Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hand-Me-Down Laptop Infected *Almost Clean*

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 11th, 2011, 1:50 pm

I got this laptop from my older brother when he moved away. But it was crawling with viruses, I don't wanna know what he did with it. I have been trying for a while now to clean it. I downloaded many anti-virus programs and ran them all. I then uninstalled everything. Then I went through every folder on the computer and deleted everything. I also ran CCleaner. I have left Ad-Aware and Kaspersky, Ad-Aware could not find the last few viruses and Kaspersky was only a trial and so would not delete them. There were about 6 problem viruses left. So I looked for each one manually and deleted them. I have only a few problems left:

Links (especially all from Google) redirect to spam sites.

I cannot download any programs, they stop as soon as they start. If I restart them they download (some progress, before they wouldn't even do that) but vanish when they finish.

Opera has similar problems, IE8 just redirects all websites to 'http:///' and "address not valid".

On startup I get two error messages:
The first:
Windows cannot find 'C:\DOCUME-1\Hawk\LOCALS-1\Temp\csrss.exe'. Make sure you types the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

And when I cancel it I get another:
Could not load or run 'C:\DOCUME-1\Hawk\LOCALS-1\Temp\csrss.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

I had a third but I guess the registry cleaning on CCleaner took care of it, I wonder why it didn't fix this one.
It's searching for csrss.exe the file that Kaspersky told me was infected and that I deleted.

This probably means some other program is searching for it. Task Manager shows some strange programs (I don't recognize any and they have random letters for names) that I cannot stop or delete.

My Logs:




DDS.txt

.
DDS (Ver_2011-06-11.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Hawk at 13:11:20 on 2011-06-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.584 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:51636
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWindows: Load=c:\docume~1\hawk\locals~1\temp\csrss.exe
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: {75e6f3c0-a80f-43ab-fcae-61b3387961a6} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mExplorerRun: [flkxx] c:\docume~1\hawk\locals~1\temp\4ilrkwl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/sh ... wflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8A20633A-4319-4881-B6D9-D8A895B631FE} : DhcpNameServer = 192.168.1.1
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hawk\application data\mozilla\firefox\profiles\1pz6loem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... 2786678&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51636
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-1 64512]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-1 475736]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-1 2151128]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]
.
=============== Created Last 30 ================
.
2011-06-10 16:05:36 -------- d-----w- c:\program files\CCleaner
2011-06-10 15:55:54 -------- d-----w- c:\documents and settings\hawk\local settings\application data\Mozilla
2011-06-10 15:44:24 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-06-10 15:44:16 -------- d-----w- c:\program files\msn gaming zone
2011-06-10 15:44:16 -------- d-----w- c:\program files\common files\speechengines
2011-06-10 15:44:16 -------- d-----w- c:\program files\common files\mssoap
2011-06-01 14:41:31 221184 ----a-w- c:\windows\system32\wmpns.dll
.
==================== Find3M ====================
.
2011-04-07 07:59:03 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-05 03:33:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-04 21:13:05 0 ----a-w- c:\windows\Uzisezup.bin
2011-04-02 01:17:13 1519 ---h--w- c:\windows\fonts\mlog
2011-04-01 21:57:32 40 ----a-w- c:\windows\system32\service.sys
2011-04-01 21:54:13 90112 --sha-r- c:\windows\system32\d3d9W.dll
2011-04-01 07:22:02 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
============= FINISH: 13:12:01.34 ===============












Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-11.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/8/2010 7:05:49 PM
System Uptime: 6/11/2011 12:56:50 PM (1 hours ago)
.
Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | U1 | 1595/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 71.715 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_27A2&SUBSYS_FF101179&REV_03\3&B1BFB68&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_27A2&SUBSYS_FF101179&REV_03\3&B1BFB68&0&10
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_27A6&SUBSYS_FF101179&REV_03\3&B1BFB68&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_27A6&SUBSYS_FF101179&REV_03\3&B1BFB68&0&11
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_3026&SUBSYS_11790001&REV_1007\4&1E09AF89&0&0101
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_3026&SUBSYS_11790001&REV_1007\4&1E09AF89&0&0101
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF101179&REV_00\4&6B16D5B&0&32F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF101179&REV_00\4&6B16D5B&0&32F0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_FF101179&REV_02\4&6B16D5B&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_FF101179&REV_02\4&6B16D5B&0&40F0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_FF101179&REV_02\3&B1BFB68&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_FF101179&REV_02\3&B1BFB68&0&FB
Service:
.
==== System Restore Points ===================
.
RP1: 4/1/2011 8:03:27 PM - System Checkpoint
RP2: 4/1/2011 10:18:53 PM - Restore Operation
RP3: 4/1/2011 10:26:17 PM - Installed Kaspersky Anti-Virus 2011.
RP4: 4/2/2011 10:41:27 AM - Removed MrvlUsgTracking
RP5: 4/2/2011 10:49:28 AM - Software Distribution Service 3.0
RP6: 4/3/2011 2:13:39 AM - Software Distribution Service 3.0
RP7: 4/4/2011 5:44:32 PM - System Checkpoint
RP8: 4/5/2011 9:33:03 PM - System Checkpoint
RP9: 4/6/2011 11:05:53 PM - System Checkpoint
RP10: 4/8/2011 10:49:07 PM - System Checkpoint
RP11: 4/9/2011 11:55:00 PM - System Checkpoint
RP12: 4/11/2011 2:03:38 PM - System Checkpoint
RP13: 4/12/2011 6:54:00 PM - System Checkpoint
RP14: 4/13/2011 7:38:09 PM - System Checkpoint
RP15: 4/13/2011 11:02:20 PM - Software Distribution Service 3.0
RP16: 4/15/2011 9:35:55 PM - System Checkpoint
RP17: 4/16/2011 10:50:32 PM - System Checkpoint
RP18: 4/17/2011 11:55:04 PM - System Checkpoint
RP19: 4/19/2011 12:02:05 AM - System Checkpoint
RP20: 4/20/2011 11:26:10 AM - System Checkpoint
RP21: 4/22/2011 12:19:33 AM - System Checkpoint
RP22: 4/23/2011 12:23:51 AM - System Checkpoint
RP23: 4/24/2011 12:40:37 AM - System Checkpoint
RP24: 4/25/2011 8:11:30 PM - System Checkpoint
RP25: 4/26/2011 11:18:26 PM - Software Distribution Service 3.0
RP26: 4/27/2011 11:46:05 PM - System Checkpoint
RP27: 4/29/2011 6:18:59 PM - System Checkpoint
RP28: 4/30/2011 7:38:58 PM - System Checkpoint
RP29: 5/1/2011 8:44:03 PM - System Checkpoint
RP30: 5/10/2011 7:57:30 PM - System Checkpoint
RP31: 5/13/2011 11:18:26 PM - System Checkpoint
RP32: 5/14/2011 1:51:23 AM - Software Distribution Service 3.0
RP33: 5/15/2011 5:06:12 PM - System Checkpoint
RP34: 5/21/2011 8:57:08 PM - System Checkpoint
RP35: 5/22/2011 8:57:44 PM - System Checkpoint
RP36: 5/24/2011 8:38:35 PM - System Checkpoint
RP37: 5/25/2011 9:39:35 PM - System Checkpoint
RP38: 5/27/2011 8:57:52 PM - System Checkpoint
RP39: 5/28/2011 10:24:18 PM - System Checkpoint
RP40: 5/29/2011 10:41:44 PM - System Checkpoint
RP41: 5/31/2011 12:06:07 AM - System Checkpoint
RP42: 6/1/2011 12:19:15 PM - System Checkpoint
RP43: 6/2/2011 2:34:12 PM - System Checkpoint
RP44: 6/4/2011 9:35:33 AM - System Checkpoint
RP45: 6/5/2011 9:36:47 PM - System Checkpoint
RP46: 6/6/2011 10:26:08 PM - System Checkpoint
RP47: 6/7/2011 11:16:57 PM - System Checkpoint
RP48: 6/10/2011 9:41:35 AM - Removed Ask Toolbar.
RP49: 6/10/2011 10:17:17 AM - Removed System Requirements Lab CYRI
RP50: 6/10/2011 10:18:55 AM - Removed HPCarePackCore
RP51: 6/10/2011 10:25:17 AM - Removed HPSSupply
RP52: 6/10/2011 10:25:45 AM - Removed MSXML 4.0 SP2 (KB954430)
RP53: 6/10/2011 10:28:52 AM - Removed MSXML 4.0 SP2 (KB973688)
RP54: 6/10/2011 11:54:53 AM - Software Distribution Service 3.0
RP55: 6/11/2011 12:05:45 PM - System Checkpoint
.
==== Installed Programs ======================
.
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
CCleaner
Foxit Reader
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP LaserJet P1000 series
HPCarePackProducts
Intel(R) PROSet/Wireless Software
Java Auto Updater
Java(TM) 6 Update 20
Kaspersky Anti-Virus 2011
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
mIWA
mLogView
mMHouse
Mozilla Firefox (3.6.17)
mPfMgr
mPfWiz
mProSafe
mWlsSafe
mXML
mZConfig
NVIDIA Drivers
OpenOffice.org 3.2
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB923789)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.7
WebFldrs XP
Windows Internet Explorer 8
WinRAR 4.00 beta 2 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
6/10/2011 9:38:18 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
6/10/2011 9:38:18 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\HP\Dfawep\bin\MFC80U.DLL. Reference error message: The operation completed successfully. .
6/10/2011 9:38:18 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
6/10/2011 9:26:44 AM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The system cannot find the file specified.
6/10/2011 9:26:44 AM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
6/10/2011 9:26:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Anti-Virus Service service to connect.
6/10/2011 9:26:44 AM, error: Service Control Manager [7000] - The Kaspersky Anti-Virus Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/10/2011 11:45:43 AM, error: Dhcp [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 001302D0BF80 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
6/10/2011 11:19:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/10/2011 11:14:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/10/2011 11:14:46 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/10/2011 11:13:55 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec kl2 KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/10/2011 11:13:55 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/10/2011 11:13:55 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/10/2011 11:13:55 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/10/2011 11:13:55 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/10/2011 10:19:02 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America
Advertisement
Register to Remove

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 14th, 2011, 2:30 pm

Checking your log - back soon.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 14th, 2011, 2:40 pm

Hi Spawn,

multiple Anti Virus programs

  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
    Lavasoft Ad-Watch Live! Anti-Virus
    Kaspersky Anti-Virus
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  • Please remove one of them. then reboot

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on the your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 15th, 2011, 4:08 pm

Hello deltalima,

You don't need the MGADiag and CK Scanner logs?



OTL
----


OTL logfile created on: 6/15/2011 1:35:02 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Hawk\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.98 Mb Total Physical Memory | 521.11 Mb Available Physical Memory | 51.39% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 86.98% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 71.72 Gb Free Space | 64.16% Space Free | Partition Type: NTFS

Computer Name: SERPENTINE | User Name: Hawk | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Hawk\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE (Software 2000 Limited)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Hawk\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (itlperf) -- File not found
SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)


========== Driver Services (SafeList) ==========

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51636

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: " "
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 51636
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\extensions\\{C0CBEED6-8E87-468B-ABF2-CC69A9E1523F}: C:\Documents and Settings\Hawk\Local Settings\Application Data\{C0CBEED6-8E87-468B-ABF2-CC69A9E1523F}
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/17 22:31:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/17 22:31:43 | 000,000,000 | ---D | M]

[2010/12/02 21:04:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Extensions
[2011/06/15 13:14:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions
[2011/03/20 18:49:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/01 22:19:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
[2011/04/01 22:19:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions\engine@conduit.com
[2011/03/20 19:02:04 | 000,000,863 | ---- | M] () -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\searchplugins\conduit.xml
[2011/03/22 12:59:32 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\searchplugins\the-pirate-bay.xml
[2011/06/15 13:14:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/11 19:55:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/01/11 19:55:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/01/11 19:55:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/04/01 22:45:40 | 000,000,779 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O2 - BHO: (no name) - {75e6f3c0-a80f-43ab-fcae-61b3387961a6} - No CLSID value found.
O3 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
F3 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004 WinNT: Load - (C:\DOCUME~1\Hawk\LOCALS~1\Temp\csrss.exe) - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: flkxx = C:\DOCUME~1\Hawk\LOCALS~1\Temp\4ilrkwl.exe
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/sh ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - File not found
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/08 20:03:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/15 13:32:59 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Hawk\Desktop\OTL.exe
[2011/06/15 13:30:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/06/15 13:30:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/06/15 13:28:21 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Hawk\Desktop\MGADiag.exe
[2011/06/15 12:50:32 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/06/11 13:41:18 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Hawk\PrivacIE
[2011/06/11 13:11:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2011/06/11 13:11:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Hawk\Start Menu\Programs\Administrative Tools
[2011/06/11 13:07:52 | 000,607,249 | R--- | C] (Swearware) -- C:\Documents and Settings\Hawk\Desktop\dds.scr
[2011/06/10 14:11:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Hawk\Recent
[2011/06/10 12:19:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Application Data\Macromedia
[2011/06/10 12:19:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Application Data\Adobe
[2011/06/10 12:05:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/06/10 12:05:36 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/06/10 11:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla
[2011/06/10 11:55:16 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/06/10 11:52:17 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Hawk\Desktop\HijackThis.exe
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\system
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\speechengines
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\outlook express
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\mssoap
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\microsoft shared
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files
[2011/06/10 11:09:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Desktop\CKDV
[2011/05/21 16:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Desktop\Docs
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/15 13:32:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Hawk\Desktop\OTL.exe
[2011/06/15 13:30:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/15 13:28:22 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Hawk\Desktop\MGADiag.exe
[2011/06/15 13:26:13 | 000,453,632 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\CKScanner.exe
[2011/06/15 13:23:00 | 000,000,244 | -H-- | M] () -- C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
[2011/06/15 12:55:40 | 000,000,328 | -HS- | M] () -- C:\WINDOWS\tasks\MYDINU.job
[2011/06/15 12:55:36 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/06/15 12:55:35 | 000,000,294 | -HS- | M] () -- C:\WINDOWS\tasks\VGDUSHJ.job
[2011/06/15 12:55:35 | 000,000,278 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/06/15 12:55:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/15 12:43:23 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/06/15 12:43:23 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/06/11 21:36:27 | 000,000,117 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View forum - Malware Removal.URL
[2011/06/11 21:36:00 | 000,000,088 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View topic - Hand-Me-Down Laptop Infected Almost Clean.URL
[2011/06/11 16:41:57 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/11 14:09:01 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Hawk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/11 13:06:58 | 000,607,249 | R--- | M] (Swearware) -- C:\Documents and Settings\Hawk\Desktop\dds.scr
[2011/06/11 12:39:00 | 000,000,314 | ---- | M] () -- C:\WINDOWS\tasks\HP WEP.job
[2011/06/10 12:05:37 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/06/10 12:01:23 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Hawk\Desktop\HijackThis.exe
[2011/06/01 10:41:37 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Hawk\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/15 13:26:14 | 000,453,632 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\CKScanner.exe
[2011/06/11 21:36:27 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View forum - Malware Removal.URL
[2011/06/11 21:36:00 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View topic - Hand-Me-Down Laptop Infected Almost Clean.URL
[2011/06/10 22:13:13 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Hawk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/10 12:05:37 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/06/10 09:38:19 | 000,000,314 | ---- | C] () -- C:\WINDOWS\tasks\HP WEP.job
[2011/06/01 10:41:37 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Hawk\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/04/22 23:10:32 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/22 23:10:32 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/04/01 23:33:04 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/04/01 17:57:32 | 000,000,040 | ---- | C] () -- C:\WINDOWS\System32\service.sys
[2011/04/01 17:57:14 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\winset.ini
[2011/04/01 17:57:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bjufejukozehujoj.dat
[2011/04/01 17:57:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uzisezup.bin
[2011/04/01 17:54:13 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\d3d9W.dll
[2011/03/14 19:47:33 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/01/11 23:57:45 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2010/12/14 21:06:53 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/02 21:04:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/28 12:55:39 | 000,000,533 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2010/11/11 20:21:50 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ1.dat
[2010/11/11 20:21:50 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ0.dat
[2010/11/11 20:21:46 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/11/11 20:21:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/11/08 20:05:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/08 20:00:23 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/08 14:22:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/08 14:20:46 | 000,135,664 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,441,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,071,462 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/14 08:00:00 | 000,000,009 | ---- | C] () -- C:\WINDOWS\System32\comsats.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Hawk\Desktop\HijackThis.exe:SummaryInformation

< End of report >











Extras
------

OTL Extras logfile created on: 6/15/2011 1:35:02 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Hawk\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.98 Mb Total Physical Memory | 521.11 Mb Available Physical Memory | 51.39% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 86.98% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 71.72 Gb Free Space | 64.16% Space Free | Partition Type: NTFS

Computer Name: SERPENTINE | User Name: Hawk | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Paradox\Crusader Kings Deus Vult\Crusaders.exe" = C:\Program Files\Paradox\Crusader Kings Deus Vult\Crusaders.exe:*:Enabled:Crusader Kings
"C:\Documents and Settings\Hawk\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Hawk\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox
"C:\Program Files\Dyyno\Dyyno Broadcaster\dppm_source.exe" = C:\Program Files\Dyyno\Dyyno Broadcaster\dppm_source.exe:*:Enabled:Dyyno Broadcaster
"C:\Program Files\Dyyno\Dyyno Broadcaster\dgcsrv.exe" = C:\Program Files\Dyyno\Dyyno Broadcaster\dgcsrv.exe:*:Enabled:Dyyno Broadcaster
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{90CC4231-94AC-45CD-991A-0253BFAC0650}" = mDrWiFi
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{ECA31632-C2AD-4774-A3CA-2813D47E4DD0}" = HPCarePackProducts
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"Foxit Reader" = Foxit Reader
"HP LaserJet P1000 series" = HP LaserJet P1000 series
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel(R) PROSet/Wireless Software
"VLC media player" = VLC media player 1.1.7
"WinRAR archiver" = WinRAR 4.00 beta 2 (32-bit)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/10/2011 12:17:07 PM | Computer Name = SERPENTINE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
. Error code = 0x80131047

Error - 6/10/2011 12:17:07 PM | Computer Name = SERPENTINE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
. Error code = 0x80131047

Error - 6/10/2011 12:17:08 PM | Computer Name = SERPENTINE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
. Error code = 0x80131047

Error - 6/10/2011 10:12:41 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 8:36:26 AM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 12:55:33 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 1:00:18 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 6:41:33 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/15/2011 12:43:22 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/15/2011 12:43:43 PM | Computer Name = SERPENTINE | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 6/11/2011 12:57:27 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/11/2011 12:57:27 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 6/11/2011 6:41:16 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/11/2011 6:41:16 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 6/15/2011 12:43:16 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/15/2011 12:43:16 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 6/15/2011 12:53:44 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/15/2011 12:53:44 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 6/15/2011 12:55:35 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/15/2011 12:55:35 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126


< End of report >







GMER
-----

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-15 15:11:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541612J9SA00 rev.SBDOC70P
Running: vtszeemk.exe; Driver: C:\DOCUME~1\Hawk\LOCALS~1\Temp\uxliaaoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76B887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76B8BFE]

---- EOF - GMER 1.0.15 ----
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 15th, 2011, 4:14 pm

You don't need the MGADiag and CK Scanner logs?


Yes, please post them.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 15th, 2011, 7:06 pm

CK Scanner
-----------

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----





MGADiag
............

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-X7RCG-2BKXH-FTYFG
Windows Product Key Hash: E85RbmAMHKDeD6Q/OXShIoF4zfU=
Windows Product ID: 76477-OEM-2152783-71526
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {68456F8A-EE3D-4CC9-858C-3687F81C9FB6}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-7001_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_78155E4D-232-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: http=127.0.0.1:51636
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{68456F8A-EE3D-4CC9-858C-3687F81C9FB6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-FTYFG</PKey><PID>76477-OEM-2152783-71526</PID><PIDType>3</PIDType><SID>S-1-5-21-746137067-1326574676-1417001333</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Satellite A105</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>1.90 </Version><SMBIOSVersion major="2" minor="31"/><Date>20060705000000.000000+000</Date></BIOS><HWID>6E353A07018400EE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 80EE:HITACHI, Ltd|80EE:HITACHI, Ltd|80EE:HITACHI, Ltd|1297D:Semp Toshiba Informatica Ltda|1297D:TOSHIBA CORPORATION
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 16th, 2011, 4:07 am

Hi Spawn,

Your copy of Windows has not been validated.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :processes
    killallprocesses
    :otl
    IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51636
    :commands
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Now use Internet Explorer to visit here

Follow the instructions to validate Windows and install all available security updates.

Next run a new scan with MGADiag and post the log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 16th, 2011, 11:57 am

OTL
----

========== PROCESSES ==========
All processes killed
========== OTL ==========
HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.24.0 log created on 06162011_112254

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...






MGADiag
--------

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-X7RCG-2BKXH-FTYFG
Windows Product Key Hash: E85RbmAMHKDeD6Q/OXShIoF4zfU=
Windows Product ID: 76477-OEM-2152783-71526
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {68456F8A-EE3D-4CC9-858C-3687F81C9FB6}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{68456F8A-EE3D-4CC9-858C-3687F81C9FB6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-FTYFG</PKey><PID>76477-OEM-2152783-71526</PID><PIDType>3</PIDType><SID>S-1-5-21-746137067-1326574676-1417001333</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Satellite A105</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>1.90 </Version><SMBIOSVersion major="2" minor="31"/><Date>20060705000000.000000+000</Date></BIOS><HWID>6E353A07018400EE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 80EE:HITACHI, Ltd|80EE:HITACHI, Ltd|80EE:HITACHI, Ltd|1297D:Semp Toshiba Informatica Ltda|1297D:TOSHIBA CORPORATION
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 16th, 2011, 2:01 pm

Hi Spawn,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :processes
    killallprocesses
    :otl
    SRV - (itlperf) -- File not found
    SRV - (HidServ) -- File not found
    SRV - (AppMgmt) -- File not found
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}"
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 51636
    FF - prefs.js..network.proxy.type: 4
    O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
    O2 - BHO: (no name) - {75e6f3c0-a80f-43ab-fcae-61b3387961a6} - No CLSID value found.
    O3 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: flkxx = C:\DOCUME~1\Hawk\LOCALS~1\Temp\4ilrkwl.exe
    F3 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004 WinNT: Load - (C:\DOCUME~1\Hawk\LOCALS~1\Temp\csrss.exe) - File not found
    O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - File not found
    O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Hawk\Desktop\HijackThis.exe:SummaryInformation
    :commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 16th, 2011, 4:09 pm

Hello deltalima,

The error messages are all gone.
Malwarebytes is amazing though. None of the other scanners found any more malware. MBAM found 9!

Internet Explorer works again. But Firefox and now Internet Explorer both have the same problems. Links redirect to spam and I can't download anything. But everything else seems fine.

Should I uninstall FF and reinstall? Since both are doing it it doesn't seem like its a browser problem though.




All processes killed
========== PROCESSES ==========
========== OTL ==========
Service itlperf stopped successfully!
Service itlperf deleted successfully!
File File not found not found.
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File File not found not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File File not found not found.
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=" removed from keyword.URL
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 51636 removed from network.proxy.http_port
Prefs.js: 4 removed from network.proxy.type
173.192.170.88 drghwaweg45j4i6u3q32fg2h.com removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75e6f3c0-a80f-43ab-fcae-61b3387961a6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75e6f3c0-a80f-43ab-fcae-61b3387961a6}\ not found.
Registry value HKEY_USERS\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\flkxx deleted successfully.
Registry value HKEY_USERS\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\DOCUME~1\Hawk\LOCALS~1\Temp\csrss.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlnfw32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlntfy\ deleted successfully.
ADS C:\Documents and Settings\Hawk\Desktop\HijackThis.exe:SummaryInformation deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Hawk
->Temp folder emptied: 902659 bytes
->Temporary Internet Files folder emptied: 2284870 bytes
->Java cache emptied: 7020 bytes
->FireFox cache emptied: 43925584 bytes
->Flash cache emptied: 2297 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3874892 bytes
->Flash cache emptied: 1211 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 56717015 bytes
->Flash cache emptied: 32826 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 90936162 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 192.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Hawk
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.24.0 log created on 06162011_145451

Files\Folders moved on Reboot...
C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...










Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6872

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/16/2011 3:50:59 PM
mbam-log-2011-06-16 (15-50-59).txt

Scan type: Quick scan
Objects scanned: 138402
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Q8PS7ZCLN6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\guyik45hbh.txt (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\service.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 16th, 2011, 4:21 pm

Hi Spawn,

Should I uninstall FF and reinstall? Since both are doing it it doesn't seem like its a browser problem though.


No, don't uninstall FF. The computer is still not clean, we need to go further.

Run Combofix

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures, if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 16th, 2011, 5:22 pm

Hello deltalima,
I forgot to mention, about how the system is, task manager still show tons of strange programs running.
I know we're not done, just wanted to let you know.



ComboFix 11-06-16.01 - Hawk 06/16/2011 17:02:18.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.733 [GMT -4:00]
Running from: c:\documents and settings\Hawk\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Hawk\ComboFix.exe
c:\windows\Fonts\mlog
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 19:35 . 2011-06-16 19:35 -------- d-----w- c:\documents and settings\Hawk\Application Data\Malwarebytes
2011-06-16 19:35 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-16 19:35 . 2011-06-16 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-16 19:35 . 2011-06-16 19:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-16 19:35 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 15:22 . 2011-06-16 15:22 -------- d-----w- C:\_OTL
2011-06-15 17:30 . 2011-06-15 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-06-11 17:41 . 2011-06-11 17:41 -------- d-sh--w- c:\documents and settings\Hawk\PrivacIE
2011-06-10 16:05 . 2011-06-10 16:05 -------- d-----w- c:\program files\CCleaner
2011-06-10 15:55 . 2011-06-10 15:55 -------- d-----w- c:\documents and settings\Hawk\Local Settings\Application Data\Mozilla
2011-06-10 15:55 . 2011-06-10 15:55 -------- d-----w- c:\program files\Reference Assemblies
2011-06-10 15:44 . 2011-06-10 15:44 -------- d-----w- c:\program files\microsoft frontpage
2011-06-01 14:41 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2010-11-09 00:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-18 10:23 . 2011-04-02 03:33 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-05 03:33 . 2011-04-05 03:33 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-01 07:22 . 2011-04-02 03:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/1/2011 11:09 PM 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 3:22 AM 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 3:22 AM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/16/2011 3:35 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 09:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}\Ad-Aware90Install.exe
AddRemove-HP LaserJet P1000 series - c:\program files\Avago-HP\{c7341326-cfab-4936-bf41-faf82b958e55}\uninstall.exe
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}\Ad-Aware90Install.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 17:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1868)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2011-06-16 17:17:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 21:16
.
Pre-Run: 76,811,923,456 bytes free
Post-Run: 76,716,199,936 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 2789F25612673018CE6A283B48FB197F
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 16th, 2011, 5:40 pm

Hi Spawn,

task manager still show tons of strange programs running


Lets's see what those programs are.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, a Notepad file will open.

Please post the contents of the Notepad file in your next reply.

TDSSKiller

  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Important!: Run this fix once and once only.
  • Double click the TDSSKiller icon on you're desktop then click Start scan.
  • A box will appear saying System scan completed.
  • If any Malicious objects are found click Cure > Continue > Reboot now.
  • A log file should be created on your C: drive named something like TDSSKiller.2.4.0.0 24.07.2010.
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby Spawn » June 16th, 2011, 6:05 pm

OTL logfile created on: 6/16/2011 5:55:42 PM - Run 2
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Hawk\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.98 Mb Total Physical Memory | 497.85 Mb Available Physical Memory | 49.10% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.32% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 71.46 Gb Free Space | 63.93% Space Free | Partition Type: NTFS

Computer Name: SERPENTINE | User Name: Hawk | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Hawk\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE (Software 2000 Limited)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Hawk\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: " "
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\extensions\\{C0CBEED6-8E87-468B-ABF2-CC69A9E1523F}: C:\Documents and Settings\Hawk\Local Settings\Application Data\{C0CBEED6-8E87-468B-ABF2-CC69A9E1523F}
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/17 22:31:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/17 22:31:43 | 000,000,000 | ---D | M]

[2010/12/02 21:04:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Extensions
[2011/06/15 13:14:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions
[2011/03/20 18:49:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/01 22:19:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
[2011/04/01 22:19:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\extensions\engine@conduit.com
[2011/03/20 19:02:04 | 000,000,863 | ---- | M] () -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\searchplugins\conduit.xml
[2011/03/22 12:59:32 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\Hawk\Application Data\Mozilla\Firefox\Profiles\1pz6loem.default\searchplugins\the-pirate-bay.xml
[2011/06/16 15:10:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/11 19:55:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/01/11 19:55:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/01/11 19:55:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/06/16 17:11:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/sh ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/08 20:03:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/16 17:56:13 | 001,441,584 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Hawk\Desktop\TDSSKiller.exe
[2011/06/16 16:58:03 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/06/16 16:55:20 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/16 16:55:20 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/16 16:55:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/16 16:55:20 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/16 16:55:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/06/16 16:55:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/16 16:38:44 | 004,129,649 | R--- | C] (Swearware) -- C:\Documents and Settings\Hawk\Desktop\ComboFix.exe
[2011/06/16 15:35:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Application Data\Malwarebytes
[2011/06/16 15:35:34 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/16 15:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/16 15:35:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/06/16 15:35:28 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/06/16 15:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/16 15:26:21 | 009,435,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Hawk\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/16 11:22:54 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/15 13:32:59 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Hawk\Desktop\OTL.exe
[2011/06/15 13:30:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/06/15 13:30:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/06/15 13:28:21 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Hawk\Desktop\MGADiag.exe
[2011/06/15 12:50:32 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/06/11 13:41:18 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Hawk\PrivacIE
[2011/06/11 13:11:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2011/06/11 13:11:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Hawk\Start Menu\Programs\Administrative Tools
[2011/06/11 13:07:52 | 000,607,249 | R--- | C] (Swearware) -- C:\Documents and Settings\Hawk\Desktop\dds.scr
[2011/06/10 14:11:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Hawk\Recent
[2011/06/10 12:19:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Application Data\Macromedia
[2011/06/10 12:19:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Application Data\Adobe
[2011/06/10 12:05:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/06/10 12:05:36 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/06/10 11:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Local Settings\Application Data\Mozilla
[2011/06/10 11:55:16 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/06/10 11:52:17 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Hawk\Desktop\HijackThis.exe
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\system
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\speechengines
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\outlook express
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\mssoap
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files\microsoft shared
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2011/06/10 11:44:16 | 000,000,000 | ---D | C] -- C:\Program Files\common files
[2011/06/10 11:09:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Desktop\CKDV
[2011/05/21 16:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hawk\Desktop\Docs

========== Files - Modified Within 30 Days ==========

[2011/06/16 17:11:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/06/16 17:10:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/16 16:58:15 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/06/16 16:40:10 | 004,129,649 | R--- | M] (Swearware) -- C:\Documents and Settings\Hawk\Desktop\ComboFix.exe
[2011/06/16 15:35:34 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/16 15:34:12 | 009,435,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Hawk\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/16 15:28:52 | 001,441,584 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Hawk\Desktop\TDSSKiller.exe
[2011/06/16 11:54:49 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/16 11:39:47 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/16 11:25:58 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/06/16 11:23:25 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\userinit.exe
[2011/06/16 11:23:13 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/06/16 11:23:13 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/06/15 21:09:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/15 13:37:44 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\vtszeemk.exe
[2011/06/15 13:32:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Hawk\Desktop\OTL.exe
[2011/06/15 13:28:22 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Hawk\Desktop\MGADiag.exe
[2011/06/15 13:26:13 | 000,453,632 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\CKScanner.exe
[2011/06/11 21:36:27 | 000,000,117 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View forum - Malware Removal.URL
[2011/06/11 21:36:00 | 000,000,088 | ---- | M] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View topic - Hand-Me-Down Laptop Infected Almost Clean.URL
[2011/06/11 14:09:01 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Hawk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/11 13:06:58 | 000,607,249 | R--- | M] (Swearware) -- C:\Documents and Settings\Hawk\Desktop\dds.scr
[2011/06/10 12:05:37 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/06/10 12:01:23 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Hawk\Desktop\HijackThis.exe
[2011/06/01 10:41:37 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Hawk\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/05/30 18:19:48 | 005,964,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2011/06/16 16:58:15 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/06/16 16:58:08 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/06/16 16:55:20 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/16 16:55:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/16 16:55:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/16 16:55:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/16 16:55:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/16 15:35:34 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/16 11:39:12 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/06/15 13:37:44 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\vtszeemk.exe
[2011/06/15 13:26:14 | 000,453,632 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\CKScanner.exe
[2011/06/11 21:36:27 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View forum - Malware Removal.URL
[2011/06/11 21:36:00 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\Hawk\Desktop\MalWare Removal • View topic - Hand-Me-Down Laptop Infected Almost Clean.URL
[2011/06/10 22:13:13 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Hawk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/10 12:05:37 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/06/01 10:41:37 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Hawk\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/04/22 23:10:32 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/22 23:10:32 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/04/01 23:33:04 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/04/01 17:57:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bjufejukozehujoj.dat
[2011/04/01 17:57:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uzisezup.bin
[2011/04/01 17:54:13 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\d3d9W.dll
[2011/03/14 19:47:33 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/01/11 23:57:45 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2010/12/14 21:06:53 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/02 21:04:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/28 12:55:39 | 000,000,533 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2010/11/11 20:21:50 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ1.dat
[2010/11/11 20:21:50 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ0.dat
[2010/11/11 20:21:46 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/11/11 20:21:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/11/08 20:05:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/08 20:00:23 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/08 14:22:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/08 14:20:46 | 000,135,664 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,441,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,071,462 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >








OTL Extras logfile created on: 6/16/2011 5:55:42 PM - Run 2
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Hawk\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.98 Mb Total Physical Memory | 497.85 Mb Available Physical Memory | 49.10% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.32% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 71.46 Gb Free Space | 63.93% Space Free | Partition Type: NTFS

Computer Name: SERPENTINE | User Name: Hawk | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-746137067-1326574676-1417001333-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{90CC4231-94AC-45CD-991A-0253BFAC0650}" = mDrWiFi
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{ECA31632-C2AD-4774-A3CA-2813D47E4DD0}" = HPCarePackProducts
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"Foxit Reader" = Foxit Reader
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel(R) PROSet/Wireless Software
"VLC media player" = VLC media player 1.1.7
"WinRAR archiver" = WinRAR 4.00 beta 2 (32-bit)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/10/2011 12:17:07 PM | Computer Name = SERPENTINE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
. Error code = 0x80131047

Error - 6/10/2011 12:17:07 PM | Computer Name = SERPENTINE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
. Error code = 0x80131047

Error - 6/10/2011 12:17:08 PM | Computer Name = SERPENTINE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
. Error code = 0x80131047

Error - 6/10/2011 10:12:41 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 8:36:26 AM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 12:55:33 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 1:00:18 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/11/2011 6:41:33 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/15/2011 12:43:22 PM | Computer Name = SERPENTINE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 6/15/2011 12:43:43 PM | Computer Name = SERPENTINE | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 6/16/2011 12:06:30 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/16/2011 12:06:30 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 6/16/2011 2:54:51 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7034
Description = The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly.
It has done this 1 time(s).

Error - 6/16/2011 2:55:02 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7034
Description = The Intel(R) PROSet/Wireless Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 6/16/2011 2:55:02 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 6/16/2011 2:55:02 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7034
Description = The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 6/16/2011 2:55:02 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 6/16/2011 3:00:05 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/16/2011 3:54:47 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2

Error - 6/16/2011 4:51:00 PM | Computer Name = SERPENTINE | Source = Service Control Manager | ID = 7023
Description = The Network Security service terminated with the following error:
%%2


< End of report >











2011/06/16 18:01:13.0203 3612 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/16 18:01:13.0546 3612 ================================================================================
2011/06/16 18:01:13.0546 3612 SystemInfo:
2011/06/16 18:01:13.0546 3612
2011/06/16 18:01:13.0546 3612 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/16 18:01:13.0546 3612 Product type: Workstation
2011/06/16 18:01:13.0546 3612 ComputerName: SERPENTINE
2011/06/16 18:01:13.0546 3612 UserName: Hawk
2011/06/16 18:01:13.0546 3612 Windows directory: C:\WINDOWS
2011/06/16 18:01:13.0546 3612 System windows directory: C:\WINDOWS
2011/06/16 18:01:13.0546 3612 Processor architecture: Intel x86
2011/06/16 18:01:13.0546 3612 Number of processors: 2
2011/06/16 18:01:13.0546 3612 Page size: 0x1000
2011/06/16 18:01:13.0546 3612 Boot type: Normal boot
2011/06/16 18:01:13.0546 3612 ================================================================================
2011/06/16 18:01:15.0328 3612 Initialize success
2011/06/16 18:01:29.0359 0624 ================================================================================
2011/06/16 18:01:29.0359 0624 Scan started
2011/06/16 18:01:29.0359 0624 Mode: Manual;
2011/06/16 18:01:29.0359 0624 ================================================================================
2011/06/16 18:01:34.0078 0624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/16 18:01:34.0468 0624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/06/16 18:01:35.0171 0624 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/16 18:01:35.0578 0624 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/06/16 18:01:36.0015 0624 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/06/16 18:01:37.0984 0624 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/06/16 18:01:39.0250 0624 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/16 18:01:39.0640 0624 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/16 18:01:40.0312 0624 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/16 18:01:40.0671 0624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/16 18:01:41.0046 0624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/16 18:01:41.0437 0624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/16 18:01:42.0046 0624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/16 18:01:42.0390 0624 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/16 18:01:42.0750 0624 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/16 18:01:43.0421 0624 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/06/16 18:01:44.0062 0624 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/06/16 18:01:45.0359 0624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/16 18:01:46.0109 0624 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/16 18:01:46.0937 0624 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/16 18:01:47.0281 0624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/16 18:01:47.0656 0624 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/16 18:01:48.0281 0624 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/16 18:01:48.0734 0624 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/16 18:01:49.0125 0624 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/06/16 18:01:49.0453 0624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/16 18:01:49.0843 0624 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/06/16 18:01:50.0250 0624 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/06/16 18:01:50.0609 0624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/16 18:01:50.0984 0624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/16 18:01:51.0359 0624 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/16 18:01:51.0781 0624 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/06/16 18:01:52.0703 0624 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/16 18:01:53.0796 0624 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/16 18:01:54.0125 0624 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/16 18:01:57.0265 0624 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/06/16 18:02:00.0843 0624 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/16 18:02:01.0187 0624 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/06/16 18:02:01.0531 0624 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/16 18:02:01.0859 0624 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/16 18:02:02.0265 0624 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/16 18:02:02.0687 0624 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/16 18:02:03.0062 0624 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/16 18:02:03.0437 0624 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/16 18:02:03.0765 0624 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/16 18:02:04.0187 0624 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/16 18:02:04.0640 0624 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/16 18:02:04.0812 0624 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/06/16 18:02:05.0234 0624 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/06/16 18:02:05.0921 0624 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/06/16 18:02:06.0562 0624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/16 18:02:06.0906 0624 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/16 18:02:07.0281 0624 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/16 18:02:07.0609 0624 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/16 18:02:08.0296 0624 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/16 18:02:08.0953 0624 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/16 18:02:09.0593 0624 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/16 18:02:10.0015 0624 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/16 18:02:10.0468 0624 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/16 18:02:10.0781 0624 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/16 18:02:11.0140 0624 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/16 18:02:11.0578 0624 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/16 18:02:12.0046 0624 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/16 18:02:12.0453 0624 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/16 18:02:12.0781 0624 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/16 18:02:13.0125 0624 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/16 18:02:13.0500 0624 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/16 18:02:13.0875 0624 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/16 18:02:14.0296 0624 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/16 18:02:15.0671 0624 NETw3x32 (50f5de54e1d1646c02078f3eddc15a8e) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
2011/06/16 18:02:16.0921 0624 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/06/16 18:02:17.0281 0624 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/16 18:02:17.0890 0624 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/16 18:02:18.0531 0624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/16 18:02:18.0859 0624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/16 18:02:19.0171 0624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/16 18:02:19.0546 0624 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/06/16 18:02:19.0921 0624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/06/16 18:02:20.0296 0624 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/16 18:02:20.0609 0624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/16 18:02:20.0953 0624 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/16 18:02:21.0562 0624 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/06/16 18:02:21.0937 0624 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/06/16 18:02:24.0187 0624 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/16 18:02:24.0531 0624 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/16 18:02:24.0875 0624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/16 18:02:26.0828 0624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/16 18:02:27.0171 0624 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/16 18:02:27.0515 0624 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/16 18:02:27.0828 0624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/16 18:02:28.0250 0624 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/16 18:02:28.0671 0624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/16 18:02:29.0093 0624 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/16 18:02:29.0500 0624 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/16 18:02:29.0906 0624 s24trans (2862adb14481ac28f98105ff33a99eb0) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/06/16 18:02:30.0375 0624 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/06/16 18:02:30.0687 0624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/16 18:02:31.0078 0624 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/06/16 18:02:31.0437 0624 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/16 18:02:32.0390 0624 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/16 18:02:32.0812 0624 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/16 18:02:33.0328 0624 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/16 18:02:33.0828 0624 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/16 18:02:34.0187 0624 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/16 18:02:35.0812 0624 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/16 18:02:36.0343 0624 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/16 18:02:36.0859 0624 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/16 18:02:37.0171 0624 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/16 18:02:37.0531 0624 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/16 18:02:38.0296 0624 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/16 18:02:39.0093 0624 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/16 18:02:39.0640 0624 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/16 18:02:40.0078 0624 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/16 18:02:40.0687 0624 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/16 18:02:41.0046 0624 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/16 18:02:41.0421 0624 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/16 18:02:41.0765 0624 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/16 18:02:42.0437 0624 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/16 18:02:42.0812 0624 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/16 18:02:43.0500 0624 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/16 18:02:43.0765 0624 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/16 18:02:44.0015 0624 ================================================================================
2011/06/16 18:02:44.0015 0624 Scan finished
2011/06/16 18:02:44.0015 0624 ================================================================================
2011/06/16 18:02:44.0062 3124 Detected object count: 0
2011/06/16 18:02:44.0062 3124 Actual detected object count: 0
2011/06/16 18:03:46.0468 1836 Deinitialize success
Spawn
Regular Member
 
Posts: 47
Joined: February 1st, 2009, 3:43 pm
Location: The United States of America

Re: Hand-Me-Down Laptop Infected *Almost Clean*

Unread postby deltalima » June 17th, 2011, 4:02 am

Hi Spawn,

Firefox and now Internet Explorer both have the same problems. Links redirect to spam and I can't download anything


Do you still have the problem with Firefox and Internet Explorer?

Are you connected to the Internet via a router?

Do any other computers in your house have the same issue?

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 64 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware