,015,729 | ---- | C] () -- C:\WINDOWS\yvyxihy.sys
      [2009/09/25 21:51:55 | 000,012,448 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\izysexyl.lib
      [2009/09/25 21:51:55 | 000,011,051 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\gubihyvu._sy
      [2009/09/25 19:35:35 | 000,019,926 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\cyhavydeka._sy
      [2009/09/25 19:35:35 | 000,016,573 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\vadogun.dll
      [2009/09/25 19:35:35 | 000,016,502 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\yfevomiw._dl
      [2009/09/25 19:35:35 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sowaq.db
      [2009/09/25 19:35:35 | 000,015,495 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tafisoluf.ban
      [2009/09/25 19:35:35 | 000,011,841 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\kuwojynuwu._sy
      [2009/09/25 19:35:35 | 000,010,042 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\uroh._sy
      [2009/09/25 19:35:34 | 000,016,334 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wemetewaba._dl
      [2009/09/25 19:35:34 | 000,015,462 | ---- | C] () -- C:\Documents and Settings\log77\Application Data\wylevogywy.lib
      [2009/09/25 19:35:34 | 000,012,111 | ---- | C] () -- C:\Documents and Settings\log77\Local Settings\Application Data\vubar.ban
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  11. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    holding

    OK, is it bad?
     
  12. 2010/04/02
    broni

    broni Moderator Malware Analyst

    I found some bad files through OTL, so let's see if my latest script will help.
    I'll be back tomorrow :)
     
  13. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    new otl logs

    OK Broni, have a good night; we'll finish up tomorrow.

    fix

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e68fa15-6915-425e-8519-ec29f0e7ef8c}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e68fa15-6915-425e-8519-ec29f0e7ef8c}\ not found.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\Domain| /E : value set successfully!
    C:\Documents and Settings\log77\Application Data\ozizigep.com moved successfully.
    C:\Documents and Settings\All Users\Application Data\epycurolu.scr moved successfully.
    C:\WINDOWS\yvyxihy.sys moved successfully.
    C:\Documents and Settings\log77\Application Data\izysexyl.lib moved successfully.
    C:\Documents and Settings\log77\Application Data\gubihyvu._sy moved successfully.
    C:\Documents and Settings\log77\Local Settings\Application Data\cyhavydeka._sy moved successfully.
    C:\Documents and Settings\log77\Application Data\vadogun.dll moved successfully.
    C:\Documents and Settings\log77\Application Data\yfevomiw._dl moved successfully.
    C:\Documents and Settings\All Users\Application Data\sowaq.db moved successfully.
    C:\Documents and Settings\All Users\Application Data\tafisoluf.ban moved successfully.
    C:\Documents and Settings\log77\Application Data\kuwojynuwu._sy moved successfully.
    C:\Documents and Settings\log77\Application Data\uroh._sy moved successfully.
    C:\Documents and Settings\log77\Application Data\wemetewaba._dl moved successfully.
    C:\Documents and Settings\log77\Application Data\wylevogywy.lib moved successfully.
    C:\Documents and Settings\log77\Local Settings\Application Data\vubar.ban moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: log77
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 16160990 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 15.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.1.37.3 log created on 04022010_023958

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    quick scan

    OTL logfile created on: 4/2/2010 2:42:36 AM - Run 4
    OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\log77\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    766.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 64.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 32.92 Gb Free Space | 88.40% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LOG77
    Current User Name: log77
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    PRC - [2010/03/09 06:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    PRC - [2009/08/18 12:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    PRC - [2007/03/15 18:17:08 | 000,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2004/10/19 18:45:14 | 000,131,072 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo "
    FF - prefs.js..browser.search.order.1: "Yahoo "
    FF - prefs.js..browser.search.order.2: " "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/ "
    FF - prefs.js..extensions.enabledItems: {bff829b6-b433-42ce-9a19-e459d3e4e483}:3.6.0
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.7.3
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q= "


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/24 22:59:26 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 17:57:19 | 000,000,000 | ---D | M]

    [2009/09/26 18:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions
    [2010/04/01 21:47:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/03/03 18:39:19 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2010/04/01 21:44:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/12/16 00:24:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{bff829b6-b433-42ce-9a19-e459d3e4e483}

    O1 HOSTS File: ([2010/04/02 02:40:00 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKCU..\Run: [DBISQL9] C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe (iAnywhere Solutions, Inc.)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\log77\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/02/05 19:55:34 | 000,000,018 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/02 01:54:23 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/04/02 01:17:36 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/01 21:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Desktop\backups
    [2010/04/01 21:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/04/01 21:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/04/01 21:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2010/04/01 18:01:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2010/04/01 17:56:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Sun
    [2010/04/01 17:21:24 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 15:46:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/04/01 14:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\Malwarebytes
    [2010/04/01 14:28:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/04/01 14:28:00 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/04/01 14:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/04/01 14:18:02 | 005,918,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:43:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/03/31 12:42:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/03/31 12:41:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/03/31 12:37:54 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/03/30 02:53:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\Application Data\IObit
    [2010/03/30 01:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\drivers\DLH5XND5.sys
    [2010/03/30 00:46:17 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\dllcache\dlh5xnd5.sys
    [2010/03/29 23:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\log77\My Documents\Downloads
    [2010/01/02 13:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/12/23 12:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    [2009/12/23 12:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    [2006/03/21 20:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2006/03/21 20:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

    ========== Files - Modified Within 14 Days ==========

    [2010/04/02 02:41:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/04/02 02:41:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/04/02 02:40:23 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\log77\NTUSER.DAT
    [2010/04/02 02:40:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\log77\ntuser.ini
    [2010/04/02 02:40:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/04/02 02:40:00 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2010/04/02 01:17:36 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\OTL.exe
    [2010/04/01 21:42:54 | 006,929,908 | -H-- | M] () -- C:\Documents and Settings\log77\Local Settings\Application Data\IconCache.db
    [2010/04/01 17:21:24 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\log77\Desktop\TFC.exe
    [2010/04/01 14:28:05 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/04/01 14:18:05 | 005,918,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\log77\Desktop\mbam-setup.exe
    [2010/04/01 09:41:11 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/03/31 12:42:38 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/03/31 12:37:54 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\log77\Desktop\HijackThis.exe
    [2010/03/30 03:15:02 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/30 01:02:28 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/03/21 22:21:14 | 000,453,936 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/03/21 22:21:14 | 000,073,056 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/03/21 22:21:13 | 000,536,902 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/03/19 09:17:19 | 000,038,605 | R--- | M] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg

    ========== Files Created - No Company Name ==========

    [2010/04/01 14:28:05 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/03/31 12:42:38 | 000,000,213 | ---- | C] () -- C:\Boot.bak
    [2010/03/31 12:42:35 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/03/30 03:15:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\log77\Desktop\dds.scr
    [2010/03/30 02:53:13 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/03/30 01:02:30 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/03/19 09:17:29 | 000,038,605 | R--- | C] () -- C:\Documents and Settings\log77\My Documents\03-18-10_1802.jpg
    [2009/09/28 17:13:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2007/11/16 15:08:13 | 000,000,149 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

    ========== LOP Check ==========

    [2010/03/30 01:01:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/12/23 17:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Road Runner
    [2009/12/11 18:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star
    [2009/12/11 18:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star Shared
    [2009/10/27 22:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/12/16 00:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
    [2009/10/04 22:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\3M
    [2009/10/04 22:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\GetRightToGo
    [2010/03/30 03:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\IObit
    [2009/12/23 17:02:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Road Runner
    [2009/12/11 18:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\Simple Star
    [2009/12/16 00:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\log77\Application Data\WeatherBug

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 842 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34
    < End of report >
     
  14. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.

    ===================================================================

    Please download Profiles by noahdfear.

    * Save it to your desktop.
    * Double-click profiles.exe and post its log when you reply.
     
  15. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    logs

    tdsskiller

    18:54:43:038 0684 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    18:54:43:038 0684 ================================================================================
    18:54:43:038 0684 SystemInfo:

    18:54:43:038 0684 OS Version: 5.1.2600 ServicePack: 2.0
    18:54:43:038 0684 Product type: Workstation
    18:54:43:038 0684 ComputerName: LOG77
    18:54:43:038 0684 UserName: log77
    18:54:43:038 0684 Windows directory: C:\WINDOWS
    18:54:43:038 0684 Processor architecture: Intel x86
    18:54:43:038 0684 Number of processors: 1
    18:54:43:038 0684 Page size: 0x1000
    18:54:43:038 0684 Boot type: Normal boot
    18:54:43:038 0684 ================================================================================
    18:54:43:053 0684 UnloadDriverW: NtUnloadDriver error 2
    18:54:43:053 0684 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:54:43:131 0684 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    18:54:43:131 0684 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:54:43:131 0684 wfopen_ex: Trying to KLMD file open
    18:54:43:131 0684 wfopen_ex: File opened ok (Flags 2)
    18:54:43:131 0684 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    18:54:43:131 0684 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:54:43:131 0684 wfopen_ex: Trying to KLMD file open
    18:54:43:131 0684 wfopen_ex: File opened ok (Flags 2)
    18:54:43:131 0684 Initialize success
    18:54:43:131 0684
    18:54:43:131 0684 Scanning Services ...
    18:54:43:631 0684 Raw services enum returned 309 services
    18:54:43:647 0684
    18:54:43:647 0684 Scanning Kernel memory ...
    18:54:43:647 0684 Devices to scan: 2
    18:54:43:647 0684
    18:54:43:647 0684 Driver Name: Disk
    18:54:43:647 0684 IRP_MJ_CREATE : F75DDC30
    18:54:43:647 0684 IRP_MJ_CREATE_NAMED_PIPE : 804FB8DE
    18:54:43:647 0684 IRP_MJ_CLOSE : F75DDC30
    18:54:43:647 0684 IRP_MJ_READ : F75D7D9B
    18:54:43:647 0684 IRP_MJ_WRITE : F75D7D9B
    18:54:43:647 0684 IRP_MJ_QUERY_INFORMATION : 804FB8DE
    18:54:43:647 0684 IRP_MJ_SET_INFORMATION : 804FB8DE
    18:54:43:647 0684 IRP_MJ_QUERY_EA : 804FB8DE
    18:54:43:647 0684 IRP_MJ_SET_EA : 804FB8DE
    18:54:43:647 0684 IRP_MJ_FLUSH_BUFFERS : F75D8366
    18:54:43:647 0684 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8DE
    18:54:43:647 0684 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8DE
    18:54:43:647 0684 IRP_MJ_DIRECTORY_CONTROL : 804FB8DE
    18:54:43:647 0684 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8DE
    18:54:43:647 0684 IRP_MJ_DEVICE_CONTROL : F75D844D
    18:54:43:647 0684 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DBFC3
    18:54:43:647 0684 IRP_MJ_SHUTDOWN : F75D8366
    18:54:43:647 0684 IRP_MJ_LOCK_CONTROL : 804FB8DE
    18:54:43:647 0684 IRP_MJ_CLEANUP : 804FB8DE
    18:54:43:647 0684 IRP_MJ_CREATE_MAILSLOT : 804FB8DE
    18:54:43:647 0684 IRP_MJ_QUERY_SECURITY : 804FB8DE
    18:54:43:647 0684 IRP_MJ_SET_SECURITY : 804FB8DE
    18:54:43:647 0684 IRP_MJ_POWER : F75D9EF3
    18:54:43:647 0684 IRP_MJ_SYSTEM_CONTROL : F75DEA24
    18:54:43:647 0684 IRP_MJ_DEVICE_CHANGE : 804FB8DE
    18:54:43:647 0684 IRP_MJ_QUERY_QUOTA : 804FB8DE
    18:54:43:647 0684 IRP_MJ_SET_QUOTA : 804FB8DE
    18:54:43:678 0684 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    18:54:43:678 0684
    18:54:43:678 0684 Driver Name: atapi
    18:54:43:678 0684 IRP_MJ_CREATE : F74E4572
    18:54:43:678 0684 IRP_MJ_CREATE_NAMED_PIPE : 804FB8DE
    18:54:43:678 0684 IRP_MJ_CLOSE : F74E4572
    18:54:43:678 0684 IRP_MJ_READ : 804FB8DE
    18:54:43:678 0684 IRP_MJ_WRITE : 804FB8DE
    18:54:43:678 0684 IRP_MJ_QUERY_INFORMATION : 804FB8DE
    18:54:43:678 0684 IRP_MJ_SET_INFORMATION : 804FB8DE
    18:54:43:678 0684 IRP_MJ_QUERY_EA : 804FB8DE
    18:54:43:678 0684 IRP_MJ_SET_EA : 804FB8DE
    18:54:43:678 0684 IRP_MJ_FLUSH_BUFFERS : 804FB8DE
    18:54:43:678 0684 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8DE
    18:54:43:678 0684 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8DE
    18:54:43:678 0684 IRP_MJ_DIRECTORY_CONTROL : 804FB8DE
    18:54:43:678 0684 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8DE
    18:54:43:678 0684 IRP_MJ_DEVICE_CONTROL : F74E4592
    18:54:43:678 0684 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74E07B4
    18:54:43:678 0684 IRP_MJ_SHUTDOWN : 804FB8DE
    18:54:43:678 0684 IRP_MJ_LOCK_CONTROL : 804FB8DE
    18:54:43:678 0684 IRP_MJ_CLEANUP : 804FB8DE
    18:54:43:678 0684 IRP_MJ_CREATE_MAILSLOT : 804FB8DE
    18:54:43:678 0684 IRP_MJ_QUERY_SECURITY : 804FB8DE
    18:54:43:678 0684 IRP_MJ_SET_SECURITY : 804FB8DE
    18:54:43:678 0684 IRP_MJ_POWER : F74E45BC
    18:54:43:678 0684 IRP_MJ_SYSTEM_CONTROL : F74EB164
    18:54:43:678 0684 IRP_MJ_DEVICE_CHANGE : 804FB8DE
    18:54:43:678 0684 IRP_MJ_QUERY_QUOTA : 804FB8DE
    18:54:43:678 0684 IRP_MJ_SET_QUOTA : 804FB8DE
    18:54:43:694 0684 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    18:54:43:694 0684
    18:54:43:694 0684 Completed
    18:54:43:694 0684
    18:54:43:694 0684 Results:
    18:54:43:694 0684 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    18:54:43:694 0684 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:54:43:694 0684 File objects infected / cured / cured on reboot: 0 / 0 / 0
    18:54:43:694 0684
    18:54:43:694 0684 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    18:54:43:694 0684 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    18:54:44:288 0684 KLMD(ARK) unloaded successfully


    profiles


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1715567821-1647877149-839522115-1003
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\log77

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1715567821-1647877149-839522115-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS
     
  16. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  17. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    logs

    Combofix

    ComboFix 10-04-01.02 - log77 04/02/2010 20:28:04.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.454 [GMT -4:00]
    Running from: c:\documents and settings\log77\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
    .

    2010-04-02 05:54 . 2010-04-02 05:54 -------- d-----w- C:\_OTL
    2010-04-02 01:26 . 2010-04-02 01:26 -------- d-----w- c:\program files\Common Files\Java
    2010-04-02 01:25 . 2010-04-02 01:25 503808 ----a-w- c:\documents and settings\log77\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40d4935c-n\msvcp71.dll
    2010-04-02 01:25 . 2010-04-02 01:25 499712 ----a-w- c:\documents and settings\log77\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40d4935c-n\jmc.dll
    2010-04-02 01:25 . 2010-04-02 01:25 348160 ----a-w- c:\documents and settings\log77\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40d4935c-n\msvcr71.dll
    2010-04-02 01:25 . 2010-04-02 01:25 61440 ----a-w- c:\documents and settings\log77\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-396b99f2-n\decora-sse.dll
    2010-04-02 01:25 . 2010-04-02 01:25 12800 ----a-w- c:\documents and settings\log77\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-396b99f2-n\decora-d3d.dll
    2010-04-02 01:25 . 2010-04-02 01:25 -------- d-----w- c:\program files\Java
    2010-04-01 22:01 . 2010-04-01 22:01 -------- d-----w- c:\windows\Sun
    2010-04-01 21:57 . 2010-04-02 01:25 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-01 18:28 . 2010-04-01 18:28 -------- d-----w- c:\documents and settings\log77\Application Data\Malwarebytes
    2010-04-01 18:28 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-01 18:28 . 2010-04-01 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-01 18:28 . 2010-04-01 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-01 18:28 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 06:53 . 2010-03-30 07:07 -------- d-----w- c:\documents and settings\log77\Application Data\IObit
    2010-03-30 06:53 . 2010-03-30 06:53 -------- d-----w- c:\program files\IObit
    2010-03-30 05:01 . 2010-03-30 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-03-30 04:46 . 2001-08-17 16:11 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
    2010-03-30 04:46 . 2001-08-17 16:11 26698 ----a-w- c:\windows\system32\drivers\DLH5XND5.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-30 05:02 . 2009-09-26 21:03 -------- d-----w- c:\program files\Alwil Software
    2010-03-09 10:24 . 2009-09-26 21:03 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-03-09 10:24 . 2009-09-26 21:03 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-09 10:12 . 2009-09-26 21:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-09 10:12 . 2009-09-26 21:03 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-09 10:09 . 2009-09-26 21:04 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-09 10:08 . 2009-09-26 21:03 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-09 10:08 . 2009-09-26 21:03 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-09 10:08 . 2009-09-26 21:03 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-03-09 10:08 . 2009-09-26 21:04 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-04 23:08 . 2010-03-30 04:09 239786 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-02-23 00:13 . 2010-03-03 22:39 52224 ----a-w- c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-02-23 00:13 . 2010-03-03 22:39 101376 ----a-w- c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-02-09 23:41 . 2009-06-11 00:18 -------- d-----w- c:\program files\Google
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9 "= "c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
    "avast5 "= "c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe "=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/26/2009 5:03 PM 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/26/2009 5:03 PM 19024]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMD21
    *Deregistered* - klmd21
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    FF - ProfilePath - c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
    FF - component: c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\log77\Application Data\Mozilla\Firefox\Profiles\jvbx3phe.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    AddRemove-HijackThis - c:\documents and settings\log77\My Documents\Downloads\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-02 20:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3420)
    c:\windows\system32\msls31.dll
    c:\windows\system32\shdoclc.dll
    c:\windows\system32\msimtf.dll
    c:\windows\system32\MSCTF.dll
    .
    Completion time: 2010-04-02 20:34:01
    ComboFix-quarantined-files.txt 2010-04-03 00:33
    ComboFix2.txt 2010-04-01 13:43

    Pre-Run: 35,210,502,144 bytes free
    Post-Run: 35,184,160,768 bytes free

    - - End Of File - - 6FBD3EBFB45D17C8FCBD76CC9FCC8689

    Hijack This

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:13 PM, on 4/2/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\log77\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\Software\..\Telephony: DomainName = dcs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dcs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dcs.local
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4177 bytes
     
  18. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Honestly, I have no idea where those O17 entries come from, but none of the scans we ran shows anything malicious, so I don't think we have a reason to worry.
    Those entries may be connected to SQL Anywhere 9, but I can't say for sure.
    I think we can safely declare your computer as being clean.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ===============================================================

    When done....


    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
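    The HijackThis log posted above and broni's remark about the O17 entries are the kind of triage a helper does by eye. The following is an added illustration, not part of the thread and not a HijackThis or ComboFix component: it parses the "Onn - ..." entry lines and flags the entry types this thread actually surfaces (a BHO with "(no file)", an O10 LSP HijackThis could not identify, O17 DNS domain settings, an O1 hosts line beginning with a UTF-16 byte-order mark, and an IE start page that is not the Microsoft default). The sample log is constructed from lines in the post above, not a full copy.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Every entry line looks like "O2 - BHO: ..." or "R0 - HKCU\...": a code, " - ", the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# HijackThis prints a UTF-16 BOM at the start of a Unicode hosts file as these two characters.
UTF16_BOM = "\u00ff\u00fe"

# Constructed sample built from lines of the log posted in this thread.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q=mozilla&toolbar=BLP
O1 - Hosts: \u00ff\u00fe127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {4e68fa15-6915-425e-8519-ec29f0e7ef8c} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [avast5] C:\\PROGRA~1\\ALWILS~1\\Avast5\\avastUI.exe /nogui
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = dcs.local
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe

--
End of file - 4177 bytes
"""


def parse_entries(text):
    """Return (code, body) tuples for every entry line; headers and the trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def section_counts(entries):
    """Count entries per HijackThis section code, e.g. {'O2': 2, ...}."""
    counts = defaultdict(int)
    for code, _ in entries:
        counts[code] += 1
    return dict(counts)


def triage(entries):
    """Return (code, reason, body) for entries a helper would want to look at twice."""
    findings = []
    for code, body in entries:
        if code.startswith("R") and "go.microsoft.com" not in body:
            findings.append((code, "IE start/search page is not the Microsoft default; confirm the user set it", body))
        elif code == "O1" and body.startswith("Hosts: ") and body[len("Hosts: "):].startswith(UTF16_BOM):
            findings.append((code, "hosts file starts with a UTF-16 BOM (saved as Unicode); not a hijack by itself", body))
        elif code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append((code, "registered object whose file is missing; an orphan that can be removed", body))
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((code, "LSP module HijackThis could not identify; verify the file and its publisher", body))
        elif code == "O17":
            findings.append((code, "DNS domain/search suffix; expected on a domain-joined machine, verify the name", body))
    return findings


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("entries per section:", section_counts(parsed))
    for code, reason, body in triage(parsed):
        print(f"{code}: {reason}\n    {body}")
```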
  19. 2010/04/02
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Thank you

    Great Job as always Broni, until next time.
     
  20. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't want to see you here anymore....just kidding :)
    Stay safe :)
     
