Scott Gray

Members
  • Posts

    6
  • Joined

  • Last visited

Reputation

0 Neutral

About Scott Gray

  • Birthday 10/11/1966

Profile Information

  • Location
    Mid-Missouri
  1. Okay, here's the latest; I'll let you know later today or tomorrow morning if things are ship-shape or not. Thanks again!

ComboFix 10-08-24.02 - graysl 08/25/2010 8:11.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1394 [GMT -5:00]
Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\graysl\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.
2010-08-24 19:20 . 2010-08-24 19:20 -------- d-----w- c:\documents and settings\umcjourcasrcaller\Application Data\Avira
2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira
2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv
2010-08-20 15:00 . 2010-08-24 20:43 -------- d-----w- c:\windows\system32\NtmsData
2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker
2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys
2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys
2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv
2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald
2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife
2010-08-02 21:26 . 2010-08-20 13:21 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 20:39 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine
2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime
2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons
2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft
2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip
2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-23_20.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-24 19:57 . 2010-08-24 19:57 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\
Inter.cmd [2010-3-30 690]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]
"Script"=casr_printer.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]
"Script"=casr_mapping.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]
"Script"=casr_printer.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=
R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]
R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]
R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]
S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-08-24 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
2010-08-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
2010-08-24 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.missouri.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 08:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(112)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-25 08:19:38
ComboFix-quarantined-files.txt 2010-08-25 13:19
ComboFix2.txt 2010-08-24 19:13
ComboFix3.txt 2010-08-23 20:12
Pre-Run: 140,151,357,440 bytes free
Post-Run: 140,165,816,320 bytes free
- - End Of File - - 85E325784BF370EAF7F6B85E47714713
  2. ComboFix 10-08-24.02 - graysl 08/24/2010 14:05:24.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.772 [GMT -5:00] Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe . ((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 ))))))))))))))))))))))))))))))) . 2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira 2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv 2010-08-20 15:00 . 2010-08-24 19:04 -------- d-----w- c:\windows\system32\NtmsData 2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira 2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker 2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore 2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll 2010-08-19 18:31 . 
2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys 2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys 2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv 2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald 2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife 2010-08-02 21:26 . 2010-08-20 13:21 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-24 18:44 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine 2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search 2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime 2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons 2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft 2010-08-20 14:22 . 2010-04-24 18:47 203776 ----a-w- c:\documents and settings\graysl\Application Data\Sun\Java\jre1.6.0_15\lzma.dll 2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector 2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll 2010-08-20 13:20 . 
2010-04-16 15:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe 2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys 2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield 2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer 2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer 2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip 2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip 2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe 2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-21 15:27 . 
2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys 2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll 2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll 2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe 2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll 2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll . ((((((((((((((((((((((((((((( SnapShot@2010-08-23_20.08.02 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592] "Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896] "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888] "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760] "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\ Inter.cmd [2010-3-30 690] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0] 
"Script"=casr_printer.bat [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0] "Script"=casr_mapping.cmd [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0] "Script"=casr_mapping.bat [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0] "Script"=casr_printer.bat [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0] "Script"=casr_mapping.cmd [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"= R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392] R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336] R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880] R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960] S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> 
c:\windows\system32\DRIVERS\69022311.sys [?] S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120] . Contents of the 'Scheduled Tasks' folder 2010-08-23 c:\windows\Tasks\MP Scheduled Quick Scan.job - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49] 2010-08-24 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49] 2010-08-23 c:\windows\Tasks\MP Scheduled Signature Update.job - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49] . . ------- Supplementary Scan ------- . uStart Page = hxxp://webmail.missouri.edu/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\ FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 1127 FF - prefs.js: network.proxy.type - 0 FF - component: c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll FF - component: c:\program files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation 
Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - 
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - HKCU-Run-{C226AD38-BBFC-65F9-36B0-D2B3D07BA323} - c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-24 14:10 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2010-08-24 14:13:33 ComboFix-quarantined-files.txt 2010-08-24 19:13 ComboFix2.txt 2010-08-23 20:12 Pre-Run: 128,061,001,728 bytes free Post-Run: 128,046,256,128 bytes free - - End Of File - - 4D0E99B9EC49B4C25904278ACDDB62E9
  3. OTL logfile created on: 8/24/2010 8:15:50 AM - Run 1 OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\graysl\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 149.01 Gb Total Space | 120.83 Gb Free Space | 81.09% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive W: | 68.35 Gb Total Space | 8.20 Gb Free Space | 12.00% Space Free | Partition Type: NTFS Computer Name: JOUR-CASR-SUP1 Current User Name: graysl NOT logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe PRC - [2010/07/22 21:07:03 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe PRC - [2010/07/22 21:06:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010/07/04 14:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe PRC - [2010/05/20 23:44:02 | 012,978,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2010/01/19 16:51:32 | 001,033,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe PRC - [2010/01/19 16:49:44 | 000,016,880 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2009/08/26 15:49:00 | 002,691,072 | ---- | M] (Realtek Semiconductor Corp.) 
-- C:\WINDOWS\RTDCPL.EXE PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe ========== Modules (SafeList) ========== MOD - [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe MOD - [2010/07/04 16:32:36 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll MOD - [2009/06/25 07:51:42 | 000,130,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxdo.dll MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx ========== Win32 Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- C:\windows\System32\hidserv.dll -- (HidServ) SRV - [2010/08/20 09:17:35 | 000,208,896 | ---- | M] (AT&T Research Labs Cambridge) [Auto | Stopped] -- C:\Program Files\ORL\VNC\WinVNC.exe -- (winvnc) SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2010/01/19 
16:49:44 | 000,016,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -- (FCSAM) SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc) SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort) SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe -- (FcsSas) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme) DRV - File not found [Kernel | System | Stopped] -- C:\windows\System32\DRIVERS\69022311.sys -- (69022311) DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2009/10/23 11:14:08 | 005,876,224 | ---- | M] (Realtek Semiconductor Corp.) 
[Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtDHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM) DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\69022312.sys -- (69022312) DRV - [2009/10/09 23:31:10 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\6902231.sys -- (setup_9.0.0.722_18.08.2010_17-51drv) DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr) DRV - [2009/07/31 20:31:50 | 004,747,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igdkmd32.sys -- (igfx) DRV - [2009/06/25 08:09:16 | 006,316,160 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm) DRV - [2009/05/31 02:41:00 | 000,209,960 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\k57xp32.sys -- (k57w2k) Broadcom NetLink DRV - [2009/05/22 15:15:50 | 000,090,112 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp) DRV - [2009/05/15 12:35:52 | 000,069,616 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter) DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) ========== Standard Registry (SafeList) ========== 
========== Internet Explorer ========== IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webmail.missouri.edu/ IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E2 C2 EC 76 2B E3 CA 01 [binary data] IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.69.1 FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.7.8 FF - prefs.js..extensions.enabledItems: TooManyTabs@visibotech.com:1.2.0 FF - prefs.js..extensions.enabledItems: sharing@addons.mozilla.org:1.1.1 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: savecomplete@perlprogrammer.com:1.0.1 FF - prefs.js..extensions.enabledItems: lazarus@interclue.com:2.0.5 FF - prefs.js..extensions.enabledItems: charlie@packetprotector.org:1.2 FF - prefs.js..extensions.enabledItems: amano@os14.com:1.3 FF - prefs.js..extensions.enabledItems: guiconfig@slosd.net:1.0 FF - prefs.js..extensions.enabledItems: omfg@olive:0.6.080510 FF - prefs.js..extensions.enabledItems: firefox@red-cog.com:2.6 FF - prefs.js..extensions.enabledItems: download-panel@kwok.wai.kan:2009.09.02 FF - prefs.js..extensions.enabledItems: FasterFox_Lite@BigRedBrent:3.8.2Lite FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:4.1.12s FF - prefs.js..extensions.enabledItems: optout@dubfire.net:3.02 FF - prefs.js..extensions.enabledItems: 
CompactMenuCE@Merci.chao:4.3.2 FF - prefs.js..extensions.enabledItems: {095751f7-cef8-b08c-63e7-aef653237eba}:4.6.6.7 FF - prefs.js..network.proxy.http: "127.0.0.1" FF - prefs.js..network.proxy.http_port: 1127 FF - prefs.js..network.proxy.type: 0 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/20 09:33:10 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/20 09:48:54 | 000,000,000 | ---D | M] [2010/04/05 10:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Extensions [2010/08/23 15:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions [2010/06/15 08:10:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\amano@os14.com [2010/04/24 14:06:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\charlie@packetprotector.org [2010/06/15 08:10:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\CompactMenuCE@Merci.chao [2010/06/15 08:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\download-panel@kwok.wai.kan [2010/06/15 08:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\FasterFox_Lite@BigRedBrent [2010/06/15 08:12:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\firefox@red-cog.com [2010/07/08 07:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application 
Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\foxmarks@kei.com [2010/06/15 08:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\guiconfig@slosd.net [2010/06/15 08:13:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com [2010/06/15 08:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\omfg@olive [2010/06/22 09:19:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net [2010/06/15 08:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\savecomplete@perlprogrammer.com [2010/06/15 08:13:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\sharing@addons.mozilla.org [2010/06/15 08:14:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\SkipScreen@SkipScreen [2010/08/06 07:38:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\staged-xpis [2010/08/02 16:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com [2010/06/15 08:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\TooManyTabs@visibotech.com [2010/08/23 15:29:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/04/29 14:04:12 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla 
Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba} [2009/11/19 16:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll [2009/11/19 16:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll O1 HOSTS File: ([2010/08/23 15:07:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation) O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.) O4 - HKLM..\Run: [Microsoft Forefront Client Security Antimalware Service] c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe (Microsoft Corporation) O4 - HKLM..\Run: [RTHDCPL] C:\windows\RTDCPL.EXE (Realtek Semiconductor Corp.) 
O4 - HKLM..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe () O4 - HKLM..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe (AT&T Research Labs Cambridge) O4 - HKU\S-1-5-21-201074022-649947792-1237804090-90572..\Run: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] C:\Documents and Settings\graysl\Application Data\Zyvyy\zogi.exe File not found O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\Inter.cmd () O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\setup_9.0.0.722_18.08.2010_17-51.lnk = C:\Documents and Settings\graysl\Desktop\Virus Removal Tool\setup_9.0.0.722_18.08.2010_17-51\startup.exe File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control 
Panel present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1269973430266 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} 
http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner) O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.206.10.3 128.206.10.2 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = col.missouri.edu O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation) O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\windows\System32\NavLogon.dll File not found O24 - Desktop WallPaper: O24 - Desktop BackupWallPaper: O28 - HKLM ShellExecuteHooks: 
{56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010/03/26 13:14:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2001/09/07 06:33:04 | 000,004,656 | ---- | M] () - W:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [1997/02/12 16:53:58 | 000,000,123 | ---- | M] () - W:\autoexec.w95 -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/08/24 08:15:08 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe [2010/08/23 14:56:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\Avira [2010/08/23 14:50:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe [2010/08/23 14:50:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe [2010/08/23 14:50:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe [2010/08/23 14:50:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe [2010/08/23 14:50:04 | 000,000,000 | ---D | C] -- C:\windows\ERDNT [2010/08/23 14:45:10 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/08/20 11:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Desktop\MMS2_files [2010/08/20 10:38:58 | 000,000,000 | ---D | C] -- C:\windows\Minidump [2010/08/20 10:04:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\Ynwyv [2010/08/20 10:00:25 | 000,000,000 | ---D | C] -- C:\windows\System32\NtmsData [2010/08/20 09:55:21 | 000,028,520 | ---- | C] 
(Avira GmbH) -- C:\windows\System32\drivers\ssmdrv.sys [2010/08/20 09:55:16 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avipbb.sys [2010/08/20 09:55:16 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntflt.sys [2010/08/20 09:55:16 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntmgr.sys [2010/08/20 09:55:15 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntdd.sys [2010/08/20 09:55:12 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2010/08/20 09:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira [2010/08/20 09:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker [2010/08/20 08:27:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\My Documents\Downloads [2010/08/19 16:19:37 | 008,573,648 | ---- | C] (Mozilla) -- C:\Documents and Settings\graysl\My Documents\Firefox Setup 3.6.8.exe [2010/08/19 14:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\My Documents\pics5 [2010/08/19 14:47:02 | 000,000,000 | ---D | C] -- C:\windows\System32\MpEngineStore [2010/08/19 14:34:08 | 000,133,440 | ---- | C] (SurfRight B.V.) 
-- C:\windows\System32\LnkProtect.dll [2010/08/19 13:31:19 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\6902231.sys [2010/08/19 13:31:19 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\69022312.sys [2010/08/19 12:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\riv [2010/08/17 08:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\SecondLife [2010/08/17 08:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Local Settings\Application Data\Emerald [2010/08/06 15:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Desktop\Magic [4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ] [1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/08/24 08:16:35 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\graysl\NTUSER.DAT [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe [2010/08/24 07:57:01 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Microsoft Office Outlook 2007.lnk [2010/08/24 07:56:28 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl [2010/08/24 01:40:00 | 000,000,406 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Scan.job [2010/08/23 16:17:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\graysl\ntuser.ini [2010/08/23 15:09:57 | 000,000,412 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Signature Update.job [2010/08/23 15:09:55 | 000,000,430 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Quick Scan.job [2010/08/23 15:08:06 | 000,000,227 | ---- | M] () -- C:\windows\system.ini [2010/08/23 15:07:33 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts [2010/08/23 15:06:43 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT [2010/08/23 15:06:41 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat [2010/08/23 14:44:31 | 003,825,912 | 
R--- | M] () -- C:\Documents and Settings\graysl\Desktop\ComboFix.exe
[2010/08/23 08:42:25 | 000,000,426 | ---- | M] () -- C:\windows\BRWMARK.INI
[2010/08/23 08:07:44 | 000,015,944 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2010/08/23 08:02:19 | 000,000,582 | ---- | M] () -- C:\windows\win.ini
[2010/08/20 15:39:21 | 000,004,995 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Attach.zip
[2010/08/20 15:39:17 | 000,001,039 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\ark.zip
[2010/08/20 15:39:09 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\mbam-log-2010-08-20 (09-22-29).zip
[2010/08/20 11:14:28 | 000,031,969 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\MMS2.htm
[2010/08/20 10:37:00 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\wxxjuoeo.exe
[2010/08/20 10:27:46 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\dds.scr
[2010/08/20 10:25:34 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Defogger.exe
[2010/08/20 09:55:41 | 000,001,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/20 09:33:12 | 000,001,629 | ---- | M] () -- C:\Documents and Settings\graysl\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/20 09:33:12 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/08/19 16:49:15 | 000,001,672 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/19 16:19:49 | 008,573,648 | ---- | M] (Mozilla) -- C:\Documents and Settings\graysl\My Documents\Firefox Setup 3.6.8.exe
[2010/08/19 14:34:08 | 000,133,440 | ---- | M] (SurfRight B.V.) -- C:\windows\System32\LnkProtect.dll
[2010/08/13 10:01:44 | 000,000,870 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Shortcut to GIMPPortable.lnk
[2010/08/12 08:05:49 | 000,000,061 | ---- | M] () -- C:\windows\System32\mapisvc.inf
[2010/08/12 08:05:48 | 000,015,724 | ---- | M] () -- C:\windows\System32\PageADT.hlp
[2010/08/12 03:09:24 | 000,269,392 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2010/08/12 03:06:46 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK
[2010/08/12 03:05:28 | 000,534,674 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/08/12 03:05:28 | 000,464,964 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/08/12 03:05:28 | 000,079,248 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/07/27 01:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\shell32.dll
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/23 14:50:21 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2010/08/23 14:50:21 | 000,077,312 | ---- | C] () -- C:\windows\MBR.exe
[2010/08/23 14:50:20 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2010/08/23 14:50:20 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2010/08/23 14:50:20 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2010/08/23 14:44:21 | 003,825,912 | R--- | C] () -- C:\Documents and Settings\graysl\Desktop\ComboFix.exe
[2010/08/20 15:39:21 | 000,004,995 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Attach.zip
[2010/08/20 15:39:17 | 000,001,039 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\ark.zip
[2010/08/20 15:39:09 | 000,000,836 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\mbam-log-2010-08-20 (09-22-29).zip
[2010/08/20 11:14:26 | 000,031,969 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\MMS2.htm
[2010/08/20 10:36:59 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\wxxjuoeo.exe
[2010/08/20 10:27:37 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\dds.scr
[2010/08/20 10:25:33 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Defogger.exe
[2010/08/20 09:55:41 | 000,001,716 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/19 16:22:17 | 000,001,629 | ---- | C] () -- C:\Documents and Settings\graysl\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/19 16:22:17 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/08/19 14:33:41 | 000,001,672 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/13 10:01:44 | 000,000,870 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Shortcut to GIMPPortable.lnk
[2010/06/24 07:22:04 | 112,752,435 | ---- | C] () -- C:\windows\System32\priparpo.dll
[2010/06/24 07:22:04 | 108,877,220 | ---- | C] () -- C:\windows\System32\lofoyebx.dll
[2010/06/24 07:22:04 | 107,625,654 | ---- | C] () -- C:\windows\System32\dllyupebx.dll
[2010/06/14 14:17:26 | 000,015,944 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2010/05/24 16:29:21 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\graysl\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/06 05:41:54 | 106,020,036 | ---- | C] () -- C:\windows\System32\ylingie.dll
[2010/05/06 05:41:54 | 105,549,880 | ---- | C] () -- C:\windows\System32\evcraandg.dll
[2010/05/06 05:41:54 | 102,515,873 | ---- | C] () -- C:\windows\System32\toevandwin.dll
[2010/05/06 05:41:54 | 100,832,561 | ---- | C] () -- C:\windows\System32\ygiwifo.dll
[2010/05/06 05:41:54 | 098,849,697 | ---- | C] () -- C:\windows\System32\craetexex.dll
[2010/05/06 05:41:54 | 097,728,123 | ---- | C] () -- C:\windows\System32\aspoerrrip.dll
[2010/05/06 05:41:54 | 096,866,548 | ---- | C] () -- C:\windows\System32\winjese.dll
[2010/05/06 05:41:54 | 096,092,765 | ---- | C] () -- C:\windows\System32\she32etpo.dll
[2010/05/06 05:41:54 | 094,933,195 | ---- | C] () -- C:\windows\System32\etyorp.dll
[2010/05/06 05:41:54 | 093,038,812 | ---- | C] () -- C:\windows\System32\ajedllco.dll
[2010/05/06 05:41:54 | 092,167,290 | ---- | C] () -- C:\windows\System32\asripasand.dll
[2010/05/06 05:41:54 | 091,073,586 | ---- | C] () -- C:\windows\System32\hexloex.dll
[2010/05/06 05:41:54 | 089,865,909 | ---- | C] () -- C:\windows\System32\wiapias.dll
[2010/05/06 05:41:54 | 088,557,801 | ---- | C] () -- C:\windows\System32\jmcraevs.dll
[2010/05/06 05:41:54 | 087,325,056 | ---- | C] () -- C:\windows\System32\aslinplo.dll
[2010/05/06 05:41:54 | 086,097,648 | ---- | C] () -- C:\windows\System32\jeppapi.dll
[2010/05/06 05:41:54 | 084,890,712 | ---- | C] () -- C:\windows\System32\sheworrip.dll
[2010/05/06 05:41:54 | 084,113,160 | ---- | C] () -- C:\windows\System32\hdllarw.dll
[2010/05/06 05:41:54 | 082,456,037 | ---- | C] () -- C:\windows\System32\cotoupar.dll
[2010/05/06 05:41:54 | 081,503,133 | ---- | C] () -- C:\windows\System32\focoripar.dll
[2010/05/06 05:41:54 | 078,989,483 | ---- | C] () -- C:\windows\System32\jeydopo.dll
[2010/05/06 05:41:54 | 076,946,106 | ---- | C] () -- C:\windows\System32\asetnico.dll
[2010/05/06 05:41:54 | 075,671,927 | ---- | C] () -- C:\windows\System32\uparaet.dll
[2010/05/06 05:41:54 | 074,064,048 | ---- | C] () -- C:\windows\System32\sarlindo.dll
[2010/05/06 05:41:54 | 072,995,043 | ---- | C] () -- C:\windows\System32\pandupcra.dll
[2010/05/06 05:41:54 | 071,178,592 | ---- | C] () -- C:\windows\System32\winapicopo.dll
[2010/05/06 05:41:54 | 068,973,455 | ---- | C] () -- C:\windows\System32\apiarripor.dll
[2010/05/06 05:41:54 | 067,365,063 | ---- | C] () -- C:\windows\System32\byripas.dll
[2010/05/06 05:41:54 | 066,151,155 | ---- | C] () -- C:\windows\System32\andbplin.dll
[2010/05/06 05:41:54 | 065,413,493 | ---- | C] () -- C:\windows\System32\ygjme.dll
[2010/05/06 05:41:54 | 064,450,588 | ---- | C] () -- C:\windows\System32\upwiaje.dll
[2010/05/06 05:41:54 | 062,745,593 | ---- | C] () -- C:\windows\System32\gior32do.dll
[2010/05/06 05:41:54 | 061,072,928 | ---- | C] () -- C:\windows\System32\niaupw.dll
[2010/05/06 05:41:54 | 059,470,049 | ---- | C] () -- C:\windows\System32\apitoglo.dll
[2010/05/06 05:41:54 | 057,072,797 | ---- | C] () -- C:\windows\System32\dlllosheni.dll
[2010/05/06 05:41:54 | 054,606,531 | ---- | C] () -- C:\windows\System32\nidopob.dll
[2010/05/06 05:41:54 | 053,295,560 | ---- | C] () -- C:\windows\System32\stocraet.dll
[2010/04/05 11:40:27 | 000,045,056 | ---- | C] () -- C:\windows\System32\omnithread_rt.dll
[2010/03/30 13:28:05 | 000,274,432 | ---- | C] () -- C:\windows\System32\OE60as.dll
[2010/03/30 13:23:04 | 000,000,426 | ---- | C] () -- C:\windows\BRWMARK.INI
[2010/03/30 12:42:56 | 000,000,000 | ---- | C] () -- C:\windows\winque.INI
[2010/02/25 01:24:38 | 052,748,379 | ---- | C] () -- C:\windows\System32\jmhandapi.dll
[2010/02/25 01:24:38 | 051,841,730 | ---- | C] () -- C:\windows\System32\co32niasu.dll
[2010/02/25 01:24:38 | 050,884,611 | ---- | C] () -- C:\windows\System32\lojeandlin.dll
[2010/02/25 01:24:38 | 049,400,792 | ---- | C] () -- C:\windows\System32\orjmbcra.dll
[2010/02/25 01:24:38 | 048,711,220 | ---- | C] () -- C:\windows\System32\witowins.dll
[2010/02/25 01:24:38 | 047,843,284 | ---- | C] () -- C:\windows\System32\orgpni.dll
[2010/02/25 01:24:38 | 047,140,892 | ---- | C] () -- C:\windows\System32\hganda.dll
[2010/02/25 01:24:38 | 045,162,068 | ---- | C] () -- C:\windows\System32\asujewiasu.dll
[2010/02/25 01:24:38 | 044,523,428 | ---- | C] () -- C:\windows\System32\asandcolin.dll
[2010/02/25 01:24:38 | 043,442,514 | ---- | C] () -- C:\windows\System32\asulobshe.dll
[2010/02/25 01:24:38 | 042,543,994 | ---- | C] () -- C:\windows\System32\wetlocra.dll
[2010/02/25 01:24:38 | 041,695,984 | ---- | C] () -- C:\windows\System32\bwiorco.dll
[2010/02/25 01:24:38 | 040,597,551 | ---- | C] () -- C:\windows\System32\ripsyet.dll
[2010/02/25 01:24:38 | 037,873,338 | ---- | C] () -- C:\windows\System32\windowinrip.dll
[2010/02/25 01:24:38 | 036,817,805 | ---- | C] () -- C:\windows\System32\errexarwi.dll
[2010/02/25 01:24:38 | 035,143,247 | ---- | C] () -- C:\windows\System32\jeripora.dll
[2010/02/25 01:24:38 | 034,048,803 | ---- | C] () -- C:\windows\System32\arerrp32.dll
[2010/02/25 01:24:38 | 033,105,206 | ---- | C] () -- C:\windows\System32\winidllshe.dll
[2010/02/25 01:24:38 | 031,646,718 | ---- | C] () -- C:\windows\System32\uperrripw.dll
[2010/02/25 01:24:38 | 030,964,166 | ---- | C] () -- C:\windows\System32\shejmerrwi.dll
[2010/02/25 01:24:38 | 029,252,747 | ---- | C] () -- C:\windows\System32\evapiandy.dll
[2010/02/25 01:24:38 | 028,460,786 | ---- | C] () -- C:\windows\System32\etjmdoni.dll
[2010/02/25 01:24:38 | 026,762,701 | ---- | C] () -- C:\windows\System32\potocoe.dll
[2010/02/25 01:24:38 | 025,916,914 | ---- | C] () -- C:\windows\System32\gijmeb.dll
[2010/02/25 01:24:38 | 025,418,662 | ---- | C] () -- C:\windows\System32\lofoorb.dll
[2010/02/25 01:24:38 | 024,430,462 | ---- | C] () -- C:\windows\System32\eetgifo.dll
[2010/02/25 01:24:38 | 021,650,280 | ---- | C] () -- C:\windows\System32\jmshejee.dll
[2010/02/25 01:24:38 | 020,773,298 | ---- | C] () -- C:\windows\System32\asdllgih.dll
[2010/02/25 01:24:38 | 019,809,026 | ---- | C] () -- C:\windows\System32\rip32upni.dll
[2010/02/25 01:24:38 | 017,860,659 | ---- | C] () -- C:\windows\System32\jewgiex.dll
[2010/02/25 01:24:38 | 016,708,944 | ---- | C] () -- C:\windows\System32\toswinasu.dll
[2010/02/25 01:24:38 | 015,898,789 | ---- | C] () -- C:\windows\System32\foexevlo.dll
[2010/02/25 01:24:38 | 014,180,827 | ---- | C] () -- C:\windows\System32\evdocrashe.dll
[2010/02/25 01:24:38 | 012,469,488 | ---- | C] () -- C:\windows\System32\posheebxb.dll
[2010/02/25 01:24:38 | 008,494,549 | ---- | C] () -- C:\windows\System32\dowiexapi.dll
[2010/02/25 01:24:38 | 007,040,523 | ---- | C] () -- C:\windows\System32\wierryb.dll
[2010/02/25 01:24:38 | 005,323,414 | ---- | C] () -- C:\windows\System32\pygs.dll
[2010/02/25 01:24:38 | 003,625,607 | ---- | C] () -- C:\windows\System32\32asuerrto.dll
[2010/02/25 01:24:38 | 003,522,345 | ---- | C] () -- C:\windows\System32\apevlin.dll
[2010/02/25 01:24:38 | 003,299,288 | ---- | C] () -- C:\windows\System32\gijmerrwi.dll
[2010/02/25 01:24:38 | 002,971,389 | ---- | C] () -- C:\windows\System32\arewiny.dll
[2010/02/25 01:24:38 | 002,789,788 | ---- | C] () -- C:\windows\System32\lin32gini.dll
[2010/02/25 01:24:38 | 002,788,278 | ---- | C] () -- C:\windows\System32\jedllcrapo.dll
[2010/02/25 01:24:38 | 002,241,435 | ---- | C] () -- C:\windows\System32\wiwandas.dll
[2010/02/25 01:24:38 | 002,001,333 | ---- | C] () -- C:\windows\System32\asupyy.dll
[2010/02/25 01:24:38 | 001,944,310 | ---- | C] () -- C:\windows\System32\werrcrap.dll
[2010/02/25 01:24:38 | 001,696,724 | ---- | C] () -- C:\windows\System32\alowdll.dll
[2010/02/25 01:24:38 | 001,530,126 | ---- | C] () -- C:\windows\System32\exupupy.dll
[2010/02/25 01:24:38 | 001,144,253 | ---- | C] () -- C:\windows\System32\apilinlop.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\windows\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\windows\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\windows\System32\gthrctr.ini

< End of report >

OTL Extras logfile created on: 8/24/2010 8:15:50 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\graysl\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 120.83 Gb Free Space | 81.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive W: | 68.35 Gb Total Space | 8.20 Gb Free Space | 12.00% Space Free | Partition Type: NTFS

Computer Name: JOUR-CASR-SUP1
Current User Name: graysl
NOT logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"5900:TCP" = 5900:TCP:*:Enabled:WinVNC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe" = C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)
"E:\SecondLifePortable\Emerald Viewer\SLVoice.exe" = E:\SecondLifePortable\Emerald Viewer\SLVoice.exe:*:Enabled:SLVoice -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe" = C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 15
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2E98C5B7-D64C-4D7E-BFC3-A7D078569F28}" = Broadcom NetXtreme-I Netlink Driver and Management Installer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DDCD95B5-7230-462F-9889-7EBBEE74123C}" = Microsoft Forefront Client Security Antimalware Service
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E8B56B38-A826-11DB-8C83-0011430C73A4}" = Microsoft Forefront Client Security State Assessment Service
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 7.1.0.1195
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.70
"HDMI" = Intel® Graphics Media Accelerator Driver
"HitmanPro35" = Hitman Pro 3.5
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Unlocker" = Unlocker 1.9.0
"WinCati 4.1 - Interviewer" = WinCati 4.1 - Interviewer
"WinCati 4.1 - Supervisor" = WinCati 4.1 - Supervisor
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinVNC" = WinVNC 3.3.3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WorksDatabaseConverter" = WorksDatabaseConverter

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING BANANA FACTS AND USES _ EPIDEMICFUN.COM_FILES> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING BANANA FACTS AND USES_FILES> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING BANANA FACTS AND USES_FILES> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\LARA CROFT.JPG> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\LEGEND OF ZELDA SISTERS.JPG> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\MAGIC LISTS.XLSX> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/20/2010 10:24:27 AM | Computer Name = JOUR-CASR-SUP1 | Source = MDM | ID = 4101
Description = An error occurred while the debugger attempted to correct its registry.

Error - 8/20/2010 10:27:33 AM | Computer Name = JOUR-CASR-SUP1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting module lnkprotect.dll, version 1.0.0.1, fault address 0x000014d8.

Error - 8/20/2010 10:30:44 AM | Computer Name = JOUR-CASR-SUP1 | Source = MDM | ID = 4101
Description = An error occurred while the debugger attempted to correct its registry.

Error - 8/20/2010 10:33:04 AM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again. Context: Application, SystemIndex Catalog

[ OSession Events ]
Error - 6/21/2010 5:29:18 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 20550 seconds with 13740 seconds of active time. This session ended with a crash.

Error - 6/22/2010 11:46:16 AM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 681 seconds with 600 seconds of active time. This session ended with a crash.

Error - 6/22/2010 12:23:34 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2228 seconds with 1680 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:08:34 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3296 seconds with 3060 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:57:53 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2950 seconds with 2400 seconds of active time. This session ended with a crash.

Error - 6/24/2010 4:36:47 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9524 seconds with 7200 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/19/2010 4:05:24 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006
Description = %%830 Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147636914 Scan ID: {3A8F5C14-B06E-469D-859C-CA2FEF607AF8} User: UMC-USERS\umcjourcasrcaller Name: Virus:Win32/Ramnit.B ID: 2147636914 Severity: Severe Category: Virus Path: file:\\?\C:\Program Files\Common Files\Microsoft Shared\Help 8\dexplmnu.dll;file:\\?\C:\Program Files\Common Files\Microsoft Shared\Help 8\dexplmnu.dll Alert Type: %%805 Action: %%812 Error Code: 0x80508021 Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.

Error - 8/23/2010 9:16:59 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 9:16:58 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 9:16:58 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 10:26:09 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 10:26:02 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 10:26:31 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 12:02:12 PM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The data is the packet.

Error - 8/23/2010 3:42:05 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006
Description = %%830 Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147636914 Scan ID: {6326BECF-C0D8-4510-BB45-127E27450D38} User: UMC-USERS\graysl Name: Virus:Win32/Ramnit.B ID: 2147636914 Severity: Severe Category: Virus Path: Alert Type: %%805 Action: %%812 Error Code: 0x80508024 Error description: To finish removing spyware and other potentially unwanted software, you need to run a full scan. For information about scanning options, see Help and Support.

Error - 8/23/2010 3:46:18 PM | Computer Name = JOUR-CASR-SUP1 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Forefront Client Security State Assessment Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

< End of report >
4.
Will do; but I notice the scan is for files created or modified in the last 30 days (by default), and I'm not sure but that might need to be changed, and here's why: a while back, this computer was hit with the phony Antivirus package pop-up and the web browser search redirect. I got rid of that (I thought) with Hitman Pro. This Ramnit problem (so identified by Microsoft Forefront Client Security, anyway) shows the exact same browser redirect behavior, up to and including the little curly-q symbol at the left of the address bar when it redirects. Could what's going on now, despite a period of over 30 days of apparently being 'clean', be a resurgence of that earlier infection? And if so, should I run the scan with more than a 30 day time frame?

Oh, and Avira is now also reporting "DR/Delphi.Gen" in various dll files and such, and like with Pedalac.A, says access to the file was denied so there's nothing it can do. Since these are cropping up and moving around, are they / could they be related to the same problem?

And thanks again for the help; I really appreciate it!
5.
Elise,

Thank you for your time and help. I'll do my best to comply with your instructions, though there may be a snag or two; for example, when ComboFix attempted to install the Recovery Console, it downloaded it okay, then a pop-up appeared that said the Boot Drive Could Not Be Enumerated Properly. Don't know the results from that, because things went on anyway. Also, Avira AntiVir, which was installed as part of the original "try this first" directions, keeps telling me that something called "W32/Pedalac.A" was found in various system .exe or .dll files; it seems to change around each time.

Anyway, here's the ComboFix log:

ComboFix 10-08-22.07 - graysl 08/23/2010 14:56:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.937 [GMT -5:00]
Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.
2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira
2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv
2010-08-20 15:00 . 2010-08-23 19:59 -------- d-----w- c:\windows\system32\NtmsData
2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira
2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker
2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys
2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys
2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv
2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald
2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-23 19:54 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine
2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime
2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons
2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft
2010-08-20 14:22 . 2010-04-24 18:47 203776 ----a-w- c:\documents and settings\graysl\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 13:21 . 2010-08-02 21:26 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-08-20 13:20 . 2010-04-16 15:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer
2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip
2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip
2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:22 . 2010-06-24 12:22 112752435 ----a-w- c:\windows\system32\priparpo.dll
2010-06-24 12:22 . 2010-06-24 12:22 108877220 ----a-w- c:\windows\system32\lofoyebx.dll
2010-06-24 12:22 . 2010-06-24 12:22 107625654 ----a-w- c:\windows\system32\dllyupebx.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\
Inter.cmd [2010-3-30 690]
setup_9.0.0.722_18.08.2010_17-51.lnk - c:\documents and settings\umcjourcasrcaller\Desktop\Virus Removal Tool\setup_9.0.0.722_18.08.2010_17-51\startup.exe [2010-8-19 72208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]
"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]
"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]
"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]
R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]
R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]
S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-ikiktmhbtoajjq - c:\documents and settings\graysl\local settings\application data\tqlkhavr\xefyuhf.exe
MSConfigStartUp-jyhqxntq - c:\documents and settings\graysl\Local Settings\Application Data\qsigxbyyo\clljdpftssd.exe
MSConfigStartUp-ktuiaulj - c:\documents and settings\chamberlainab\Local Settings\Application Data\xbvxrdanf\aboxsertssd.exe
MSConfigStartUp-ljjomntfyd - c:\documents and settings\umcjourcasrcaller\local settings\application data\nhwlhog\ylfyjgy.exe
MSConfigStartUp-{C226AD38-BBFC-65F9-36B0-D2B3D07BA323} - c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe
AddRemove-63fc5ade - c:\windows\system32\63fc5ade.exe
AddRemove-{204D48C5-6231-4955-83EC-623DCB437FD9}_is1 - e:\secondlifeportable\Emerald Viewer\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 15:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1612)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-08-23 15:12:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 20:12

Pre-Run: 127,464,611,840 bytes free
Post-Run: 129,800,163,328 bytes free

- - End Of File - - E4A949CEE7BA695C8953305C9465EF80
6.
I've apparently been bitten by the Ramnit.b bug; at least that's what the Microsoft Forefront Client Security claims it is; MFCS and Antivir are the only things I've found that recognize it, but they can't get rid of it. They SAY they do, but then things show up as infected again just a few seconds later. I've followed the steps listed here and it's still present, so here are the requested log files and my plea for assistance:

DDS (Ver_10-03-17.01) - NTFSx86
Run by graysl at 10:27:51.20 on Fri 08/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1167 [GMT -5:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\spoolsv.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\Explorer.EXE
C:\windows\RTDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Documents and Settings\graysl\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://webmail.missouri.edu/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] "c:\documents and settings\graysl\application data\zyvyy\zogi.exe"
mRun: [RTHDCPL] RTDCPL.EXE
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269973430266
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\graysl\applic~1\mozilla\firefox\profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1127
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\graysl\application data\mozilla\firefox\profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - 
pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [2010-8-19 37392] R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-20 11608] R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [2010-8-19 315408] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-20 135336] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-20 267432] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-20 60936] R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880] R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120] R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-3-30 54752] R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-3-26 209960] R3 
MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-26 69616] S1 69022311;69022311;c:\windows\system32\drivers\69022311.sys --> c:\windows\system32\drivers\69022311.sys [?] S1 wcraceuc;wcraceuc;c:\windows\system32\drivers\wcraceuc.sys [2010-8-20 30784] S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864] =============== Created Last 30 ================ 2010-08-20 15:05:18 30784 ----a-w- c:\windows\system32\drivers\wcraceuc.sys 2010-08-20 15:04:34 0 d-----w- c:\docume~1\graysl\applic~1\Ynwyv 2010-08-20 15:00:25 0 d-----w- c:\windows\system32\NtmsData 2010-08-20 14:55:16 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-08-20 14:55:12 0 d-----w- c:\program files\Avira 2010-08-20 14:55:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira 2010-08-20 14:52:56 0 d-----w- c:\program files\Unlocker 2010-08-19 19:47:02 0 d-----w- c:\windows\system32\MpEngineStore 2010-08-19 19:34:08 133440 ----a-w- c:\windows\system32\LnkProtect.dll 2010-08-19 18:31:19 37392 ----a-w- c:\windows\system32\drivers\69022312.sys 2010-08-19 18:31:19 315408 ----a-w- c:\windows\system32\drivers\6902231.sys 2010-08-19 17:56:29 0 d-----w- c:\program files\riv ==================== Find3M ==================== 2010-08-19 21:14:39 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys 2010-08-19 13:12:14 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-07-02 13:46:36 12872 ----a-w- c:\windows\system32\bootdelete.exe 2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-24 12:22:04 112752435 ----a-w- c:\windows\system32\priparpo.dll 2010-06-24 12:22:04 108877220 ----a-w- c:\windows\system32\lofoyebx.dll 2010-06-24 12:22:04 107625654 ----a-w- c:\windows\system32\dllyupebx.dll 2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll 2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-17 14:03:00 80384 ----a-w- 
c:\windows\system32\iccvid.dll 2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll 2010-06-02 15:40:26 23968 ----a-w- c:\windows\fonts\bt_oldstyle.ttf 2010-06-02 15:40:08 25620 ----a-w- c:\windows\fonts\bt_new_italic.ttf 2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-30 23:36:28 135168 ----a-w- c:\windows\system32\bzpdfc.dll 2010-05-25 03:13:30 196096 ----a-w- c:\windows\system32\bzpdf.dll ============= FINISH: 10:30:59.50 =============== ark.zip Attach.zip mbam_log_2010_08_20__09_22_29_.zip