Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware / Browser Hijack


Re: Malware / Browser Hijack

Post by EricArsenal » April 22nd, 2011, 3:14 pm

This is my ESET scan:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251


These are the threats that it noticed:
C:\Documents and Settings\Eric Grafnitz\Application Data\Sun\eidbkzw.dll a variant of Win32/AutoRun.Spy.Ambler.CR worm
C:\WINDOWS\wistap.dll Win32/Cimag.DU trojan
C:\_OTL\MovedFiles\04222011_102633\C_WINDOWS\system32\itlnfw32.dll a variant of Win32/Koblu.A trojan
Operating memory a variant of Win32/AutoRun.Spy.Ambler.CR worm

and when I restarted my computer, I got the malware XP Anti-Spyware popping up left and right.
EricArsenal
Regular Member
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » April 22nd, 2011, 3:36 pm

OK, don't try to fix anything yourself at this point, otherwise you may remove information I need to diagnose what is causing your problem.

Run another scan with OTL for me using the instructions below ....

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Next

Download TDSSKiller.zip and extract it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
    • If using Vista or Windows 7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • Post the contents in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT

Summary of the logs I need from you in your next post:
  • OTL.txt
  • Extras.txt
  • TDSSKiller log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21866
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
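Gary R is asking for the OTL logs so he can read the launch points before anything is changed. As an added example (not OTL's, the forum's, or Gary R's own code), the Python script below triages OTL-style lines for three indicators a helper looks at first: an O35/O37 shell open command for exefile or comfile that is not the stock "%1" %* (which means every program launch is routed through another executable), SRV/DRV/O4/O20 entries whose file is gone (a removed component that left its registry hook behind), and process or file entries that carry both the Hidden and System attributes on an .exe or .dll. The sample log is constructed in OTL's line format with a user name and file names chosen for the example; the rules are an assumption about what deserves a second look, not OTL's own logic.

```python
"""Triage of OTL-style log lines for the launch-point indicators a helper reads first.

Added example; the sample lines are constructed in OTL's format, not a real log.
"""
import re
from dataclasses import dataclass

# Stock shell\open\command value for exefile/comfile. Any other value means
# every .exe/.com launch is routed through the program named there.
DEFAULT_OPEN = '"%1" %*'

TAG_RE = re.compile(r'^(?P<tag>PRC|MOD|SRV|DRV|O\d+) - (?P<body>.*)$')
# "[date | size | attrs | C/M] (Company) -- path" as OTL prints file entries.
ENTRY_RE = re.compile(
    r'^\[(?P<date>[^|\]]+) \| (?P<size>[^|\]]+) \| (?P<attr>[^|\]]+) \| (?P<kind>[CM])\] '
    r'(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$')


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def parse_line(line):
    """Split an OTL line into (section tag, body); bare file entries get the tag 'FILE'."""
    m = TAG_RE.match(line)
    if m:
        return m.group('tag'), m.group('body')
    if line.startswith('['):
        return 'FILE', line
    return None, line


def check_shell_open(tag, body, line):
    """O35/O37: flag any exefile/comfile open command other than the stock one."""
    if tag not in ('O35', 'O37') or ' -- ' not in body:
        return None
    key, cmd = body.split(' -- ', 1)
    cmd = re.sub(r'\s*\([^()]*\)$', '', cmd).strip()  # drop OTL's trailing "(Company)"
    if cmd == DEFAULT_OPEN:
        return None
    return Finding('shell_open_hijack', f'{key.strip()} -> {cmd}', line)


def check_dangling(tag, body, line):
    """A service, driver, Run entry or Winlogon hook whose file is gone: the
    component was removed but its registry launch point was left behind."""
    if tag in ('SRV', 'DRV', 'O4', 'O20') and 'File not found' in body:
        return Finding('dangling_reference', body, line)
    return None


def check_hidden_exec(tag, body, line):
    """Executables with both Hidden and System attributes are rare in legitimate
    software and common in droppers that try to stay out of Explorer's view."""
    if tag not in ('PRC', 'MOD', 'FILE'):
        return None
    m = ENTRY_RE.match(body)
    if not m:
        return None
    attr, path = m.group('attr'), m.group('path')
    if 'H' in attr and 'S' in attr and path.lower().endswith(('.exe', '.dll')):
        return Finding('hidden_system_exec', f'{attr} {path}', line)
    return None


CHECKS = (check_shell_open, check_dangling, check_hidden_exec)


def triage(log_text):
    """Run every check over every line; returns findings in log order."""
    findings = []
    for line in log_text.splitlines():
        tag, body = parse_line(line.strip())
        if tag is None:
            continue
        for check in CHECKS:
            f = check(tag, body, line)
            if f:
                findings.append(f)
    return findings


# Constructed sample in OTL's line format (user name and file names are made up).
SAMPLE_LOG = r"""
PRC - [2011/04/22 17:26:25 | 000,352,256 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\User\Local Settings\Application Data\grk.exe
PRC - [2011/03/19 18:27:07 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
SRV - File not found [Auto | Stopped] -- -- (itlperf)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\User\Local Settings\Application Data\grk.exe" -a "%1" %* (Microsoft Corporation)
[2011/04/22 14:27:47 | 000,106,496 | RHS- | M] () -- C:\WINDOWS\System32\dosxt.dll
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.rule:20} {f.detail}')
```

The checks deliberately report rather than act: an exefile hijack like the one above has to be undone before the .exe it points at is deleted, otherwise nothing on the machine will launch, which is exactly why the helper asks for logs first and says not to fix anything yet.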

Re: Malware / Browser Hijack

Post by EricArsenal » April 22nd, 2011, 6:52 pm

OTL

OTL logfile created on: 4/22/2011 5:28:26 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Eric Grafnitz\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.37 Gb Total Space | 270.61 Gb Free Space | 92.24% Space Free | Partition Type: NTFS

Computer Name: ERIC | User Name: Eric Grafnitz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/22 17:26:25 | 000,352,256 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe
PRC - [2011/04/22 17:21:00 | 000,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Temp\clclean.0001
PRC - [2011/04/20 19:15:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Grafnitz\Desktop\OTL.exe
PRC - [2011/03/19 18:27:07 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/19 19:58:26 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/09/21 16:21:44 | 000,024,424 | ---- | M] () -- C:\Program Files\Veetle\Player\player.exe
PRC - [2008/06/10 18:18:10 | 000,785,520 | ---- | M] (The Weather Channel Interactive, Inc.) -- C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/07 16:41:44 | 000,419,840 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
PRC - [2006/11/07 16:41:44 | 000,102,400 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
PRC - [2006/10/20 23:45:40 | 000,069,632 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2006/07/16 21:29:54 | 000,389,120 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
PRC - [2006/07/06 07:15:00 | 000,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/07/06 07:14:30 | 000,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/06/01 16:25:00 | 000,180,224 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
PRC - [2006/05/16 23:15:10 | 000,071,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PRC - [2006/01/02 17:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/10/31 10:51:52 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2005/09/08 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2004/01/12 15:29:28 | 000,102,400 | ---- | M] (Wild Tangent) -- C:\Program Files\AIM\AIMWDInstall.exe


========== Modules (SafeList) ==========

MOD - [2011/04/20 19:15:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Grafnitz\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/10/20 23:45:40 | 000,069,632 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2006/07/06 07:14:30 | 000,090,112 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2006/06/01 16:25:00 | 000,180,224 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe -- (ELService) Intel(R)


========== Driver Services (SafeList) ==========

DRV - [2010/09/22 14:19:02 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2008/04/13 13:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/09/27 00:58:54 | 000,461,952 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mrvw245.sys -- (MRVW245)
DRV - [2006/08/01 15:03:36 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2006/08/01 15:03:36 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2006/08/01 15:03:36 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2006/08/01 15:03:36 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2006/07/24 10:20:00 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/06/07 15:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/05/09 15:36:44 | 000,009,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ELacpi.sys -- (ELacpi)
DRV - [2006/05/09 15:36:42 | 000,007,040 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elmon.sys -- (ELmon)
DRV - [2006/05/09 15:36:22 | 000,006,912 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elkbd.sys -- (ELkbd)
DRV - [2006/05/09 15:36:20 | 000,006,400 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elmou.sys -- (ELmou)
DRV - [2006/05/09 15:36:18 | 000,010,112 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elhid.sys -- (ELhid)
DRV - [2006/01/10 12:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/01/03 19:58:00 | 000,269,952 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinavrr.sys -- (ATIAVPCI)
DRV - [2005/09/08 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 05:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 12:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 12:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/03/17 07:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/03/17 07:50:36 | 000,165,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/03/17 07:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/10/19 09:07:22 | 000,009,728 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PfModNT.sys -- (PfModNT)
DRV - [2004/06/09 09:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=1061020
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=del ... bd=1061020


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=1061020
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=1061020
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=1061020
IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/reader/view/?hl=en&tab=wy#overview-page"
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.22.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: afurladvisor@anchorfree.com:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/16 20:46:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/16 20:46:21 | 000,000,000 | ---D | M]

[2008/06/18 00:40:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Grafnitz\Application Data\Mozilla\Extensions
[2011/04/22 14:59:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eric Grafnitz\Application Data\Mozilla\Firefox\Profiles\tpzzymco.default\extensions
[2011/04/22 11:41:30 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Eric Grafnitz\Application Data\Mozilla\Firefox\Profiles\tpzzymco.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/04/22 14:59:24 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Eric Grafnitz\Application Data\Mozilla\Firefox\Profiles\tpzzymco.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/01/21 19:49:35 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Documents and Settings\Eric Grafnitz\Application Data\Mozilla\Firefox\Profiles\tpzzymco.default\extensions\foxyproxy@eric.h.jung
[2011/04/22 14:57:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/22 10:25:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/04/16 20:46:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
[2010/10/06 21:00:16 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\ERIC GRAFNITZ\APPLICATION DATA\MOVE NETWORKS
[2011/04/22 10:24:58 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/09/07 22:04:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/22 10:24:57 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2006/11/20 20:38:19 | 000,226,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npdrmv2.dll
[2004/08/10 05:00:00 | 000,364,544 | ---- | M] (Microsoft Corporation (written by Digital Renaissance Inc.)) -- C:\Program Files\Mozilla Firefox\plugins\npdsplay.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2004/08/10 05:00:00 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npwmsdrm.dll

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O4 - HKLM..\Run: [AIMWDInstallFilename] C:\Program Files\AIM\AIMWDInstall.exe (Wild Tangent)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MBMon] C:\WINDOWS\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [VoiceCenter] C:\Program Files\Creative\VoiceCenter\AndreaVC.exe (Andrea Electronics Corporation)
O4 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)
O4 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..\Run: [SetDefaultMIDI] C:\WINDOWS\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT AntiViruses Class)
O16 - DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT FireWalls Class)
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/images/global/js/scan ... ProExe.cab (Scanner.SysScanner)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://securera-pilot.edwardjones.com/ ... 9,327,1558 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\DOCUME~1\ERICGR~1\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab (F5 Networks Auto Update)
O16 - DPF: {49EC7987-E331-44E3-B170-748B58A268B9} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT ProcessesScanner Class)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} https://securera-pilot.edwardjones.com/ ... ,0327,1547 (F5 Networks Policy Agent Host Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} https://securera-pilot.edwardjones.com/ ... 5,2,3790,0 (Microsoft RDP Client Control (redist))
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://securera-pilot.edwardjones.com/ ... 9,327,1548 (F5 Networks Host Control)
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} https://securera-pilot.edwardjones.com/ ... ,0327,1557 (F5 Networks OS Policy Agent)
O16 - DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (F5 Networks OPSWAT Helper Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.134 68.87.72.134
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O35 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..exefile [open] -- "C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\...exe [@ = exefile] -- "C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "%1" %* (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/04/22 17:26:25 | 000,352,256 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe
[2011/04/22 13:56:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/22 13:56:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/22 11:30:19 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/22 11:30:10 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Eric Grafnitz\Desktop\esetsmartinstaller_enu.exe
[2011/04/22 10:26:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/22 10:25:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/04/22 10:25:08 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/22 10:25:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/22 10:25:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/22 10:25:08 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/04/22 10:24:39 | 016,754,464 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Eric Grafnitz\Desktop\jre-6u24-windows-i586-s.exe
[2011/04/22 10:24:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/20 20:09:37 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eric Grafnitz\Desktop\OTL.exe
[2011/04/19 17:41:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/04/19 17:41:26 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Desktop\MGADiag.exe
[2011/04/16 20:46:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/04/16 20:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/16 18:43:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/16 06:53:16 | 012,817,352 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Desktop\windows-kb890830-v3.18.exe
[2011/04/14 22:47:11 | 008,579,448 | ---- | C] (Mozilla) -- C:\Documents and Settings\Eric Grafnitz\Desktop\Firefox Setup 3.6.16.exe
[2011/04/14 18:40:54 | 000,470,912 | ---- | C] (Marvell Semiconductor, Inc) -- C:\WINDOWS\System32\Mrvw243.sys
[2011/04/14 18:40:54 | 000,470,912 | ---- | C] (Marvell Semiconductor, Inc) -- C:\WINDOWS\System32\drivers\Mrvw243.sys
[2011/04/14 18:40:54 | 000,461,952 | ---- | C] (Marvell Semiconductor, Inc) -- C:\WINDOWS\System32\Mrvw245.sys
[2011/04/14 18:40:54 | 000,461,952 | ---- | C] (Marvell Semiconductor, Inc) -- C:\WINDOWS\System32\drivers\Mrvw245.sys
[2011/04/14 18:40:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Linksys Wireless-N USB Network Adapter WUSB300N
[2011/04/14 18:40:49 | 000,000,000 | ---D | C] -- C:\Program Files\Linksys
[2011/04/14 18:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Grafnitz\Application Data\InstallShield
[2011/04/14 18:32:46 | 000,000,000 | ---D | C] -- C:\Linksys Driver
[2011/04/14 18:08:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eric Grafnitz\Recent
[2011/04/13 22:32:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/13 19:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Malwarebytes
[2011/04/13 19:49:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/13 19:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/13 19:48:57 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/13 19:48:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/13 19:48:23 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eric Grafnitz\Desktop\mbam-setup.exe
[2011/04/13 18:42:51 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/04/07 20:50:15 | 000,000,000 | ---D | C] -- C:\Program Files\Safari
[2011/04/07 20:45:27 | 035,623,720 | ---- | C] (Apple Inc.) -- C:\Documents and Settings\Eric Grafnitz\Desktop\SafariSetup.exe
[2011/03/30 18:08:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/28 19:27:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric Grafnitz\Desktop\Wiz Khalifa - Rolling Papers

========== Files - Modified Within 30 Days ==========

[2011/04/22 17:28:22 | 000,014,312 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l
[2011/04/22 17:28:22 | 000,014,312 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l
[2011/04/22 17:26:25 | 000,352,256 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe
[2011/04/22 17:21:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/22 17:20:58 | 000,000,300 | -HS- | M] () -- C:\WINDOWS\tasks\jwccakvf.job
[2011/04/22 17:20:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/22 17:20:51 | 3219,165,184 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/22 17:03:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-542624359-4108094095-3092757597-1006UA.job
[2011/04/22 16:17:35 | 000,013,744 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/22 14:27:47 | 000,106,496 | RHS- | M] () -- C:\WINDOWS\System32\dosxt.dll
[2011/04/22 14:19:37 | 000,002,205 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Safari.lnk
[2011/04/22 14:12:48 | 000,013,784 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/22 14:11:55 | 000,013,650 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\393291625
[2011/04/22 14:11:55 | 000,013,650 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\168794355
[2011/04/22 14:11:15 | 000,439,120 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\malware.JPG
[2011/04/22 14:06:28 | 000,013,788 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\168794355
[2011/04/22 14:06:05 | 000,013,772 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\393291625
[2011/04/22 13:55:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 11:30:13 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Eric Grafnitz\Desktop\esetsmartinstaller_enu.exe
[2011/04/22 10:24:56 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/04/22 10:24:56 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/22 10:24:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/22 10:24:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/22 10:24:56 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/04/22 10:09:28 | 016,754,464 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Eric Grafnitz\Desktop\jre-6u24-windows-i586-s.exe
[2011/04/20 20:03:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-542624359-4108094095-3092757597-1006Core.job
[2011/04/20 19:17:26 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\nznfq0zd.exe
[2011/04/20 19:15:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric Grafnitz\Desktop\OTL.exe
[2011/04/19 18:00:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\prvlcl.dat
[2011/04/19 17:39:44 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Desktop\MGADiag.exe
[2011/04/16 22:32:50 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\dds.scr
[2011/04/16 20:46:23 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/16 20:46:23 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/16 06:53:19 | 012,817,352 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Desktop\windows-kb890830-v3.18.exe
[2011/04/16 04:30:07 | 000,017,406 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj
[2011/04/16 04:30:07 | 000,017,406 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj
[2011/04/15 21:02:40 | 006,771,101 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Contract.pdf
[2011/04/15 21:02:40 | 000,098,005 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\1920x1200-OBOYBG.jpg
[2011/04/15 21:02:40 | 000,090,130 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\1600x1200-OBOYBG.jpg
[2011/04/15 21:02:40 | 000,081,966 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Sticker.jpg
[2011/04/15 21:02:40 | 000,038,054 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Mobile-OBOYBG.jpg
[2011/04/15 20:02:54 | 004,926,738 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\SponsorshipKit.zip
[2011/04/15 17:58:24 | 000,442,774 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/15 17:58:24 | 000,071,882 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/15 17:46:13 | 000,319,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 23:07:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 22:47:39 | 008,579,448 | ---- | M] (Mozilla) -- C:\Documents and Settings\Eric Grafnitz\Desktop\Firefox Setup 3.6.16.exe
[2011/04/14 18:40:47 | 000,001,044 | ---- | M] () -- C:\WINDOWS\System32\WLAN.INI
[2011/04/14 17:59:28 | 000,000,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/04/13 21:16:52 | 000,000,275 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Shortcut to iExplore.lnk
[2011/04/13 21:03:46 | 000,504,657 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\unhide.exe
[2011/04/13 19:49:01 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/04/13 19:46:14 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eric Grafnitz\Desktop\mbam-setup.exe
[2011/04/13 19:35:26 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\rkill.exe
[2011/04/13 18:04:28 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
[2011/04/13 18:03:27 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18472756
[2011/04/07 20:47:04 | 035,623,720 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\Eric Grafnitz\Desktop\SafariSetup.exe
[2011/03/30 18:22:42 | 000,000,209 | RHS- | M] () -- C:\boot.ini
[2011/03/30 18:08:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\cd.dat
[2011/03/28 19:19:59 | 085,582,706 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Wiz_Khalifa-Rolling_Papers-(RapGodFathers.info).zip

========== Files Created - No Company Name ==========

[2011/04/22 17:26:25 | 000,014,312 | -HS- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l
[2011/04/22 17:26:25 | 000,014,312 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l
[2011/04/22 14:27:48 | 000,000,300 | -HS- | C] () -- C:\WINDOWS\tasks\jwccakvf.job
[2011/04/22 14:27:47 | 000,106,496 | RHS- | C] () -- C:\WINDOWS\System32\dosxt.dll
[2011/04/22 14:11:15 | 000,439,120 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\malware.JPG
[2011/04/22 14:05:58 | 000,013,788 | -HS- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\168794355
[2011/04/22 14:05:53 | 000,013,650 | -HS- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\393291625
[2011/04/22 14:05:53 | 000,013,650 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\168794355
[2011/04/22 14:05:34 | 000,013,784 | -HS- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/22 14:05:34 | 000,013,772 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\393291625
[2011/04/22 13:56:23 | 000,013,744 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/22 13:56:23 | 000,013,744 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/20 20:09:41 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\nznfq0zd.exe
[2011/04/20 20:08:17 | 3219,165,184 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/16 22:32:51 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\dds.scr
[2011/04/16 20:46:23 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/16 20:46:23 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/16 19:58:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/16 04:27:58 | 000,017,406 | -HS- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj
[2011/04/16 04:27:58 | 000,017,406 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj
[2011/04/15 20:03:11 | 006,771,101 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Contract.pdf
[2011/04/15 20:03:11 | 000,098,005 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\1920x1200-OBOYBG.jpg
[2011/04/15 20:03:11 | 000,090,130 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\1600x1200-OBOYBG.jpg
[2011/04/15 20:03:11 | 000,081,966 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Sticker.jpg
[2011/04/15 20:03:11 | 000,038,054 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Mobile-OBOYBG.jpg
[2011/04/15 20:02:47 | 004,926,738 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\SponsorshipKit.zip
[2011/04/14 18:40:54 | 000,011,042 | ---- | C] () -- C:\WINDOWS\System32\mrvw245.cat
[2011/04/14 18:40:54 | 000,011,042 | ---- | C] () -- C:\WINDOWS\System32\drivers\mrvw245.cat
[2011/04/14 18:40:47 | 000,001,044 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2011/04/13 21:16:52 | 000,000,275 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Shortcut to iExplore.lnk
[2011/04/13 21:08:44 | 000,504,657 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\unhide.exe
[2011/04/13 19:49:01 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/04/13 19:46:28 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\rkill.exe
[2011/04/13 18:04:28 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
[2011/04/13 18:04:28 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/04/13 18:03:27 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18472756
[2011/04/09 11:28:58 | 000,002,205 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\Microsoft\Internet Explorer\Quick Launch\Safari.lnk
[2011/04/07 20:50:21 | 000,002,193 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Safari.lnk
[2011/03/30 18:08:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\cd.dat
[2011/03/28 19:08:41 | 085,582,706 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\Wiz_Khalifa-Rolling_Papers-(RapGodFathers.info).zip
[2011/01/30 18:13:09 | 005,889,712 | ---- | C] () -- C:\Program Files\HSS-1.57-install-anchorfree-232-expatshield.exe
[2010/11/17 15:52:03 | 000,068,952 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/09 14:53:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\prvlcl.dat
[2008/01/30 18:10:46 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2007/10/31 11:39:54 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/10/01 20:14:39 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2007/05/17 15:58:10 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2006/12/04 14:00:43 | 000,033,280 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/27 21:44:49 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Application Data\iScrobbler.ini
[2006/10/25 18:56:30 | 000,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/24 20:42:35 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/24 19:10:13 | 000,003,485 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/10/24 19:06:53 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/24 18:55:13 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\fusioncache.dat
[2006/10/20 23:57:51 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/20 23:53:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/20 23:48:35 | 000,000,325 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/10/20 23:46:38 | 000,022,629 | ---- | C] () -- C:\WINDOWS\System32\CiFilter.ini
[2006/10/20 23:45:54 | 000,010,820 | ---- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2006/10/20 23:45:41 | 000,000,040 | ---- | C] () -- C:\WINDOWS\System32\mes2046.dll
[2006/10/20 23:45:15 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\Elusetup.exe
[2006/10/20 23:23:17 | 001,355,042 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2006/10/20 23:23:03 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/10/20 23:22:59 | 000,129,112 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/10/20 23:22:00 | 000,000,393 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 01:38:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 04:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 04:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 04:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 04:27:59 | 000,319,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 04:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 04:18:33 | 001,287,680 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2005/08/16 04:18:33 | 000,442,774 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 04:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 04:18:33 | 000,071,882 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 04:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 04:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 04:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 04:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 04:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 04:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 04:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 04:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll

========== LOP Check ==========

[2011/03/14 18:19:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/12/02 10:44:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/01/09 23:27:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Otto
[2007/01/16 19:48:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/09/08 16:29:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/03/02 20:34:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Also
[2007/01/17 19:56:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\JAMS
[2006/11/27 23:01:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Leadertech
[2006/11/28 21:07:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Musicmatch
[2010/09/13 15:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\OpenOffice.org
[2008/01/09 23:27:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Otto
[2006/10/24 19:10:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Thunderbird
[2008/07/07 22:22:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Viewpoint
[2011/03/02 19:32:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Xuilc
[2011/04/22 17:20:58 | 000,000,300 | -HS- | M] () -- C:\WINDOWS\Tasks\jwccakvf.job

========== Purity Check ==========



< End of report >
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 22nd, 2011, 6:54 pm

Extras

OTL Extras logfile created on: 4/22/2011 5:28:26 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Eric Grafnitz\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.37 Gb Total Space | 270.61 Gb Free Space | 92.24% Space Free | Partition Type: NTFS

Computer Name: ERIC | User Name: Eric Grafnitz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*

[HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde
htmlfile [print] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
"C:\Program Files\Common Files\AOL\1161741437\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1161741437\ee\aolsoftware.exe:*:Enabled:AOL Services
"C:\Program Files\Common Files\AOL\1161741437\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1161741437\ee\aim6.exe:*:Enabled:AIM
"C:\Program Files\Soulseek\slsk.exe" = C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek
"C:\Program Files\Last.fm\LastFM.exe" = C:\Program Files\Last.fm\LastFM.exe:*:Enabled:Last.fm
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM
"C:\WINDOWS\Downloaded Program Files\TunnelServer.exe" = C:\WINDOWS\Downloaded Program Files\TunnelServer.exe:*:Enabled:TunnelServer -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome -- (Google Inc.)
"C:\Program Files\Boxee\BOXEE.exe" = C:\Program Files\Boxee\BOXEE.exe:*:Enabled:Boxee
"C:\Documents and Settings\Eric Grafnitz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Eric Grafnitz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel(R) PRO Network Connections
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD Plus
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 24
"{2CA41BA1-9842-4819-8ABB-76FDC14AB9EA}" = ATI Catalyst Control Center
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3846E811-639D-4DE1-844B-30491C0A6C0C}" = Dell Support 3.2
"{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7EAB1D85-7BA3-47C1-BBF7-A0EBC241DB94}" = Intel® Viiv™ Software
"{81463B08-A929-4125-A5F4-1B053AC35A09}" = Microsoft IntelliType Pro 5.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2AE3F6-79DF-423C-91CB-389F6FB5837B}" = Andrea VoiceCenter
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C73F2967-062E-48F2-A462-D335B8950183}" = Safari
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF6E7481-4487-46D3-810A-F73EEA232CE0}" = Microsoft IntelliPoint 5.0
"{DCD3471D-4DDA-4DC2-8B9F-A662D0C362AC}" = Linksys Wireless-N USB Network Adapter WUSB300N
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E8C06CB3-5DB2-4689-B1DC-4A0220DEA96C}" = Consumer Complete Care Services Agreement
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Creative Audio Pack" = Creative Audio Pack
"EL" = Intel(R) Quick Resume Technology Drivers
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESET Online Scanner" = ESET Online Scanner v3
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SAMB_ADVMB_FILTER_DRV" = Sound Blaster ADVANCED MB Drivers
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Soulseek2" = SoulSeek Client 157 test 11
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"Veetle TV" = Veetle TV 0.9.18
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 22nd, 2011, 6:56 pm

I cannot use TDSSKiller for some reason. This is what happens when I run it, see attached.

Re: Malware / Browser Hijack

Unread postby Gary R » April 23rd, 2011, 5:11 am

OK, let's try running another tool instead of TDSSKiller.

  • Download aswMBR.exe to your desktop.
  • Double click aswMBR.exe to run it
  • Click the SCAN button to start the scan.
  • On completion of the scan click SAVE LOG and save it to your desktop.
  • Post the log contents in your next reply please.

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 23rd, 2011, 9:45 am

aswmbr:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-23 08:41:14
-----------------------------
08:41:14.140 OS Version: Windows 5.1.2600 Service Pack 3
08:41:14.140 Number of processors: 2 586 0xF06
08:41:14.140 ComputerName: ERIC UserName:
08:41:14.968 Initialize success
08:41:27.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:41:27.687 Disk 0 Vendor: ST332063 3.AD Size: 305245MB BusType: 3
08:41:27.687 Disk 0 MBR read error
08:41:27.687 Disk 0 MBR scan
08:41:27.687 MBR BIOS signature not found 0
08:41:27.687 Disk 0 scanning sectors +625137345
08:41:27.687 Disk 0 scanning C:\WINDOWS\system32\drivers
08:41:33.609 Service scanning
08:41:34.640 Disk 0 trace - called modules:
08:41:34.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a6f14e7]<<
08:41:34.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b024660]
08:41:34.640 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a698f18]
08:41:34.640 \Driver\iastor[0x8b034bc0] -> IRP_MJ_CREATE -> 0x8a6f14e7
08:41:34.640 Scan finished successfully
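The aswMBR output above contains the three things a helper looks for before suspecting a TDL-type rootkit: the MBR could not be read, the 0x55AA signature was not found, and the trace of the disk I/O ends in code that belongs to no loaded module (the >>UNKNOWN [0x...]<< entry), with the iastor driver's IRP_MJ_CREATE dispatch pointing at that same address. The script below is an added example, not part of aswMBR or of this thread; it pulls those indicators out of a log automatically. The sample log is a trimmed, constructed copy of the one posted above, and the line patterns are the script's own assumptions about the aswMBR 0.9 text format.

```python
"""Triage an aswMBR log for signs of a hooked disk stack.

Added example for this thread; it is not part of aswMBR or of the forum's
tooling. The log below is a constructed, trimmed copy of the output posted
above, and the line patterns are this script's own assumptions about the
aswMBR 0.9.x text format.
"""
import re

# Constructed sample, trimmed from the first aswMBR log in the thread.
SAMPLE_LOG = r"""aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
08:41:27.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:41:27.687 Disk 0 MBR read error
08:41:27.687 Disk 0 MBR scan
08:41:27.687 MBR BIOS signature not found 0
08:41:34.640 Disk 0 trace - called modules:
08:41:34.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a6f14e7]<<
08:41:34.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b024660]
08:41:34.640 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a698f18]
08:41:34.640 \Driver\iastor[0x8b034bc0] -> IRP_MJ_CREATE -> 0x8a6f14e7
08:41:34.640 Scan finished successfully
"""

READ_ERROR = re.compile(r"Disk \d+ MBR read error")
SIG_MISSING = re.compile(r"MBR BIOS signature not found")
# Code that handled the request but lives outside every loaded module.
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# A driver object's IRP_MJ_* dispatch pointer and the address it points at.
DISPATCH = re.compile(
    r"\\Driver\\(\S+?)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


def triage_aswmbr_log(text: str) -> dict:
    """Return the indicators found in an aswMBR log plus an overall verdict."""
    result = {
        "mbr_read_error": False,
        "mbr_signature_missing": False,
        "unknown_handlers": [],   # addresses reported as >>UNKNOWN<<
        "hooked_dispatch": [],    # (driver, IRP major, target) pointing at them
        "verdict": "clean",
    }
    dispatches = []
    for line in text.splitlines():
        if READ_ERROR.search(line):
            result["mbr_read_error"] = True
        if SIG_MISSING.search(line):
            result["mbr_signature_missing"] = True
        m = UNKNOWN.search(line)
        if m:
            result["unknown_handlers"].append(m.group(1).lower())
        m = DISPATCH.search(line)
        if m:
            driver, major, target = m.groups()
            dispatches.append((driver, major, target.lower()))

    # A dispatch routine that resolves to an address outside any module is
    # the classic sign of a hooked storage driver.
    unknown = set(result["unknown_handlers"])
    result["hooked_dispatch"] = [d for d in dispatches if d[2] in unknown]

    if result["hooked_dispatch"] or unknown:
        result["verdict"] = "suspected_rootkit"
    elif result["mbr_read_error"] or result["mbr_signature_missing"]:
        result["verdict"] = "mbr_unreadable"
    return result


if __name__ == "__main__":
    for key, value in triage_aswmbr_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A read error or missing signature on its own only says the MBR could not be read cleanly (a bad disk or an unusual controller can do that too); it is the unknown handler in the call trace that turns it into a rootkit suspicion.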

Re: Malware / Browser Hijack

Unread postby Gary R » April 23rd, 2011, 10:04 am

Looks like you might have one of the TDL rootkits. We may or may not be able to clear it using aswMBR; some versions cannot be removed by it, and we'll have to use a different method then, but first we'll try the simple way.

First

Before we attempt to fix things I'd like to make a backup of your Master Boot Record (MBR) so we can restore it if anything goes wrong.

  • Download MBRFix and extract it to your Desktop.
  • Copy MBRFix.exe to the C:\ folder.
  • Click Start > Run, type cmd in the Open box, then hit Enter.
    • This will open a Command box.
    • Now type the following command C:\MBRFix /drive 0 savembr C:\Backup_MBR_0.bin hit Enter
    • Exit the command window.
    • Check to make sure there is a file Backup_MBR_0.bin in your C:\ folder.
    • Let me know if you have any problems, or if the file is not created.

DO NOT FOLLOW THE INSTRUCTIONS BELOW IF YOU ARE UNABLE TO MAKE A BACKUP OF YOUR MBR.

Next

  • Double click aswMBR.exe to run it
  • Click SCAN to start the scan.
  • On completion of the scan ...
  • Click the FIX button
  • On completion of the fix click the SAVE LOG, and save it to your desktop.
  • Post the log contents in your next reply please.

Next

Reboot your computer.

Then

Run a scan with Malwarebytes Anti-Malware

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Check all items except items in the C:\System Volume Information folder and click on Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

Then

Please download Rootkit Unhooker and extract it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply please.

Summary of the logs I need from you in your next post:
  • aswMBR log
  • MBAM log
  • Rootkit Unhooker log
  • Let me know if you're still being re-directed.


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
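A backup made with MBRFix /drive 0 savembr is a raw 512-byte copy of sector 0, and the reason it matters is what aswMBR reported above: the last two bytes of a valid MBR must be 0x55 0xAA, and a bootkit that replaces the boot code usually keeps the partition table so Windows still starts. The script below is an added example, not code from MBRFix, aswMBR or this thread; it parses an MBR image, checks the signature and partition entries, and diffs a fresh copy against the backup. The MBR images in it are constructed so it runs offline (the partition layout is made up), and the disk read path it mentions, \\.\PhysicalDrive0, needs administrator rights and can itself be filtered by a kernel rootkit.

```python
r"""Parse a 512-byte MBR and compare a saved copy against a fresh read.

Added example for this thread; it is not code from MBRFix, aswMBR or the
forum. The MBR images below are constructed so the script runs offline.
On the real machine the backup is the 512-byte file written by
`MBRFix /drive 0 savembr C:\Backup_MBR_0.bin`; the "live" copy would be
sector 0 read from \\.\PhysicalDrive0 (administrator rights needed, and
a kernel rootkit can filter that read, which is what aswMBR's
"MBR read error" line reports).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
ENTRY_LEN = 16               # four partition entries at 446..509
SIGNATURE = b"\x55\xAA"      # bytes 510..511: the "BIOS signature"


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into signature check, boot-code hash and partition table."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, _chs_a, ptype, _chs_b, lba_start, sectors = struct.unpack(
            "<B3sB3sII", data[off:off + ENTRY_LEN])
        if ptype == 0:               # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(backup: bytes, live: bytes) -> list:
    """List the ways `live` differs from the trusted `backup`; [] if identical."""
    b, l = parse_mbr(backup), parse_mbr(live)
    findings = []
    if not l["signature_ok"]:
        findings.append("boot signature 0x55AA missing from live MBR")
    if b["boot_code_sha256"] != l["boot_code_sha256"]:
        findings.append("boot code differs from backup")
    if b["partitions"] != l["partitions"]:
        findings.append("partition table differs from backup")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR image (test data only)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype,
                    b"\xfe\xff\xff", lba_start, sectors)
        for status, ptype, lba_start, sectors in partitions)
    return code + table.ljust(4 * ENTRY_LEN, b"\x00") + SIGNATURE


# Constructed layout: a small utility partition and a bootable NTFS partition
# (the thread's boot.ini points at partition(2), so Windows is the second one).
LAYOUT = [(0x00, 0xDE, 63, 128520), (0x80, 0x07, 128583, 624986940)]
CLEAN = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", LAYOUT)
# Bootkit-style tampering: new boot code, partition table left intact.
TAMPERED = build_mbr(b"\xeb\x0e\x90\x90\x90\x90", LAYOUT)
# What "MBR BIOS signature not found" looks like: the 0x55AA marker is gone.
NO_SIGNATURE = CLEAN[:510] + b"\x00\x00"


if __name__ == "__main__":
    print(parse_mbr(CLEAN))
    print("tampered:", compare_mbr(CLEAN, TAMPERED))
    print("no signature:", compare_mbr(CLEAN, NO_SIGNATURE))
```

To check a real machine, replace CLEAN with the bytes of C:\Backup_MBR_0.bin and the live image with a 512-byte read of the physical drive, preferably taken from a boot CD so the kernel doing the reading is not the one the rootkit is hiding from.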

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 23rd, 2011, 12:07 pm

I have the backup .bin file set up. When I run aswMBR.exe the Fix option is not clickable. I did not follow any other instructions.

Re: Malware / Browser Hijack

Unread postby Gary R » April 23rd, 2011, 1:48 pm

My mistake, this infection requires you to use the FIX MBR button, not the Fix one.

  • Double click aswMBR.exe to run it
  • Click SCAN to start the scan.
  • On completion of the scan ...
  • Click the FIX MBR button.
  • On completion of the fix click the SAVE LOG, and save it to your desktop.
  • Post the log contents in your next reply please.

Once you've done that, follow the rest of the instructions in my last post.

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 23rd, 2011, 2:32 pm

I ran aswMBR and got to FIX MBR, and it gave a fix error. I ran it again and still got a fix error.

here is the log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-23 13:03:20
-----------------------------
13:03:21.000 OS Version: Windows 5.1.2600 Service Pack 3
13:03:21.000 Number of processors: 2 586 0xF06
13:03:21.000 ComputerName: ERIC UserName:
13:03:21.546 Initialize success
13:03:36.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:03:36.750 Disk 0 Vendor: ST332063 3.AD Size: 305245MB BusType: 3
13:03:36.750 Disk 0 MBR read error
13:03:36.750 Disk 0 MBR scan
13:03:36.750 MBR BIOS signature not found 0
13:03:36.750 Disk 0 scanning sectors +625137345
13:03:36.750 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:42.703 Service scanning
13:03:43.578 Disk 0 trace - called modules:
13:03:43.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a6fe4e7]<<
13:03:43.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b027660]
13:03:43.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a6aa248]
13:03:43.578 \Driver\iastor[0x8b07bbc0] -> IRP_MJ_CREATE -> 0x8a6fe4e7
13:03:43.578 Scan finished successfully
13:03:46.828 Disk 0 MBR fix error
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-23 13:09:17
-----------------------------
13:09:17.859 OS Version: Windows 5.1.2600 Service Pack 3
13:09:17.859 Number of processors: 2 586 0xF06
13:09:17.859 ComputerName: ERIC UserName:
13:09:18.843 Initialize success
13:09:20.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:09:20.687 Disk 0 Vendor: ST332063 3.AD Size: 305245MB BusType: 3
13:09:20.687 Disk 0 MBR read error
13:09:20.687 Disk 0 MBR scan
13:09:20.687 MBR BIOS signature not found 0
13:09:20.687 Disk 0 scanning sectors +625137345
13:09:20.687 Disk 0 scanning C:\WINDOWS\system32\drivers
13:09:30.968 Service scanning
13:09:32.343 Disk 0 trace - called modules:
13:09:32.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a6f04e7]<<
13:09:32.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b036568]
13:09:32.343 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a68beb0]
13:09:32.343 \Driver\iastor[0x8b00aa10] -> IRP_MJ_CREATE -> 0x8a6f04e7
13:09:32.343 Scan finished successfully
13:09:34.906 Disk 0 MBR fix error


Before I ran this, I started having other problems as well. About half the time I start up the infected computer, it just shows my background image. No icons, Start menu, toolbar, nothing.

Now I have a new problem of no .exe working. Here is an example of what I get, as an attachment.

Re: Malware / Browser Hijack

Unread postby Gary R » April 23rd, 2011, 5:13 pm

Right click on combofix.exe by sUBs and select Save Target As (Internet Explorer) or Save Link As (in Firefox)

Save as FredFix.com to your Desktop (it must be in that location)

Save as type All files or it won't work.

Do not download it and then re-name it

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply. ......... (it can also be found at C:\ComboFix.txt)

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
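Why FredFix.com rather than simply ComboFix.exe: the "no .exe working" symptom in the previous post is a hijacked file association. On a clean XP the exefile class opens a program with the command "%1" %*; here the malware pointed that command at its own copy (grk.exe for the user's account, fix.exe under HKLM) and passed the real program through as an argument, so every .exe went through the rogue first. A .com file uses the comfile class instead, which was not touched. The script below is an added example, not code from OTL, ComboFix or this thread, that flags such hijacks in OTL O35/O37 lines. The sample lines are constructed from the OTL fix list posted later in the thread, with the HKLM O35 line set to the clean default for contrast.

```python
r"""Spot a hijacked .exe file association in OTL O35/O37 lines.

Added example for this thread; not code from OTL, ComboFix or the forum.
A clean Windows XP opens .exe files through the exefile class with the
command  "%1" %*  (run the file, pass its arguments). The malware here
replaced that with its own executable and handed the real program over as
an argument, so every .exe launch went through grk.exe / fix.exe first.
The .com extension maps to a different class (comfile), which is why the
advice above was to save ComboFix as FredFix.com rather than as an .exe.
The sample lines are constructed from the OTL listing later in the thread,
with the HKLM O35 line changed to the clean default for contrast.
"""
import re

DEFAULT_OPEN = '"%1" %*'

# Constructed sample modelled on the thread's OTL O35/O37 output.
SAMPLE_OTL = r"""
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..exefile [open] -- "C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
"""

LINE = re.compile(r"^(O3[57]) - (.+?) -- (.+)$")
VENDOR_TAG = re.compile(r"\s+\([^()]*\)\s*$")   # trailing "(Microsoft Corporation)"
FIRST_QUOTED = re.compile(r'^"([^"]+)"')


def find_exefile_hijacks(text: str) -> list:
    """Return every O35/O37 entry whose open command is not the clean default."""
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        item, key, command = m.groups()
        command = VENDOR_TAG.sub("", command).strip()
        if command == DEFAULT_OPEN:
            continue
        q = FIRST_QUOTED.match(command)
        hits.append({
            "item": item,        # O35: exefile open command; O37: .exe -> class mapping
            "key": key,
            "command": command,
            "interposed": q.group(1) if q else None,   # program run instead of the .exe
        })
    return hits


if __name__ == "__main__":
    for hit in find_exefile_hijacks(SAMPLE_OTL):
        print(f'{hit["item"]} {hit["key"]}: runs {hit["interposed"]}')
```

The per-user HKU entry is the one that matters for the logged-on account: a user-class override takes precedence over HKLM, which is why a fix that only repairs HKLM still leaves that user unable to run programs.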

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 23rd, 2011, 5:50 pm

I couldn't actually open MS Security Essentials in order to verify if it was indeed disabled. With that said, here is the log:

ComboFix 11-04-23.01 - Eric Grafnitz 04/23/2011 16:32:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2659 [GMT -5:00]
Running from: c:\documents and settings\Eric Grafnitz\Desktop\FredFix.com
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric Grafnitz\Application Data\Sun\lfmt.txt
c:\documents and settings\Eric Grafnitz\Application Data\Sun\mxd1.txt
c:\documents and settings\Eric Grafnitz\Local Settings\Application Data\grk.exe
c:\windows\system32\Data
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-22 19:27 . 2011-04-22 19:27 106496 --sha-r- c:\windows\system32\dosxt.dll
2011-04-22 18:56 . 2011-04-22 18:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-22 16:30 . 2011-04-22 16:30 -------- d-----w- c:\program files\ESET
2011-04-22 15:26 . 2011-04-22 15:26 -------- d-----w- C:\_OTL
2011-04-22 15:25 . 2011-04-22 15:25 -------- d-----w- c:\program files\Common Files\Java
2011-04-22 15:25 . 2011-04-22 15:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-19 22:41 . 2011-04-19 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-17 01:29 . 2011-04-17 01:29 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{440FC379-D04D-4042-AF9D-CF98A0C185A2}\MpKsl496bdef4.sys
2011-04-16 09:19 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{440FC379-D04D-4042-AF9D-CF98A0C185A2}\mpengine.dll
2011-04-15 22:49 . 2011-04-15 22:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-14 23:40 . 2007-09-27 06:00 470912 ----a-w- c:\windows\system32\Mrvw243.sys
2011-04-14 23:40 . 2007-09-27 06:00 470912 ----a-w- c:\windows\system32\drivers\Mrvw243.sys
2011-04-14 23:40 . 2007-09-27 05:58 461952 ----a-w- c:\windows\system32\Mrvw245.sys
2011-04-14 23:40 . 2007-09-27 05:58 461952 ----a-w- c:\windows\system32\drivers\Mrvw245.sys
2011-04-14 23:40 . 2011-04-14 23:40 -------- d-----w- c:\program files\Linksys
2011-04-14 23:40 . 2011-04-14 23:40 -------- d-----w- c:\documents and settings\Eric Grafnitz\Application Data\InstallShield
2011-04-14 23:32 . 2011-04-14 23:32 -------- d-----w- C:\Linksys Driver
2011-04-14 00:49 . 2011-04-14 00:49 -------- d-----w- c:\documents and settings\Eric Grafnitz\Application Data\Malwarebytes
2011-04-14 00:49 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 00:49 . 2011-04-14 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-14 00:48 . 2011-04-14 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 00:48 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 23:26 . 2011-04-13 23:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-13 23:25 . 2011-04-13 23:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-08 01:50 . 2011-04-08 01:50 -------- d-----w- c:\program files\Safari
2011-03-26 21:41 . 2011-03-26 21:41 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 15:24 . 2010-09-13 19:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-15 04:05 . 2010-04-16 15:09 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2005-08-16 09:18 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2005-08-16 09:18 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2005-08-16 09:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2005-08-16 09:18 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2005-08-16 09:18 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-23 04:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2005-08-16 09:18 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33 . 2005-08-16 09:18 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2005-08-16 09:18 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-04 23:48 . 2005-08-16 09:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 23:48 . 2005-08-16 09:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-30 23:13 . 2011-01-30 23:13 5889712 ----a-w- c:\program files\HSS-1.57-install-anchorfree-232-expatshield.exe
2011-01-27 11:57 . 2005-08-16 09:37 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 8192]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 15:20 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Eric Grafnitz\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/14/2007 12:37 PM 24652]
S1 MpKsl43daddbb;MpKsl43daddbb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys [?]
S1 MpKsled0fceeb;MpKsled0fceeb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-542624359-4108094095-3092757597-1006Core.job
- c:\documents and settings\Eric Grafnitz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-24 19:53]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-542624359-4108094095-3092757597-1006UA.job
- c:\documents and settings\Eric Grafnitz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-24 19:53]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://securera-pilot.edwardjones.com/ ... ,1218,2305
FF - ProfilePath - c:\documents and settings\Eric Grafnitz\Application Data\Mozilla\Firefox\Profiles\tpzzymco.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/reader/view/?hl=e ... rview-page
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Eric Grafnitz\Application Data\Move Networks
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-itlntfy - itlnfw32.dll
AddRemove-12133444-BF36-4d4e-B7FB-A3424C645DE4 - c:\program files\GemMaster\uninstallgemmaster.exe
AddRemove-Soulseek2 - c:\program files\Soulseek-Test\uninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Eric Grafnitz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(912)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\windows\system32\Rundll32.exe
c:\progra~1\AIM\AIMWDI~1.EXE
c:\docume~1\ERICGR~1\LOCALS~1\Temp\clclean.0001
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-04-23 16:46:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-23 21:46
.
Pre-Run: 290,418,376,704 bytes free
Post-Run: 290,399,105,024 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - EEFB13F58BF745A1308B0F56181F176B

Re: Malware / Browser Hijack

Unread postby Gary R » April 24th, 2011, 1:59 am

  • Double click OTL.exe to launch the programme. If it won't run, rename it OTL.com and then try.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
c:\windows\system32\dosxt.dll
C:\Documents and Settings\Eric Grafnitz\Application Data\Sun\eidbkzw.dll 
C:\WINDOWS\wistap.dll
c:\docume~1\ERICGR~1\LOCALS~1\Temp\clclean.0001
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000

:OTL
DRV - [2010/09/22 14:19:02 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
FF - prefs.js..extensions.enabledItems: afurladvisor@anchorfree.com:1.0
[2011/04/16 20:46:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
Hosts file not found
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O35 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006..exefile [open] -- "C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %*
O37 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\...exe [@ = exefile] -- "C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "%1" %* (Microsoft Corporation)
[2011/04/22 17:26:25 | 000,352,256 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe
[2011/04/22 17:28:22 | 000,014,312 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l
[2011/04/22 17:28:22 | 000,014,312 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l
[2011/04/22 17:26:25 | 000,352,256 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe
[2011/04/22 17:20:58 | 000,000,300 | -HS- | M] () -- C:\WINDOWS\tasks\jwccakvf.job
[2011/04/22 16:17:35 | 000,013,744 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/22 14:12:48 | 000,013,784 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\id5r608u0y766487y835r86i12c32u8
[2011/04/22 14:11:55 | 000,013,650 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\168794355
[2011/04/22 14:06:28 | 000,013,788 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\168794355
[2011/04/20 19:17:26 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Eric Grafnitz\Desktop\nznfq0zd.exe
[2011/04/16 04:30:07 | 000,017,406 | -HS- | M] () -- C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj
[2011/04/16 04:30:07 | 000,017,406 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj
[2011/04/14 17:59:28 | 000,000,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/03/02 19:32:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric Grafnitz\Application Data\Xuilc

:Commands
[resethosts]
[emptytemp]
[emptyflash]


  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.

Next

Run a new scan with Malwarebytes Anti-Malware and post me the log from that please (don't forget to update before you scan).

Next

Please download Rootkit Unhooker and extract it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, Files, and Code Hooks.
  • Uncheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait till the scanner has finished, then go File > Save Report.
  • Save the report somewhere you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Summary of the logs I need from you in your next post:
  • OTL log
  • MBAM log
  • RKU log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21866
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Unread postby EricArsenal » April 24th, 2011, 12:32 pm

All processes killed
========== FILES ==========
c:\windows\system32\dosxt.dll moved successfully.
File\Folder C:\Documents and Settings\Eric Grafnitz\Application Data\Sun\eidbkzw.dll not found.
C:\WINDOWS\wistap.dll moved successfully.
c:\docume~1\ERICGR~1\LOCALS~1\Temp\clclean.0001 moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Eric Grafnitz\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Eric Grafnitz\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\AvgUninstallURL deleted successfully.
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"FirewallOverride"|dword:00000000 /E : value set successfully!
Unable to set value : HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\\"EnableFirewall"|dword:00000001 /E!
Unable to set value : HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\\"DisableNotifications"|dword:00000000 /E!
========== OTL ==========
Service taphss stopped successfully!
Service taphss deleted successfully!
C:\WINDOWS\system32\drivers\taphss.sys moved successfully.
Prefs.js: afurladvisor@anchorfree.com:1.0 removed from extensions.enabledItems
C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlntfy\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\'' updated successfully.
File "C:\Documents and Settings\NetworkService\Local Settings\Application Data\fix.exe" -a "%1" %* not found.
Registry value HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006_Classes\exefile\shell\open\command\\'' updated successfully.
File "C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe" -a "%1" %* not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\shell\open\command\\|"%1" %* /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006_Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006_Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
File C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe not found.
C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l moved successfully.
C:\Documents and Settings\All Users\Application Data\0p2qn556s0rgj5dd5gix5mv4o34sc6v01l moved successfully.
File C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\grk.exe not found.
File C:\WINDOWS\tasks\jwccakvf.job not found.
C:\Documents and Settings\All Users\Application Data\id5r608u0y766487y835r86i12c32u8 moved successfully.
C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\id5r608u0y766487y835r86i12c32u8 moved successfully.
C:\Documents and Settings\All Users\Application Data\168794355 moved successfully.
C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\168794355 moved successfully.
C:\Documents and Settings\Eric Grafnitz\Desktop\nznfq0zd.exe moved successfully.
C:\Documents and Settings\Eric Grafnitz\Local Settings\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj moved successfully.
C:\Documents and Settings\All Users\Application Data\7mcx1ti20p1542c5h7ji1p1410efrfj moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756 moved successfully.
C:\Documents and Settings\Eric Grafnitz\Application Data\Xuilc folder moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Eric Grafnitz
->Temp folder emptied: 1580972 bytes
->Temporary Internet Files folder emptied: 2514739 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 48806019 bytes
->Google Chrome cache emptied: 6099312 bytes
->Apple Safari cache emptied: 14336 bytes
->Flash cache emptied: 18671 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 655494 bytes
->Flash cache emptied: 1362 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6317066 bytes
->Java cache emptied: 841 bytes
->Flash cache emptied: 7941 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2281517 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 65.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Eric Grafnitz
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04242011_085309

Files\Folders moved on Reboot...
C:\Documents and Settings\Eric Grafnitz\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully.
C:\Documents and Settings\Eric Grafnitz\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully.

Registry entries deleted on Reboot...
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm
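A small triage helper for a fix log in the format Eric posted above. This is added example code, not part of the thread and not OTL's own tooling; the log it parses is a constructed sample in the same shape, with the `HKLM\~\...` key string copied as OTL printed it. It groups each result line by section and outcome and pulls out the registry writes OTL reported it could not apply (in the real log above, the two firewall-policy values), which are the items a helper has to re-check before moving on.

```python
import re

# Constructed sample in the shape of the OTL fix log posted above (not the real log).
SAMPLE_LOG = r"""All processes killed
========== FILES ==========
c:\windows\system32\dosxt.dll moved successfully.
File\Folder C:\Documents and Settings\User\Application Data\Sun\eidbkzw.dll not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\AvgUninstallURL deleted successfully.
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
Unable to set value : HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\\"EnableFirewall"|dword:00000001 /E!
========== OTL ==========
Service taphss deleted successfully!
File C:\WINDOWS\tasks\jwccakvf.job not found.
========== COMMANDS ==========
HOSTS file reset successfully
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
# Shape of a failed registry write: Unable to set value : <key>\\"<name>"|<type:data> /E!
FAILED_SET_RE = re.compile(r'^Unable to set value : (.+?)\\\\"([^"]+)"\|(\w+:\w+)')

def triage_otl_fix_log(text):
    """Sort each result line by section and outcome; unmatched lines (e.g. "All processes killed") are ignored."""
    report, section = {}, "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        bucket = report.setdefault(section, {"ok": [], "not_found": [], "failed": []})
        if line.startswith("Unable to"):
            bucket["failed"].append(line)
        elif line.endswith("not found."):
            bucket["not_found"].append(line)
        elif "successfully" in line:
            bucket["ok"].append(line)
    return report

def parse_failed_set(line):
    """Key, value name and data of an 'Unable to set value' line, or None if it is not one."""
    m = FAILED_SET_RE.match(line)
    return {"key": m.group(1), "name": m.group(2), "data": m.group(3)} if m else None

def follow_up_items(text):
    """The registry writes OTL could not apply: the items a helper has to redo or verify."""
    report = triage_otl_fix_log(text)
    return [parse_failed_set(l) for bucket in report.values() for l in bucket["failed"]]
```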