Ramnit.b, search redirect, etc.


12 replies to this topic

#1 Scott Gray
New Member (Members), 6 posts
Gender: Male, Location: Mid-Missouri

Posted 20 August 2010 - 03:45 PM

I've apparently been bitten by the Ramnit.b bug; at least that's what the Microsoft Forefront Client Security claims it is; MFCS and Antivir are the only things I've found that recognize it, but they can't get rid of it. They SAY they do, but then things show up as infected again just a few seconds later.

I've followed the steps listed here and it's still present, so here are the requested log files and my plea for assistance:


DDS (Ver_10-03-17.01) - NTFSx86
Run by graysl at 10:27:51.20 on Fri 08/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1167 [GMT -5:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\spoolsv.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\Explorer.EXE
C:\windows\RTDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Documents and Settings\graysl\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://webmail.missouri.edu/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] "c:\documents and settings\graysl\application data\zyvyy\zogi.exe"
mRun: [RTHDCPL] RTDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269973430266
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\graysl\applic~1\mozilla\firefox\profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1127
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\graysl\application data\mozilla\firefox\profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [2010-8-19 37392]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-20 11608]
R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [2010-8-19 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-20 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-20 60936]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-3-30 54752]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-3-26 209960]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-26 69616]
S1 69022311;69022311;c:\windows\system32\drivers\69022311.sys --> c:\windows\system32\drivers\69022311.sys [?]
S1 wcraceuc;wcraceuc;c:\windows\system32\drivers\wcraceuc.sys [2010-8-20 30784]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-08-20 15:05:18 30784 ----a-w- c:\windows\system32\drivers\wcraceuc.sys
2010-08-20 15:04:34 0 d-----w- c:\docume~1\graysl\applic~1\Ynwyv
2010-08-20 15:00:25 0 d-----w- c:\windows\system32\NtmsData
2010-08-20 14:55:16 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-20 14:55:12 0 d-----w- c:\program files\Avira
2010-08-20 14:55:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-08-20 14:52:56 0 d-----w- c:\program files\Unlocker
2010-08-19 19:47:02 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-19 19:34:08 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-19 18:31:19 37392 ----a-w- c:\windows\system32\drivers\69022312.sys
2010-08-19 18:31:19 315408 ----a-w- c:\windows\system32\drivers\6902231.sys
2010-08-19 17:56:29 0 d-----w- c:\program files\riv

==================== Find3M ====================

2010-08-19 21:14:39 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-19 13:12:14 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-02 13:46:36 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:04 112752435 ----a-w- c:\windows\system32\priparpo.dll
2010-06-24 12:22:04 108877220 ----a-w- c:\windows\system32\lofoyebx.dll
2010-06-24 12:22:04 107625654 ----a-w- c:\windows\system32\dllyupebx.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-02 15:40:26 23968 ----a-w- c:\windows\fonts\bt_oldstyle.ttf
2010-06-02 15:40:08 25620 ----a-w- c:\windows\fonts\bt_new_italic.ttf
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-30 23:36:28 135168 ----a-w- c:\windows\system32\bzpdfc.dll
2010-05-25 03:13:30 196096 ----a-w- c:\windows\system32\bzpdf.dll

============= FINISH: 10:30:59.50 ===============


#2 Elise
Forum Deity (Experts), 8,721 posts
Gender: Female, Location: Romania

Posted 22 August 2010 - 05:40 AM

Hello, and ;)
My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
-----------------------------------------------------------

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#3 Scott Gray
New Member (Members), 6 posts
Gender: Male, Location: Mid-Missouri

Posted 23 August 2010 - 03:23 PM

Elise,

Thank you for your time and help. I'll do my best to comply with your instructions, though there may be a snag or two; for example, when ComboFix attempted to install the Recovery Console, it downloaded it okay, then a pop-up appeared that said the Boot Drive Could Not Be Enumerated Properly. Don't know the results from that, because things went on anyway.

Also, Avira AntiVir, which was installed as part of the original "try this first" directions, keeps telling me that something called "W32/Pedalac.A" was found in various system .exe or .dll files; it seems to change around each time.

Anyway, here's the ComboFix log:

ComboFix 10-08-22.07 - graysl 08/23/2010 14:56:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.937 [GMT -5:00]
Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira
2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv
2010-08-20 15:00 . 2010-08-23 19:59 -------- d-----w- c:\windows\system32\NtmsData
2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker
2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys
2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys
2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv
2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald
2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-23 19:54 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine
2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime
2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons
2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft
2010-08-20 14:22 . 2010-04-24 18:47 203776 ----a-w- c:\documents and settings\graysl\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 13:21 . 2010-08-02 21:26 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-08-20 13:20 . 2010-04-16 15:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip
2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:22 . 2010-06-24 12:22 112752435 ----a-w- c:\windows\system32\priparpo.dll
2010-06-24 12:22 . 2010-06-24 12:22 108877220 ----a-w- c:\windows\system32\lofoyebx.dll
2010-06-24 12:22 . 2010-06-24 12:22 107625654 ----a-w- c:\windows\system32\dllyupebx.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\
Inter.cmd [2010-3-30 690]
setup_9.0.0.722_18.08.2010_17-51.lnk - c:\documents and settings\umcjourcasrcaller\Desktop\Virus Removal Tool\setup_9.0.0.722_18.08.2010_17-51\startup.exe [2010-8-19 72208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]
"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]
R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]
S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-ikiktmhbtoajjq - c:\documents and settings\graysl\local settings\application data\tqlkhavr\xefyuhf.exe
MSConfigStartUp-jyhqxntq - c:\documents and settings\graysl\Local Settings\Application Data\qsigxbyyo\clljdpftssd.exe
MSConfigStartUp-ktuiaulj - c:\documents and settings\chamberlainab\Local Settings\Application Data\xbvxrdanf\aboxsertssd.exe
MSConfigStartUp-ljjomntfyd - c:\documents and settings\umcjourcasrcaller\local settings\application data\nhwlhog\ylfyjgy.exe
MSConfigStartUp-{C226AD38-BBFC-65F9-36B0-D2B3D07BA323} - c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe
AddRemove-63fc5ade - c:\windows\system32\63fc5ade.exe
AddRemove-{204D48C5-6231-4955-83EC-623DCB437FD9}_is1 - e:\secondlifeportable\Emerald Viewer\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 15:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1612)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-08-23 15:12:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 20:12

Pre-Run: 127,464,611,840 bytes free
Post-Run: 129,800,163,328 bytes free

- - End Of File - - E4A949CEE7BA695C8953305C9465EF80

#4 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 23 August 2010 - 03:53 PM

I see no signs of ramnit yet (which doesn't mean it isn't there), so let's take a closer look.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#5 Scott Gray

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Mid-Missouri

Posted 24 August 2010 - 08:23 AM

Will do; but I notice the scan is for files created or modified in the last 30 days (by default), and I'm not sure but that might need to be changed, and here's why: a while back, this computer was hit with the phony Antivirus package pop-up and the web browser search redirect. I got rid of that (I thought) with Hitman Pro. This Ramnit problem (so identified by Microsoft Forefront Client Security, anyway) shows the exact same browser redirect behavior, up to and including the little curly-q symbol at the left of the address bar when it redirects.

Could what's going on now, despite a period of over 30 days of apparently being 'clean', be a resurgence of that earlier infection? And if so, should I run the scan with more than a 30 day time frame?

Oh, and Avira is now also reporting "DR/Delphi.Gen" in various dll files and such, and like with Pedalac.A, says access to the file was denied so there's nothing it can do. Since these are cropping up and moving around, are they / could they be related to the same problem?

And thanks again for the help; I really appreciate it!

#6 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 24 August 2010 - 08:41 AM

Hi, we can change the default 30 days to 60, but let's first see what your logs come up with. Ramnit can be quite a pain to fully get rid of and it's indeed possible it was still there.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#7 Scott Gray

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Mid-Missouri

Posted 24 August 2010 - 08:42 AM

OTL logfile created on: 8/24/2010 8:15:50 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\graysl\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 120.83 Gb Free Space | 81.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive W: | 68.35 Gb Total Space | 8.20 Gb Free Space | 12.00% Space Free | Partition Type: NTFS

Computer Name: JOUR-CASR-SUP1
Current User Name: graysl
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe
PRC - [2010/07/22 21:07:03 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/22 21:06:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/04 14:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2010/05/20 23:44:02 | 012,978,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/19 16:51:32 | 001,033,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
PRC - [2010/01/19 16:49:44 | 000,016,880 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/08/26 15:49:00 | 002,691,072 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTDCPL.EXE
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe


========== Modules (SafeList) ==========

MOD - [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe
MOD - [2010/07/04 16:32:36 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2009/06/25 07:51:42 | 000,130,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxdo.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\windows\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/20 09:17:35 | 000,208,896 | ---- | M] (AT&T Research Labs Cambridge) [Auto | Stopped] -- C:\Program Files\ORL\VNC\WinVNC.exe -- (winvnc)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/01/19 16:49:44 | 000,016,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -- (FCSAM)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe -- (FcsSas)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | System | Stopped] -- C:\windows\System32\DRIVERS\69022311.sys -- (69022311)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/23 11:14:08 | 005,876,224 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtDHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\69022312.sys -- (69022312)
DRV - [2009/10/09 23:31:10 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\6902231.sys -- (setup_9.0.0.722_18.08.2010_17-51drv)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/07/31 20:31:50 | 004,747,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/06/25 08:09:16 | 006,316,160 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2009/05/31 02:41:00 | 000,209,960 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\k57xp32.sys -- (k57w2k) Broadcom NetLink ™
DRV - [2009/05/22 15:15:50 | 000,090,112 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2009/05/15 12:35:52 | 000,069,616 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webmail.missouri.edu/
IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E2 C2 EC 76 2B E3 CA 01 [binary data]
IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.69.1
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.7.8
FF - prefs.js..extensions.enabledItems: TooManyTabs@visibotech.com:1.2.0
FF - prefs.js..extensions.enabledItems: sharing@addons.mozilla.org:1.1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: savecomplete@perlprogrammer.com:1.0.1
FF - prefs.js..extensions.enabledItems: lazarus@interclue.com:2.0.5
FF - prefs.js..extensions.enabledItems: charlie@packetprotector.org:1.2
FF - prefs.js..extensions.enabledItems: amano@os14.com:1.3
FF - prefs.js..extensions.enabledItems: guiconfig@slosd.net:1.0
FF - prefs.js..extensions.enabledItems: omfg@olive:0.6.080510
FF - prefs.js..extensions.enabledItems: firefox@red-cog.com:2.6
FF - prefs.js..extensions.enabledItems: download-panel@kwok.wai.kan:2009.09.02
FF - prefs.js..extensions.enabledItems: FasterFox_Lite@BigRedBrent:3.8.2Lite
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:4.1.12s
FF - prefs.js..extensions.enabledItems: optout@dubfire.net:3.02
FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.3.2
FF - prefs.js..extensions.enabledItems: {095751f7-cef8-b08c-63e7-aef653237eba}:4.6.6.7
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1127
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/20 09:33:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/20 09:48:54 | 000,000,000 | ---D | M]

[2010/04/05 10:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Extensions
[2010/08/23 15:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions
[2010/06/15 08:10:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\amano@os14.com
[2010/04/24 14:06:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\charlie@packetprotector.org
[2010/06/15 08:10:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\CompactMenuCE@Merci.chao
[2010/06/15 08:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\download-panel@kwok.wai.kan
[2010/06/15 08:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\FasterFox_Lite@BigRedBrent
[2010/06/15 08:12:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\firefox@red-cog.com
[2010/07/08 07:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\foxmarks@kei.com
[2010/06/15 08:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\guiconfig@slosd.net
[2010/06/15 08:13:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com
[2010/06/15 08:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\omfg@olive
[2010/06/22 09:19:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net
[2010/06/15 08:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\savecomplete@perlprogrammer.com
[2010/06/15 08:13:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\sharing@addons.mozilla.org
[2010/06/15 08:14:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\SkipScreen@SkipScreen
[2010/08/06 07:38:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\staged-xpis
[2010/08/02 16:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com
[2010/06/15 08:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\TooManyTabs@visibotech.com
[2010/08/23 15:29:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/29 14:04:12 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}
[2009/11/19 16:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 16:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2010/08/23 15:07:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [Microsoft Forefront Client Security Antimalware Service] c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\windows\RTDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe (AT&T Research Labs Cambridge)
O4 - HKU\S-1-5-21-201074022-649947792-1237804090-90572..\Run: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] C:\Documents and Settings\graysl\Application Data\Zyvyy\zogi.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\Inter.cmd ()
O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\setup_9.0.0.722_18.08.2010_17-51.lnk = C:\Documents and Settings\graysl\Desktop\Virus Removal Tool\setup_9.0.0.722_18.08.2010_17-51\startup.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1269973430266 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.206.10.3 128.206.10.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = col.missouri.edu
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\windows\System32\NavLogon.dll File not found
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/26 13:14:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/09/07 06:33:04 | 000,004,656 | ---- | M] () - W:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1997/02/12 16:53:58 | 000,000,123 | ---- | M] () - W:\autoexec.w95 -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/24 08:15:08 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe
[2010/08/23 14:56:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\Avira
[2010/08/23 14:50:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2010/08/23 14:50:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
[2010/08/23 14:50:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2010/08/23 14:50:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2010/08/23 14:50:04 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2010/08/23 14:45:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/20 11:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Desktop\MMS2_files
[2010/08/20 10:38:58 | 000,000,000 | ---D | C] -- C:\windows\Minidump
[2010/08/20 10:04:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\Ynwyv
[2010/08/20 10:00:25 | 000,000,000 | ---D | C] -- C:\windows\System32\NtmsData
[2010/08/20 09:55:21 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\ssmdrv.sys
[2010/08/20 09:55:16 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avipbb.sys
[2010/08/20 09:55:16 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntflt.sys
[2010/08/20 09:55:16 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntmgr.sys
[2010/08/20 09:55:15 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntdd.sys
[2010/08/20 09:55:12 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/08/20 09:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/08/20 09:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/08/20 08:27:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\My Documents\Downloads
[2010/08/19 16:19:37 | 008,573,648 | ---- | C] (Mozilla) -- C:\Documents and Settings\graysl\My Documents\Firefox Setup 3.6.8.exe
[2010/08/19 14:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\My Documents\pics5
[2010/08/19 14:47:02 | 000,000,000 | ---D | C] -- C:\windows\System32\MpEngineStore
[2010/08/19 14:34:08 | 000,133,440 | ---- | C] (SurfRight B.V.) -- C:\windows\System32\LnkProtect.dll
[2010/08/19 13:31:19 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\6902231.sys
[2010/08/19 13:31:19 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\69022312.sys
[2010/08/19 12:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\riv
[2010/08/17 08:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\SecondLife
[2010/08/17 08:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Local Settings\Application Data\Emerald
[2010/08/06 15:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Desktop\Magic
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/24 08:16:35 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\graysl\NTUSER.DAT
[2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe
[2010/08/24 07:57:01 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Microsoft Office Outlook 2007.lnk
[2010/08/24 07:56:28 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2010/08/24 01:40:00 | 000,000,406 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Scan.job
[2010/08/23 16:17:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\graysl\ntuser.ini
[2010/08/23 15:09:57 | 000,000,412 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Signature Update.job
[2010/08/23 15:09:55 | 000,000,430 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Quick Scan.job
[2010/08/23 15:08:06 | 000,000,227 | ---- | M] () -- C:\windows\system.ini
[2010/08/23 15:07:33 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
[2010/08/23 15:06:43 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010/08/23 15:06:41 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2010/08/23 14:44:31 | 003,825,912 | R--- | M] () -- C:\Documents and Settings\graysl\Desktop\ComboFix.exe
[2010/08/23 08:42:25 | 000,000,426 | ---- | M] () -- C:\windows\BRWMARK.INI
[2010/08/23 08:07:44 | 000,015,944 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2010/08/23 08:02:19 | 000,000,582 | ---- | M] () -- C:\windows\win.ini
[2010/08/20 15:39:21 | 000,004,995 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Attach.zip
[2010/08/20 15:39:17 | 000,001,039 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\ark.zip
[2010/08/20 15:39:09 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\mbam-log-2010-08-20 (09-22-29).zip
[2010/08/20 11:14:28 | 000,031,969 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\MMS2.htm
[2010/08/20 10:37:00 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\wxxjuoeo.exe
[2010/08/20 10:27:46 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\dds.scr
[2010/08/20 10:25:34 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Defogger.exe
[2010/08/20 09:55:41 | 000,001,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/20 09:33:12 | 000,001,629 | ---- | M] () -- C:\Documents and Settings\graysl\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/20 09:33:12 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/08/19 16:49:15 | 000,001,672 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/19 16:19:49 | 008,573,648 | ---- | M] (Mozilla) -- C:\Documents and Settings\graysl\My Documents\Firefox Setup 3.6.8.exe
[2010/08/19 14:34:08 | 000,133,440 | ---- | M] (SurfRight B.V.) -- C:\windows\System32\LnkProtect.dll
[2010/08/13 10:01:44 | 000,000,870 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Shortcut to GIMPPortable.lnk
[2010/08/12 08:05:49 | 000,000,061 | ---- | M] () -- C:\windows\System32\mapisvc.inf
[2010/08/12 08:05:48 | 000,015,724 | ---- | M] () -- C:\windows\System32\PageADT.hlp
[2010/08/12 03:09:24 | 000,269,392 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2010/08/12 03:06:46 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK
[2010/08/12 03:05:28 | 000,534,674 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/08/12 03:05:28 | 000,464,964 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/08/12 03:05:28 | 000,079,248 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/07/27 01:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\shell32.dll
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/23 14:50:21 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2010/08/23 14:50:21 | 000,077,312 | ---- | C] () -- C:\windows\MBR.exe
[2010/08/23 14:50:20 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2010/08/23 14:50:20 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2010/08/23 14:50:20 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2010/08/23 14:44:21 | 003,825,912 | R--- | C] () -- C:\Documents and Settings\graysl\Desktop\ComboFix.exe
[2010/08/20 15:39:21 | 000,004,995 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Attach.zip
[2010/08/20 15:39:17 | 000,001,039 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\ark.zip
[2010/08/20 15:39:09 | 000,000,836 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\mbam-log-2010-08-20 (09-22-29).zip
[2010/08/20 11:14:26 | 000,031,969 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\MMS2.htm
[2010/08/20 10:36:59 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\wxxjuoeo.exe
[2010/08/20 10:27:37 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\dds.scr
[2010/08/20 10:25:33 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Defogger.exe
[2010/08/20 09:55:41 | 000,001,716 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/19 16:22:17 | 000,001,629 | ---- | C] () -- C:\Documents and Settings\graysl\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/19 16:22:17 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/08/19 14:33:41 | 000,001,672 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/13 10:01:44 | 000,000,870 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Shortcut to GIMPPortable.lnk
[2010/06/24 07:22:04 | 112,752,435 | ---- | C] () -- C:\windows\System32\priparpo.dll
[2010/06/24 07:22:04 | 108,877,220 | ---- | C] () -- C:\windows\System32\lofoyebx.dll
[2010/06/24 07:22:04 | 107,625,654 | ---- | C] () -- C:\windows\System32\dllyupebx.dll
[2010/06/14 14:17:26 | 000,015,944 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2010/05/24 16:29:21 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\graysl\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/06 05:41:54 | 106,020,036 | ---- | C] () -- C:\windows\System32\ylingie.dll
[2010/05/06 05:41:54 | 105,549,880 | ---- | C] () -- C:\windows\System32\evcraandg.dll
[2010/05/06 05:41:54 | 102,515,873 | ---- | C] () -- C:\windows\System32\toevandwin.dll
[2010/05/06 05:41:54 | 100,832,561 | ---- | C] () -- C:\windows\System32\ygiwifo.dll
[2010/05/06 05:41:54 | 098,849,697 | ---- | C] () -- C:\windows\System32\craetexex.dll
[2010/05/06 05:41:54 | 097,728,123 | ---- | C] () -- C:\windows\System32\aspoerrrip.dll
[2010/05/06 05:41:54 | 096,866,548 | ---- | C] () -- C:\windows\System32\winjese.dll
[2010/05/06 05:41:54 | 096,092,765 | ---- | C] () -- C:\windows\System32\she32etpo.dll
[2010/05/06 05:41:54 | 094,933,195 | ---- | C] () -- C:\windows\System32\etyorp.dll
[2010/05/06 05:41:54 | 093,038,812 | ---- | C] () -- C:\windows\System32\ajedllco.dll
[2010/05/06 05:41:54 | 092,167,290 | ---- | C] () -- C:\windows\System32\asripasand.dll
[2010/05/06 05:41:54 | 091,073,586 | ---- | C] () -- C:\windows\System32\hexloex.dll
[2010/05/06 05:41:54 | 089,865,909 | ---- | C] () -- C:\windows\System32\wiapias.dll
[2010/05/06 05:41:54 | 088,557,801 | ---- | C] () -- C:\windows\System32\jmcraevs.dll
[2010/05/06 05:41:54 | 087,325,056 | ---- | C] () -- C:\windows\System32\aslinplo.dll
[2010/05/06 05:41:54 | 086,097,648 | ---- | C] () -- C:\windows\System32\jeppapi.dll
[2010/05/06 05:41:54 | 084,890,712 | ---- | C] () -- C:\windows\System32\sheworrip.dll
[2010/05/06 05:41:54 | 084,113,160 | ---- | C] () -- C:\windows\System32\hdllarw.dll
[2010/05/06 05:41:54 | 082,456,037 | ---- | C] () -- C:\windows\System32\cotoupar.dll
[2010/05/06 05:41:54 | 081,503,133 | ---- | C] () -- C:\windows\System32\focoripar.dll
[2010/05/06 05:41:54 | 078,989,483 | ---- | C] () -- C:\windows\System32\jeydopo.dll
[2010/05/06 05:41:54 | 076,946,106 | ---- | C] () -- C:\windows\System32\asetnico.dll
[2010/05/06 05:41:54 | 075,671,927 | ---- | C] () -- C:\windows\System32\uparaet.dll
[2010/05/06 05:41:54 | 074,064,048 | ---- | C] () -- C:\windows\System32\sarlindo.dll
[2010/05/06 05:41:54 | 072,995,043 | ---- | C] () -- C:\windows\System32\pandupcra.dll
[2010/05/06 05:41:54 | 071,178,592 | ---- | C] () -- C:\windows\System32\winapicopo.dll
[2010/05/06 05:41:54 | 068,973,455 | ---- | C] () -- C:\windows\System32\apiarripor.dll
[2010/05/06 05:41:54 | 067,365,063 | ---- | C] () -- C:\windows\System32\byripas.dll
[2010/05/06 05:41:54 | 066,151,155 | ---- | C] () -- C:\windows\System32\andbplin.dll
[2010/05/06 05:41:54 | 065,413,493 | ---- | C] () -- C:\windows\System32\ygjme.dll
[2010/05/06 05:41:54 | 064,450,588 | ---- | C] () -- C:\windows\System32\upwiaje.dll
[2010/05/06 05:41:54 | 062,745,593 | ---- | C] () -- C:\windows\System32\gior32do.dll
[2010/05/06 05:41:54 | 061,072,928 | ---- | C] () -- C:\windows\System32\niaupw.dll
[2010/05/06 05:41:54 | 059,470,049 | ---- | C] () -- C:\windows\System32\apitoglo.dll
[2010/05/06 05:41:54 | 057,072,797 | ---- | C] () -- C:\windows\System32\dlllosheni.dll
[2010/05/06 05:41:54 | 054,606,531 | ---- | C] () -- C:\windows\System32\nidopob.dll
[2010/05/06 05:41:54 | 053,295,560 | ---- | C] () -- C:\windows\System32\stocraet.dll
[2010/04/05 11:40:27 | 000,045,056 | ---- | C] () -- C:\windows\System32\omnithread_rt.dll
[2010/03/30 13:28:05 | 000,274,432 | ---- | C] () -- C:\windows\System32\OE60as.dll
[2010/03/30 13:23:04 | 000,000,426 | ---- | C] () -- C:\windows\BRWMARK.INI
[2010/03/30 12:42:56 | 000,000,000 | ---- | C] () -- C:\windows\winque.INI
[2010/02/25 01:24:38 | 052,748,379 | ---- | C] () -- C:\windows\System32\jmhandapi.dll
[2010/02/25 01:24:38 | 051,841,730 | ---- | C] () -- C:\windows\System32\co32niasu.dll
[2010/02/25 01:24:38 | 050,884,611 | ---- | C] () -- C:\windows\System32\lojeandlin.dll
[2010/02/25 01:24:38 | 049,400,792 | ---- | C] () -- C:\windows\System32\orjmbcra.dll
[2010/02/25 01:24:38 | 048,711,220 | ---- | C] () -- C:\windows\System32\witowins.dll
[2010/02/25 01:24:38 | 047,843,284 | ---- | C] () -- C:\windows\System32\orgpni.dll
[2010/02/25 01:24:38 | 047,140,892 | ---- | C] () -- C:\windows\System32\hganda.dll
[2010/02/25 01:24:38 | 045,162,068 | ---- | C] () -- C:\windows\System32\asujewiasu.dll
[2010/02/25 01:24:38 | 044,523,428 | ---- | C] () -- C:\windows\System32\asandcolin.dll
[2010/02/25 01:24:38 | 043,442,514 | ---- | C] () -- C:\windows\System32\asulobshe.dll
[2010/02/25 01:24:38 | 042,543,994 | ---- | C] () -- C:\windows\System32\wetlocra.dll
[2010/02/25 01:24:38 | 041,695,984 | ---- | C] () -- C:\windows\System32\bwiorco.dll
[2010/02/25 01:24:38 | 040,597,551 | ---- | C] () -- C:\windows\System32\ripsyet.dll
[2010/02/25 01:24:38 | 037,873,338 | ---- | C] () -- C:\windows\System32\windowinrip.dll
[2010/02/25 01:24:38 | 036,817,805 | ---- | C] () -- C:\windows\System32\errexarwi.dll
[2010/02/25 01:24:38 | 035,143,247 | ---- | C] () -- C:\windows\System32\jeripora.dll
[2010/02/25 01:24:38 | 034,048,803 | ---- | C] () -- C:\windows\System32\arerrp32.dll
[2010/02/25 01:24:38 | 033,105,206 | ---- | C] () -- C:\windows\System32\winidllshe.dll
[2010/02/25 01:24:38 | 031,646,718 | ---- | C] () -- C:\windows\System32\uperrripw.dll
[2010/02/25 01:24:38 | 030,964,166 | ---- | C] () -- C:\windows\System32\shejmerrwi.dll
[2010/02/25 01:24:38 | 029,252,747 | ---- | C] () -- C:\windows\System32\evapiandy.dll
[2010/02/25 01:24:38 | 028,460,786 | ---- | C] () -- C:\windows\System32\etjmdoni.dll
[2010/02/25 01:24:38 | 026,762,701 | ---- | C] () -- C:\windows\System32\potocoe.dll
[2010/02/25 01:24:38 | 025,916,914 | ---- | C] () -- C:\windows\System32\gijmeb.dll
[2010/02/25 01:24:38 | 025,418,662 | ---- | C] () -- C:\windows\System32\lofoorb.dll
[2010/02/25 01:24:38 | 024,430,462 | ---- | C] () -- C:\windows\System32\eetgifo.dll
[2010/02/25 01:24:38 | 021,650,280 | ---- | C] () -- C:\windows\System32\jmshejee.dll
[2010/02/25 01:24:38 | 020,773,298 | ---- | C] () -- C:\windows\System32\asdllgih.dll
[2010/02/25 01:24:38 | 019,809,026 | ---- | C] () -- C:\windows\System32\rip32upni.dll
[2010/02/25 01:24:38 | 017,860,659 | ---- | C] () -- C:\windows\System32\jewgiex.dll
[2010/02/25 01:24:38 | 016,708,944 | ---- | C] () -- C:\windows\System32\toswinasu.dll
[2010/02/25 01:24:38 | 015,898,789 | ---- | C] () -- C:\windows\System32\foexevlo.dll
[2010/02/25 01:24:38 | 014,180,827 | ---- | C] () -- C:\windows\System32\evdocrashe.dll
[2010/02/25 01:24:38 | 012,469,488 | ---- | C] () -- C:\windows\System32\posheebxb.dll
[2010/02/25 01:24:38 | 008,494,549 | ---- | C] () -- C:\windows\System32\dowiexapi.dll
[2010/02/25 01:24:38 | 007,040,523 | ---- | C] () -- C:\windows\System32\wierryb.dll
[2010/02/25 01:24:38 | 005,323,414 | ---- | C] () -- C:\windows\System32\pygs.dll
[2010/02/25 01:24:38 | 003,625,607 | ---- | C] () -- C:\windows\System32\32asuerrto.dll
[2010/02/25 01:24:38 | 003,522,345 | ---- | C] () -- C:\windows\System32\apevlin.dll
[2010/02/25 01:24:38 | 003,299,288 | ---- | C] () -- C:\windows\System32\gijmerrwi.dll
[2010/02/25 01:24:38 | 002,971,389 | ---- | C] () -- C:\windows\System32\arewiny.dll
[2010/02/25 01:24:38 | 002,789,788 | ---- | C] () -- C:\windows\System32\lin32gini.dll
[2010/02/25 01:24:38 | 002,788,278 | ---- | C] () -- C:\windows\System32\jedllcrapo.dll
[2010/02/25 01:24:38 | 002,241,435 | ---- | C] () -- C:\windows\System32\wiwandas.dll
[2010/02/25 01:24:38 | 002,001,333 | ---- | C] () -- C:\windows\System32\asupyy.dll
[2010/02/25 01:24:38 | 001,944,310 | ---- | C] () -- C:\windows\System32\werrcrap.dll
[2010/02/25 01:24:38 | 001,696,724 | ---- | C] () -- C:\windows\System32\alowdll.dll
[2010/02/25 01:24:38 | 001,530,126 | ---- | C] () -- C:\windows\System32\exupupy.dll
[2010/02/25 01:24:38 | 001,144,253 | ---- | C] () -- C:\windows\System32\apilinlop.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\windows\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\windows\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\windows\System32\gthrctr.ini
< End of report >

OTL Extras logfile created on: 8/24/2010 8:15:50 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\graysl\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 120.83 Gb Free Space | 81.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive W: | 68.35 Gb Total Space | 8.20 Gb Free Space | 12.00% Space Free | Partition Type: NTFS

Computer Name: JOUR-CASR-SUP1
Current User Name: graysl
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"5900:TCP" = 5900:TCP:*:Enabled:WinVNC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe" = C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)
"E:\SecondLifePortable\Emerald Viewer\SLVoice.exe" = E:\SecondLifePortable\Emerald Viewer\SLVoice.exe:*:Enabled:SLVoice -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe" = C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2E98C5B7-D64C-4D7E-BFC3-A7D078569F28}" = Broadcom NetXtreme-I Netlink Driver and Management Installer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DDCD95B5-7230-462F-9889-7EBBEE74123C}" = Microsoft Forefront Client Security Antimalware Service
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E8B56B38-A826-11DB-8C83-0011430C73A4}" = Microsoft Forefront Client Security State Assessment Service
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 7.1.0.1195
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.70
"HDMI" = Intel® Graphics Media Accelerator Driver
"HitmanPro35" = Hitman Pro 3.5
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Unlocker" = Unlocker 1.9.0
"WinCati 4.1 - Interviewer" = WinCati 4.1 - Interviewer
"WinCati 4.1 - Supervisor" = WinCati 4.1 - Supervisor
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinVNC" = WinVNC 3.3.3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WorksDatabaseConverter" = WorksDatabaseConverter

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING
BANANA FACTS AND USES _ EPIDEMICFUN.COM_FILES> in the hash map cannot be updated.

Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING
BANANA FACTS AND USES_FILES> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING
BANANA FACTS AND USES_FILES> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\LARA
CROFT.JPG> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\LEGEND
OF ZELDA SISTERS.JPG> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\MAGIC
LISTS.XLSX> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 8/20/2010 10:24:27 AM | Computer Name = JOUR-CASR-SUP1 | Source = MDM | ID = 4101
Description = An error occurred while the debugger attempted to correct its registry.

Error - 8/20/2010 10:27:33 AM | Computer Name = JOUR-CASR-SUP1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module lnkprotect.dll, version 1.0.0.1, fault address 0x000014d8.

Error - 8/20/2010 10:30:44 AM | Computer Name = JOUR-CASR-SUP1 | Source = MDM | ID = 4101
Description = An error occurred while the debugger attempted to correct its registry.

Error - 8/20/2010 10:33:04 AM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

[ OSession Events ]
Error - 6/21/2010 5:29:18 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 20550
seconds with 13740 seconds of active time. This session ended with a crash.

Error - 6/22/2010 11:46:16 AM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 681
seconds with 600 seconds of active time. This session ended with a crash.

Error - 6/22/2010 12:23:34 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2228
seconds with 1680 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:08:34 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3296
seconds with 3060 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:57:53 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2950
seconds with 2400 seconds of active time. This session ended with a crash.

Error - 6/24/2010 4:36:47 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9524
seconds with 7200 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/19/2010 4:05:24 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006
Description = %%830 Real-Time Protection agent has encountered an error when taking
action on spyware or other potentially unwanted software. For more information please
see the following: http://go.microsoft....atid=2147636914

Scan
ID: {3A8F5C14-B06E-469D-859C-CA2FEF607AF8} User: UMC-USERS\umcjourcasrcaller Name:
Virus:Win32/Ramnit.B ID: 2147636914 Severity: Severe Category: Virus Path: file:\\?\C:\Program
Files\Common Files\Microsoft Shared\Help 8\dexplmnu.dll;file:\\?\C:\Program Files\Common
Files\Microsoft Shared\Help 8\dexplmnu.dll Alert Type: %%805 Action: %%812 Error Code:
0x80508021 Error description: An unexpected problem occurred. Install any available
updates, and then try to start the program again. For information on installing
updates, see Help and Support.

Error - 8/23/2010 9:16:59 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 9:16:58 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 9:16:58 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 10:26:09 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 10:26:02 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 10:26:31 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 12:02:12 PM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 3:42:05 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006
Description = %%830 Real-Time Protection agent has encountered an error when taking
action on spyware or other potentially unwanted software. For more information please
see the following: http://go.microsoft....atid=2147636914

Scan
ID: {6326BECF-C0D8-4510-BB45-127E27450D38} User: UMC-USERS\graysl Name: Virus:Win32/Ramnit.B

ID:
2147636914 Severity: Severe Category: Virus Path: Alert Type: %%805 Action: %%812 Error
Code: 0x80508024 Error description: To finish removing spyware and other potentially
unwanted software, you need to run a full scan. For information about scanning
options, see Help and Support.

Error - 8/23/2010 3:46:18 PM | Computer Name = JOUR-CASR-SUP1 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Forefront Client Security State Assessment Service service
terminated unexpectedly. It has done this 1 time(s). The following corrective
action will be taken in 0 milliseconds: Restart the service.


< End of report >

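An added example (not part of the original post or of OTL/Forefront) that turns the "[ System Events ]" block above into structured records: the FCSAM 3006 entries are the only lines in the report that name the detected threat, the file it was found in and the engine's error code, and they are line-wrapped by the log format, so they are awkward to grep. The parser re-joins the wrapped lines, filters on source and event ID, and de-duplicates the path list (the first event lists dexplmnu.dll twice). The sample input is copied from the log lines above; the field names and the `Detection` record are this example's own, not an OTL or Forefront format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the two FCSAM detection events and one unrelated EventLog entry,
# copied from the "[ System Events ]" block of the OTL report above, with the
# line wrapping exactly as the report printed it.
SAMPLE_LOG = r"""
Error - 8/19/2010 4:05:24 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006
Description = %%830 Real-Time Protection agent has encountered an error when taking
action on spyware or other potentially unwanted software. For more information please
see the following: http://go.microsoft....atid=2147636914

Scan
ID: {3A8F5C14-B06E-469D-859C-CA2FEF607AF8} User: UMC-USERS\umcjourcasrcaller Name:
Virus:Win32/Ramnit.B ID: 2147636914 Severity: Severe Category: Virus Path: file:\\?\C:\Program
Files\Common Files\Microsoft Shared\Help 8\dexplmnu.dll;file:\\?\C:\Program Files\Common
Files\Microsoft Shared\Help 8\dexplmnu.dll Alert Type: %%805 Action: %%812 Error Code:
0x80508021 Error description: An unexpected problem occurred. Install any available
updates, and then try to start the program again.

Error - 8/23/2010 9:16:59 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 8/23/2010 3:42:05 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006
Description = %%830 Real-Time Protection agent has encountered an error when taking
action on spyware or other potentially unwanted software. For more information please
see the following: http://go.microsoft....atid=2147636914

Scan
ID: {6326BECF-C0D8-4510-BB45-127E27450D38} User: UMC-USERS\graysl Name: Virus:Win32/Ramnit.B

ID:
2147636914 Severity: Severe Category: Virus Path: Alert Type: %%805 Action: %%812 Error
Code: 0x80508024 Error description: To finish removing spyware and other potentially
unwanted software, you need to run a full scan.
"""

# One "Error - <time> | Computer Name = <host> | Source = <src> | ID = <n>" header per entry.
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)\s*$",
    re.MULTILINE,
)
FILE_URI_PREFIX = re.compile(r"^file:(\\\\\?\\)?")   # strips the 'file:\\?\' prefix from a path


@dataclass
class Detection:
    timestamp: str
    host: str
    user: Optional[str]
    threat: Optional[str]
    error_code: Optional[str]
    error_text: Optional[str]
    paths: List[str] = field(default_factory=list)


def split_entries(text):
    """Yield (header_match, body_text) for every 'Error - ...' entry in an OTL event list."""
    heads = list(HEADER_RE.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h, text[h.end():end]


def _field(pattern, flat):
    m = re.search(pattern, flat)
    return m.group(1).strip() if m else None


def parse_detections(text, source="FCSAM", event_id="3006"):
    """Return a Detection for every antimalware event of the given source and event ID."""
    found = []
    for h, body in split_entries(text):
        if h.group("source") != source or h.group("id") != event_id:
            continue
        flat = " ".join(body.split())            # undo the log's line wrapping first
        paths = []
        for p in (_field(r"Path:\s*(.*?)\s*Alert Type:", flat) or "").split(";"):
            p = FILE_URI_PREFIX.sub("", p.strip())
            if p and p not in paths:              # the same file is often listed twice
                paths.append(p)
        found.append(Detection(
            timestamp=h.group("ts"),
            host=h.group("host"),
            user=_field(r"User: (\S+)", flat),
            threat=_field(r"Name: (\S+)", flat),
            error_code=_field(r"Error Code: (0x[0-9A-Fa-f]+)", flat),
            error_text=_field(r"Error description: (.*)$", flat),
            paths=paths,
        ))
    return found


def files_to_verify(detections):
    """Unique file paths the engine named: the candidates to hash and rescan after cleanup."""
    seen = []
    for d in detections:
        for p in d.paths:
            if p not in seen:
                seen.append(p)
    return seen


if __name__ == "__main__":
    for d in parse_detections(SAMPLE_LOG):
        print(d.timestamp, d.user, d.threat, d.error_code, d.paths or "(no path: scan-level event)")
```

The second 3006 event carries no path at all (its error text asks for a full scan), so a detection record with an empty path list is a real case the parser has to tolerate, not a parse failure. Note also that dexplmnu.dll lives under Program Files, not the user profile: a file infector like the one this log names leaves its marks in installed software, which is why a list of named files is worth keeping for the post-cleanup rescan.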
#8 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 24 August 2010 - 11:40 AM

Hi, no active Ramnit there; it's possible there will be some leftovers, but scanners will get that.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#9 Scott Gray

Scott Gray

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Mid-Missouri

Posted 24 August 2010 - 03:03 PM

ComboFix 10-08-24.02 - graysl 08/24/2010 14:05:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.772 [GMT -5:00]
Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira
2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv
2010-08-20 15:00 . 2010-08-24 19:04 -------- d-----w- c:\windows\system32\NtmsData
2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker
2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys
2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys
2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv
2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald
2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife
2010-08-02 21:26 . 2010-08-20 13:21 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 18:44 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine
2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime
2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons
2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft
2010-08-20 14:22 . 2010-04-24 18:47 203776 ----a-w- c:\documents and settings\graysl\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-08-20 13:20 . 2010-04-16 15:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip
2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_20.08.02 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\
Inter.cmd [2010-3-30 690]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]
"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]
R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]
S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]
S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.missouri.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1127
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{C226AD38-BBFC-65F9-36B0-D2B3D07BA323} - c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-24 14:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-08-24 14:13:33
ComboFix-quarantined-files.txt 2010-08-24 19:13
ComboFix2.txt 2010-08-23 20:12

Pre-Run: 128,061,001,728 bytes free
Post-Run: 128,046,256,128 bytes free

- - End Of File - - 4D0E99B9EC49B4C25904278ACDDB62E9

#10 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 24 August 2010 - 03:35 PM

Hi, please let me know how things are running after the following fix.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Firefox::
FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1127
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.


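The CFScript above strips a Firefox proxy setting (network.proxy.http = 127.0.0.1, port 1127) from prefs.js; a browser silently routed through a local proxy is a common cause of the search-redirect symptom reported in this thread. Added example, not code from the thread or from ComboFix: a small Python checker that parses user_pref() lines from a prefs.js and reports proxy hosts that point at a loopback address. The sample prefs.js content is constructed to resemble the log above, not the poster's real file.

```python
"""Flag Firefox proxy preferences that point at the local machine.

Added example (not from the original thread). Parses user_pref() lines the way
they appear in a Firefox prefs.js and reports loopback proxy hosts such as the
127.0.0.1:1127 entry the CFScript above removes.
"""
import re
from ipaddress import ip_address

# user_pref("name", value);  value is a quoted string, an integer or a bool
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Proxy host preferences Firefox reads from prefs.js
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.socks", "network.proxy.ftp")


def parse_prefs(text):
    """Return {pref_name: value}; strings unquoted, ints and bools typed."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unknown literals untouched
    return prefs


def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname that is not an IP literal


def suspicious_proxies(prefs):
    """List (pref, host, port) for proxy hosts on a loopback address.

    A legitimate local proxy (a corporate filter, a debugging tool) looks the
    same, so hits are leads to verify, not verdicts. A loopback host is
    reported even when network.proxy.type is 0 (disabled), because turning it
    back on is a single pref change away.
    """
    hits = []
    for pref in PROXY_HOST_PREFS:
        host = prefs.get(pref)
        if isinstance(host, str) and host and _is_loopback(host):
            port = prefs.get(pref + "_port", 0)
            hits.append((pref, host, port))
    return hits


# Constructed sample modelled on the thread's log (not the poster's real file)
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "hxxp://webmail.missouri.edu/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 1127);
user_pref("network.proxy.type", 1);
user_pref("privacy.clearOnShutdown.cookies", false);
'''

if __name__ == "__main__":
    for pref, host, port in suspicious_proxies(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{pref} -> {host}:{port}  (loopback proxy; check what listens there)")
```

On a live system, what is listening on the reported port (netstat -ano on Windows) tells you whether the entry is a leftover or still backed by a running process.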

#11 Scott Gray

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Mid-Missouri

Posted 25 August 2010 - 08:21 AM

Okay, here's the latest; I'll let you know later today or tomorrow morning if things are ship-shape or not. Thanks again!

ComboFix 10-08-24.02 - graysl 08/25/2010 8:11.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1394 [GMT -5:00]
Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\graysl\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.

2010-08-24 19:20 . 2010-08-24 19:20 -------- d-----w- c:\documents and settings\umcjourcasrcaller\Application Data\Avira
2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira
2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv
2010-08-20 15:00 . 2010-08-24 20:43 -------- d-----w- c:\windows\system32\NtmsData
2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker
2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys
2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys
2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv
2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald
2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife
2010-08-02 21:26 . 2010-08-20 13:21 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 20:39 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine
2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime
2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons
2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft
2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip
2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_20.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-24 19:57 . 2010-08-24 19:57 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\
Inter.cmd [2010-3-30 690]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]
"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]
R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]
S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-24 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-24 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.missouri.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 08:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(112)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-25 08:19:38
ComboFix-quarantined-files.txt 2010-08-25 13:19
ComboFix2.txt 2010-08-24 19:13
ComboFix3.txt 2010-08-23 20:12

Pre-Run: 140,151,357,440 bytes free
Post-Run: 140,165,816,320 bytes free

- - End Of File - - 85E325784BF370EAF7F6B85E47714713

#12 Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 25 August 2010 - 08:33 AM

Okay, in the meantime, some updating/double-checking. :)

UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Please launch MBAM, update it and run a full scan. Post me the resulting log.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#13 Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 12 September 2010 - 08:18 AM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Product Support


I close my threads if there are 5 days without a response.



