Scott Gray

Ramnit.b, search redirect, etc.

13 posts in this topic

I've apparently been bitten by the Ramnit.b bug; at least that's what the Microsoft Forefront Client Security claims it is; MFCS and Antivir are the only things I've found that recognize it, but they can't get rid of it. They SAY they do, but then things show up as infected again just a few seconds later.

I've followed the steps listed here and it's still present, so here are the requested log files and my plea for assistance:

DDS (Ver_10-03-17.01) - NTFSx86

Run by graysl at 10:27:51.20 on Fri 08/20/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1167 [GMT -5:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch

C:\windows\system32\svchost -k rpcss

c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe

C:\windows\System32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\spoolsv.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\windows\System32\alg.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\windows\Explorer.EXE

C:\windows\RTDCPL.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\windows\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\windows\system32\wuauclt.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\windows\System32\vssvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\msdtc.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\Documents and Settings\graysl\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://webmail.missouri.edu/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] "c:\documents and settings\graysl\application data\zyvyy\zogi.exe"

mRun: [RTHDCPL] RTDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper

mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269973430266

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\graysl\applic~1\mozilla\firefox\profiles\d6u1zqrm.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 1127

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\graysl\application data\mozilla\firefox\profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll

FF - component: c:\program files\mozilla firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [2010-8-19 37392]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-20 11608]

R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [2010-8-19 315408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-20 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-20 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-20 60936]

R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]

R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-3-30 54752]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-3-26 209960]

R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-26 69616]

S1 69022311;69022311;c:\windows\system32\drivers\69022311.sys --> c:\windows\system32\drivers\69022311.sys [?]

S1 wcraceuc;wcraceuc;c:\windows\system32\drivers\wcraceuc.sys [2010-8-20 30784]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-08-20 15:05:18 30784 ----a-w- c:\windows\system32\drivers\wcraceuc.sys

2010-08-20 15:04:34 0 d-----w- c:\docume~1\graysl\applic~1\Ynwyv

2010-08-20 15:00:25 0 d-----w- c:\windows\system32\NtmsData

2010-08-20 14:55:16 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-20 14:55:12 0 d-----w- c:\program files\Avira

2010-08-20 14:55:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-08-20 14:52:56 0 d-----w- c:\program files\Unlocker

2010-08-19 19:47:02 0 d-----w- c:\windows\system32\MpEngineStore

2010-08-19 19:34:08 133440 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-19 18:31:19 37392 ----a-w- c:\windows\system32\drivers\69022312.sys

2010-08-19 18:31:19 315408 ----a-w- c:\windows\system32\drivers\6902231.sys

2010-08-19 17:56:29 0 d-----w- c:\program files\riv

==================== Find3M ====================

2010-08-19 21:14:39 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys

2010-08-19 13:12:14 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-07-02 13:46:36 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22:04 112752435 ----a-w- c:\windows\system32\priparpo.dll

2010-06-24 12:22:04 108877220 ----a-w- c:\windows\system32\lofoyebx.dll

2010-06-24 12:22:04 107625654 ----a-w- c:\windows\system32\dllyupebx.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-02 15:40:26 23968 ----a-w- c:\windows\fonts\bt_oldstyle.ttf

2010-06-02 15:40:08 25620 ----a-w- c:\windows\fonts\bt_new_italic.ttf

2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-30 23:36:28 135168 ----a-w- c:\windows\system32\bzpdfc.dll

2010-05-25 03:13:30 196096 ----a-w- c:\windows\system32\bzpdf.dll

============= FINISH: 10:30:59.50 ===============

ark.zip

Attach.zip

mbam_log_2010_08_20__09_22_29_.zip


Hello,

And ;) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Elise,

Thank you for your time and help. I'll do my best to comply with your instructions, though there may be a snag or two; for example, when ComboFix attempted to install the Recovery Console, it downloaded it okay, then a pop-up appeared that said the Boot Drive Could Not Be Enumerated Properly. Don't know the results from that, because things went on anyway.

Also, Avira AntiVir, which was installed as part of the original "try this first" directions, keeps telling me that something called "W32/Pedalac.A" was found in various system .exe or .dll files; it seems to change around each time.

Anyway, here's the ComboFix log:

ComboFix 10-08-22.07 - graysl 08/23/2010 14:56:47.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.937 [GMT -5:00]

Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))

.

2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira

2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv

2010-08-20 15:00 . 2010-08-23 19:59 -------- d-----w- c:\windows\system32\NtmsData

2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira

2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker

2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore

2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys

2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys

2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv

2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald

2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-23 19:54 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine

2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search

2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime

2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons

2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft

2010-08-20 14:22 . 2010-04-24 18:47 203776 ----a-w- c:\documents and settings\graysl\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 13:21 . 2010-08-02 21:26 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2010-08-20 13:20 . 2010-04-16 15:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys

2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer

2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer

2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip

2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip

2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-24 12:22 . 2010-06-24 12:22 112752435 ----a-w- c:\windows\system32\priparpo.dll

2010-06-24 12:22 . 2010-06-24 12:22 108877220 ----a-w- c:\windows\system32\lofoyebx.dll

2010-06-24 12:22 . 2010-06-24 12:22 107625654 ----a-w- c:\windows\system32\dllyupebx.dll

2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll

2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]

"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\

Inter.cmd [2010-3-30 690]

setup_9.0.0.722_18.08.2010_17-51.lnk - c:\documents and settings\umcjourcasrcaller\Desktop\Virus Removal Tool\setup_9.0.0.722_18.08.2010_17-51\startup.exe [2010-8-19 72208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]

"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]

"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]

"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]

"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]

"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]

R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]

R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]

R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]

S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\MP Scheduled Quick Scan.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Signature Update.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

MSConfigStartUp-ikiktmhbtoajjq - c:\documents and settings\graysl\local settings\application data\tqlkhavr\xefyuhf.exe

MSConfigStartUp-jyhqxntq - c:\documents and settings\graysl\Local Settings\Application Data\qsigxbyyo\clljdpftssd.exe

MSConfigStartUp-ktuiaulj - c:\documents and settings\chamberlainab\Local Settings\Application Data\xbvxrdanf\aboxsertssd.exe

MSConfigStartUp-ljjomntfyd - c:\documents and settings\umcjourcasrcaller\local settings\application data\nhwlhog\ylfyjgy.exe

MSConfigStartUp-{C226AD38-BBFC-65F9-36B0-D2B3D07BA323} - c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe

AddRemove-63fc5ade - c:\windows\system32\63fc5ade.exe

AddRemove-{204D48C5-6231-4955-83EC-623DCB437FD9}_is1 - e:\secondlifeportable\Emerald Viewer\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-23 15:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1612)

c:\windows\system32\WININET.dll

c:\windows\system32\igfxdo.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\RTDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2010-08-23 15:12:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-23 20:12

Pre-Run: 127,464,611,840 bytes free

Post-Run: 129,800,163,328 bytes free

- - End Of File - - E4A949CEE7BA695C8953305C9465EF80


I see no signs of Ramnit yet (which doesn't mean it isn't there), so let's take a closer look.

OTL

-----

Please download OTL from one of the following mirrors:

1. Save it to your desktop.

2. Double click on the OTL icon on your desktop.

3. Click the "Scan All Users" checkbox.

4. Push the Run Scan button.

5. Two reports will open; copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
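The "closer look" this reply asks for comes down to reading the OTL output for a handful of patterns: autorun entries whose target no longer exists, Run values named with a bare GUID instead of a product name, autoruns living under a user's Application Data in randomly named folders, binaries with no company string, and a browser proxy pointing back at the local machine. Every one of those patterns appears in the logs posted in this thread (the ComboFix "ORPHANS REMOVED" block and the OTL O4 and FF lines). The Python below is an added example, not part of the thread, of OTL, or of ComboFix: it applies those rules to lines in OTL's O4 and FF prefs.js format. The sample lines are constructed to match the format shown here, and the rule thresholds (vowel ratio, consonant-run length, what counts as a loopback host) are assumptions of the example, not OTL features or any vendor's detection logic.

```python
"""Triage pass over OTL autorun (O4) and Firefox proxy (FF - prefs.js) lines.

Added example for this thread; it is not part of OTL, ComboFix or the
original posts. The rules below are assumptions of this example, not OTL
features or vendor detection names.
"""
import re

# Constructed sample in OTL's own output format (lines of the kind the thread shows).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-201074022-649947792-1237804090-90572..\Run: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] C:\Documents and Settings\graysl\Application Data\Zyvyy\zogi.exe File not found
O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\Inter.cmd ()
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1127
FF - prefs.js..network.proxy.type: 0
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<rest>.+)$")
PREF_RE = re.compile(r"^FF - prefs\.js\.\.(?P<key>network\.proxy\.[a-z_]+): (?P<val>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Autoruns stored under a user profile's (Local Settings\)Application Data.
PROFILE_RE = re.compile(
    r"\\Documents and Settings\\(?P<user>[^\\]+)\\(?:Local Settings\\)?Application Data\\(?P<sub>.+)$",
    re.IGNORECASE,
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): few vowels or a long consonant run."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.25 or longest >= 4


def split_rest(rest: str):
    """'path (Company)' / 'path ()' / 'path File not found' -> (path, company, missing)."""
    if rest.endswith(" File not found"):
        return rest[: -len(" File not found")], None, True
    if rest.endswith(")") and " (" in rest:
        path, company = rest.rsplit(" (", 1)
        return path, company[:-1], False
    return rest, None, False


def assess(name, path, company, missing):
    """Return the list of reasons an autorun entry deserves a second look."""
    reasons = []
    if missing:
        reasons.append("dead autorun: target file is gone but the entry remains")
    if company == "":
        reasons.append("no company/version info in the binary")
    if name and GUID_RE.match(name):
        reasons.append("bare GUID used as Run value name")
    m = PROFILE_RE.search(path)
    if m:
        stems = [p.rsplit(".", 1)[0] for p in m.group("sub").split("\\")]
        odd = [s for s in stems if looks_random(s)]
        if odd:
            reasons.append(f"autorun under {m.group('user')}'s Application Data "
                           f"with random-looking name {odd[0]!r}")
    return reasons


def triage(text: str):
    """Scan OTL-format lines; return findings as dicts with entry, name, reasons."""
    findings, prefs = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            name = m.groupdict().get("name")
            path, company, missing = split_rest(m.group("rest"))
            reasons = assess(name, path, company, missing)
            if reasons:
                findings.append({"entry": path, "name": name, "reasons": reasons})
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("key")] = m.group("val").strip('"')
    host = prefs.get("network.proxy.http")
    if host in LOOPBACK:
        port = prefs.get("network.proxy.http_port", "?")
        ptype = prefs.get("network.proxy.type")
        state = "inert (network.proxy.type=0)" if ptype == "0" else f"active (network.proxy.type={ptype})"
        findings.append({"entry": f"{host}:{port}", "name": "network.proxy.http", "reasons": [
            f"Firefox HTTP proxy points at loopback, {state}: a local process was meant to sit "
            "between the browser and the network; confirm which program listens on that port"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], f["entry"])
        for r in f["reasons"]:
            print("   -", r)
```

Run it as a script to print the findings for the sample, or feed `triage()` the text of a whole OTL.txt. The proxy finding is reported as inert when network.proxy.type is 0, because Firefox then ignores the host and port; the leftover value still says a local listener was configured at some point, and `netstat -ano` on the affected machine shows which process, if any, still owns that port. None of these rules is proof of infection on its own (UnlockerAssistant.exe is flagged only for its empty company string); they order the list so a responder reads the worst entries first.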


Will do; but I notice the scan is for files created or modified in the last 30 days (by default), and I'm not sure but that might need to be changed, and here's why: a while back, this computer was hit with the phony Antivirus package pop-up and the web browser search redirect. I got rid of that (I thought) with Hitman Pro. This Ramnit problem (so identified by Microsoft Forefront Client Security, anyway) shows the exact same browser redirect behavior, up to and including the little curly-q symbol at the left of the address bar when it redirects.

Could what's going on now, despite a period of over 30 days of apparently being 'clean', be a resurgence of that earlier infection? And if so, should I run the scan with more than a 30 day time frame?

Oh, and Avira is now also reporting "DR/Delphi.Gen" in various DLL files and such, and, like with Pedalac.A, says access to the file was denied, so there's nothing it can do. Since these are cropping up and moving around, are they / could they be related to the same problem?

And thanks again for the help; I really appreciate it!


Hi, we can change the default 30 days to 60, but let's first see what your logs come up with. Ramnit can be quite a pain to fully get rid of, and it's indeed possible it was still there.


OTL logfile created on: 8/24/2010 8:15:50 AM - Run 1

OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\graysl\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 120.83 Gb Free Space | 81.09% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive W: | 68.35 Gb Total Space | 8.20 Gb Free Space | 12.00% Space Free | Partition Type: NTFS

Computer Name: JOUR-CASR-SUP1

Current User Name: graysl

NOT logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe

PRC - [2010/07/22 21:07:03 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe

PRC - [2010/07/22 21:06:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/07/04 14:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe

PRC - [2010/05/20 23:44:02 | 012,978,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2010/01/19 16:51:32 | 001,033,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe

PRC - [2010/01/19 16:49:44 | 000,016,880 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe

PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2009/08/26 15:49:00 | 002,691,072 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTDCPL.EXE

PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe

========== Modules (SafeList) ==========

MOD - [2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe

MOD - [2010/07/04 16:32:36 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll

MOD - [2009/06/25 07:51:42 | 000,130,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxdo.dll

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\windows\System32\hidserv.dll -- (HidServ)

SRV - [2010/08/20 09:17:35 | 000,208,896 | ---- | M] (AT&T Research Labs Cambridge) [Auto | Stopped] -- C:\Program Files\ORL\VNC\WinVNC.exe -- (winvnc)

SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2010/01/19 16:49:44 | 000,016,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -- (FCSAM)

SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)

SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)

SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)

SRV - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe -- (FcsSas)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)

DRV - File not found [Kernel | System | Stopped] -- C:\windows\System32\DRIVERS\69022311.sys -- (69022311)

DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)

DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2009/10/23 11:14:08 | 005,876,224 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtDHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\69022312.sys -- (69022312)

DRV - [2009/10/09 23:31:10 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\6902231.sys -- (setup_9.0.0.722_18.08.2010_17-51drv)

DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)

DRV - [2009/07/31 20:31:50 | 004,747,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igdkmd32.sys -- (igfx)

DRV - [2009/06/25 08:09:16 | 006,316,160 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2009/05/31 02:41:00 | 000,209,960 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\k57xp32.sys -- (k57w2k) Broadcom NetLink

DRV - [2009/05/22 15:15:50 | 000,090,112 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)

DRV - [2009/05/15 12:35:52 | 000,069,616 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)

DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webmail.missouri.edu/

IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E2 C2 EC 76 2B E3 CA 01 [binary data]

IE - HKU\S-1-5-21-201074022-649947792-1237804090-90572\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.69.1

FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.7.8

FF - prefs.js..extensions.enabledItems: TooManyTabs@visibotech.com:1.2.0

FF - prefs.js..extensions.enabledItems: sharing@addons.mozilla.org:1.1.1

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: savecomplete@perlprogrammer.com:1.0.1

FF - prefs.js..extensions.enabledItems: lazarus@interclue.com:2.0.5

FF - prefs.js..extensions.enabledItems: charlie@packetprotector.org:1.2

FF - prefs.js..extensions.enabledItems: amano@os14.com:1.3

FF - prefs.js..extensions.enabledItems: guiconfig@slosd.net:1.0

FF - prefs.js..extensions.enabledItems: omfg@olive:0.6.080510

FF - prefs.js..extensions.enabledItems: firefox@red-cog.com:2.6

FF - prefs.js..extensions.enabledItems: download-panel@kwok.wai.kan:2009.09.02

FF - prefs.js..extensions.enabledItems: FasterFox_Lite@BigRedBrent:3.8.2Lite

FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:4.1.12s

FF - prefs.js..extensions.enabledItems: optout@dubfire.net:3.02

FF - prefs.js..extensions.enabledItems: CompactMenuCE@Merci.chao:4.3.2

FF - prefs.js..extensions.enabledItems: {095751f7-cef8-b08c-63e7-aef653237eba}:4.6.6.7

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 1127

FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/20 09:33:10 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/20 09:48:54 | 000,000,000 | ---D | M]

[2010/04/05 10:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Extensions

[2010/08/23 15:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions

[2010/06/15 08:10:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\amano@os14.com

[2010/04/24 14:06:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\charlie@packetprotector.org

[2010/06/15 08:10:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\CompactMenuCE@Merci.chao

[2010/06/15 08:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\download-panel@kwok.wai.kan

[2010/06/15 08:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\FasterFox_Lite@BigRedBrent

[2010/06/15 08:12:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\firefox@red-cog.com

[2010/07/08 07:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\foxmarks@kei.com

[2010/06/15 08:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\guiconfig@slosd.net

[2010/06/15 08:13:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com

[2010/06/15 08:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\omfg@olive

[2010/06/22 09:19:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net

[2010/06/15 08:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\savecomplete@perlprogrammer.com

[2010/06/15 08:13:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\sharing@addons.mozilla.org

[2010/06/15 08:14:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\SkipScreen@SkipScreen

[2010/08/06 07:38:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\staged-xpis

[2010/08/02 16:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com

[2010/06/15 08:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\TooManyTabs@visibotech.com

[2010/08/23 15:29:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/04/29 14:04:12 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}

[2009/11/19 16:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

[2009/11/19 16:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2010/08/23 15:07:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O3 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)

O4 - HKLM..\Run: [Microsoft Forefront Client Security Antimalware Service] c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [RTHDCPL] C:\windows\RTDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()

O4 - HKLM..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe (AT&T Research Labs Cambridge)

O4 - HKU\S-1-5-21-201074022-649947792-1237804090-90572..\Run: [{C226AD38-BBFC-65F9-36B0-D2B3D07BA323}] C:\Documents and Settings\graysl\Application Data\Zyvyy\zogi.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\Inter.cmd ()

O4 - Startup: C:\Documents and Settings\umcjourcasrcaller\Start Menu\Programs\Startup\setup_9.0.0.722_18.08.2010_17-51.lnk = C:\Documents and Settings\graysl\Desktop\Virus Removal Tool\setup_9.0.0.722_18.08.2010_17-51\startup.exe File not found

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1269973430266 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.206.10.3 128.206.10.2

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = col.missouri.edu

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\windows\System32\NavLogon.dll File not found

O24 - Desktop WallPaper:

O24 - Desktop BackupWallPaper:

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/03/26 13:14:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/09/07 06:33:04 | 000,004,656 | ---- | M] () - W:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [1997/02/12 16:53:58 | 000,000,123 | ---- | M] () - W:\autoexec.w95 -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/24 08:15:08 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe

[2010/08/23 14:56:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\Avira

[2010/08/23 14:50:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe

[2010/08/23 14:50:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe

[2010/08/23 14:50:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe

[2010/08/23 14:50:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe

[2010/08/23 14:50:04 | 000,000,000 | ---D | C] -- C:\windows\ERDNT

[2010/08/23 14:45:10 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/08/20 11:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Desktop\MMS2_files

[2010/08/20 10:38:58 | 000,000,000 | ---D | C] -- C:\windows\Minidump

[2010/08/20 10:04:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\Ynwyv

[2010/08/20 10:00:25 | 000,000,000 | ---D | C] -- C:\windows\System32\NtmsData

[2010/08/20 09:55:21 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\ssmdrv.sys

[2010/08/20 09:55:16 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avipbb.sys

[2010/08/20 09:55:16 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntflt.sys

[2010/08/20 09:55:16 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntmgr.sys

[2010/08/20 09:55:15 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntdd.sys

[2010/08/20 09:55:12 | 000,000,000 | ---D | C] -- C:\Program Files\Avira

[2010/08/20 09:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira

[2010/08/20 09:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker

[2010/08/20 08:27:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\My Documents\Downloads

[2010/08/19 16:19:37 | 008,573,648 | ---- | C] (Mozilla) -- C:\Documents and Settings\graysl\My Documents\Firefox Setup 3.6.8.exe

[2010/08/19 14:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\My Documents\pics5

[2010/08/19 14:47:02 | 000,000,000 | ---D | C] -- C:\windows\System32\MpEngineStore

[2010/08/19 14:34:08 | 000,133,440 | ---- | C] (SurfRight B.V.) -- C:\windows\System32\LnkProtect.dll

[2010/08/19 13:31:19 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\6902231.sys

[2010/08/19 13:31:19 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\69022312.sys

[2010/08/19 12:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\riv

[2010/08/17 08:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Application Data\SecondLife

[2010/08/17 08:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Local Settings\Application Data\Emerald

[2010/08/06 15:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\graysl\Desktop\Magic

[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/24 08:16:35 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\graysl\NTUSER.DAT

[2010/08/24 08:15:23 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\graysl\Desktop\OTL.exe

[2010/08/24 07:57:01 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Microsoft Office Outlook 2007.lnk

[2010/08/24 07:56:28 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl

[2010/08/24 01:40:00 | 000,000,406 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Scan.job

[2010/08/23 16:17:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\graysl\ntuser.ini

[2010/08/23 15:09:57 | 000,000,412 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Signature Update.job

[2010/08/23 15:09:55 | 000,000,430 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Quick Scan.job

[2010/08/23 15:08:06 | 000,000,227 | ---- | M] () -- C:\windows\system.ini

[2010/08/23 15:07:33 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts

[2010/08/23 15:06:43 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT

[2010/08/23 15:06:41 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat

[2010/08/23 14:44:31 | 003,825,912 | R--- | M] () -- C:\Documents and Settings\graysl\Desktop\ComboFix.exe

[2010/08/23 08:42:25 | 000,000,426 | ---- | M] () -- C:\windows\BRWMARK.INI

[2010/08/23 08:07:44 | 000,015,944 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro35.sys

[2010/08/23 08:02:19 | 000,000,582 | ---- | M] () -- C:\windows\win.ini

[2010/08/20 15:39:21 | 000,004,995 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Attach.zip

[2010/08/20 15:39:17 | 000,001,039 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\ark.zip

[2010/08/20 15:39:09 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\mbam-log-2010-08-20 (09-22-29).zip

[2010/08/20 11:14:28 | 000,031,969 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\MMS2.htm

[2010/08/20 10:37:00 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\wxxjuoeo.exe

[2010/08/20 10:27:46 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\dds.scr

[2010/08/20 10:25:34 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Defogger.exe

[2010/08/20 09:55:41 | 000,001,716 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk

[2010/08/20 09:33:12 | 000,001,629 | ---- | M] () -- C:\Documents and Settings\graysl\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2010/08/20 09:33:12 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/08/19 16:49:15 | 000,001,672 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

[2010/08/19 16:19:49 | 008,573,648 | ---- | M] (Mozilla) -- C:\Documents and Settings\graysl\My Documents\Firefox Setup 3.6.8.exe

[2010/08/19 14:34:08 | 000,133,440 | ---- | M] (SurfRight B.V.) -- C:\windows\System32\LnkProtect.dll

[2010/08/13 10:01:44 | 000,000,870 | ---- | M] () -- C:\Documents and Settings\graysl\Desktop\Shortcut to GIMPPortable.lnk

[2010/08/12 08:05:49 | 000,000,061 | ---- | M] () -- C:\windows\System32\mapisvc.inf

[2010/08/12 08:05:48 | 000,015,724 | ---- | M] () -- C:\windows\System32\PageADT.hlp

[2010/08/12 03:09:24 | 000,269,392 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT

[2010/08/12 03:06:46 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK

[2010/08/12 03:05:28 | 000,534,674 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI

[2010/08/12 03:05:28 | 000,464,964 | ---- | M] () -- C:\windows\System32\perfh009.dat

[2010/08/12 03:05:28 | 000,079,248 | ---- | M] () -- C:\windows\System32\perfc009.dat

[2010/07/27 01:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dllcache\shell32.dll

[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/23 14:50:21 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe

[2010/08/23 14:50:21 | 000,077,312 | ---- | C] () -- C:\windows\MBR.exe

[2010/08/23 14:50:20 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe

[2010/08/23 14:50:20 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe

[2010/08/23 14:50:20 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe

[2010/08/23 14:44:21 | 003,825,912 | R--- | C] () -- C:\Documents and Settings\graysl\Desktop\ComboFix.exe

[2010/08/20 15:39:21 | 000,004,995 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Attach.zip

[2010/08/20 15:39:17 | 000,001,039 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\ark.zip

[2010/08/20 15:39:09 | 000,000,836 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\mbam-log-2010-08-20 (09-22-29).zip

[2010/08/20 11:14:26 | 000,031,969 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\MMS2.htm

[2010/08/20 10:36:59 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\wxxjuoeo.exe

[2010/08/20 10:27:37 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\dds.scr

[2010/08/20 10:25:33 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Defogger.exe

[2010/08/20 09:55:41 | 000,001,716 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk

[2010/08/19 16:22:17 | 000,001,629 | ---- | C] () -- C:\Documents and Settings\graysl\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2010/08/19 16:22:17 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/08/19 14:33:41 | 000,001,672 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

[2010/08/13 10:01:44 | 000,000,870 | ---- | C] () -- C:\Documents and Settings\graysl\Desktop\Shortcut to GIMPPortable.lnk

[2010/06/24 07:22:04 | 112,752,435 | ---- | C] () -- C:\windows\System32\priparpo.dll

[2010/06/24 07:22:04 | 108,877,220 | ---- | C] () -- C:\windows\System32\lofoyebx.dll

[2010/06/24 07:22:04 | 107,625,654 | ---- | C] () -- C:\windows\System32\dllyupebx.dll

[2010/06/14 14:17:26 | 000,015,944 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys

[2010/05/24 16:29:21 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\graysl\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/05/06 05:41:54 | 106,020,036 | ---- | C] () -- C:\windows\System32\ylingie.dll

[2010/05/06 05:41:54 | 105,549,880 | ---- | C] () -- C:\windows\System32\evcraandg.dll

[2010/05/06 05:41:54 | 102,515,873 | ---- | C] () -- C:\windows\System32\toevandwin.dll

[2010/05/06 05:41:54 | 100,832,561 | ---- | C] () -- C:\windows\System32\ygiwifo.dll

[2010/05/06 05:41:54 | 098,849,697 | ---- | C] () -- C:\windows\System32\craetexex.dll

[2010/05/06 05:41:54 | 097,728,123 | ---- | C] () -- C:\windows\System32\aspoerrrip.dll

[2010/05/06 05:41:54 | 096,866,548 | ---- | C] () -- C:\windows\System32\winjese.dll

[2010/05/06 05:41:54 | 096,092,765 | ---- | C] () -- C:\windows\System32\she32etpo.dll

[2010/05/06 05:41:54 | 094,933,195 | ---- | C] () -- C:\windows\System32\etyorp.dll

[2010/05/06 05:41:54 | 093,038,812 | ---- | C] () -- C:\windows\System32\ajedllco.dll

[2010/05/06 05:41:54 | 092,167,290 | ---- | C] () -- C:\windows\System32\asripasand.dll

[2010/05/06 05:41:54 | 091,073,586 | ---- | C] () -- C:\windows\System32\hexloex.dll

[2010/05/06 05:41:54 | 089,865,909 | ---- | C] () -- C:\windows\System32\wiapias.dll

[2010/05/06 05:41:54 | 088,557,801 | ---- | C] () -- C:\windows\System32\jmcraevs.dll

[2010/05/06 05:41:54 | 087,325,056 | ---- | C] () -- C:\windows\System32\aslinplo.dll

[2010/05/06 05:41:54 | 086,097,648 | ---- | C] () -- C:\windows\System32\jeppapi.dll

[2010/05/06 05:41:54 | 084,890,712 | ---- | C] () -- C:\windows\System32\sheworrip.dll

[2010/05/06 05:41:54 | 084,113,160 | ---- | C] () -- C:\windows\System32\hdllarw.dll

[2010/05/06 05:41:54 | 082,456,037 | ---- | C] () -- C:\windows\System32\cotoupar.dll

[2010/05/06 05:41:54 | 081,503,133 | ---- | C] () -- C:\windows\System32\focoripar.dll

[2010/05/06 05:41:54 | 078,989,483 | ---- | C] () -- C:\windows\System32\jeydopo.dll

[2010/05/06 05:41:54 | 076,946,106 | ---- | C] () -- C:\windows\System32\asetnico.dll

[2010/05/06 05:41:54 | 075,671,927 | ---- | C] () -- C:\windows\System32\uparaet.dll

[2010/05/06 05:41:54 | 074,064,048 | ---- | C] () -- C:\windows\System32\sarlindo.dll

[2010/05/06 05:41:54 | 072,995,043 | ---- | C] () -- C:\windows\System32\pandupcra.dll

[2010/05/06 05:41:54 | 071,178,592 | ---- | C] () -- C:\windows\System32\winapicopo.dll

[2010/05/06 05:41:54 | 068,973,455 | ---- | C] () -- C:\windows\System32\apiarripor.dll

[2010/05/06 05:41:54 | 067,365,063 | ---- | C] () -- C:\windows\System32\byripas.dll

[2010/05/06 05:41:54 | 066,151,155 | ---- | C] () -- C:\windows\System32\andbplin.dll

[2010/05/06 05:41:54 | 065,413,493 | ---- | C] () -- C:\windows\System32\ygjme.dll

[2010/05/06 05:41:54 | 064,450,588 | ---- | C] () -- C:\windows\System32\upwiaje.dll

[2010/05/06 05:41:54 | 062,745,593 | ---- | C] () -- C:\windows\System32\gior32do.dll

[2010/05/06 05:41:54 | 061,072,928 | ---- | C] () -- C:\windows\System32\niaupw.dll

[2010/05/06 05:41:54 | 059,470,049 | ---- | C] () -- C:\windows\System32\apitoglo.dll

[2010/05/06 05:41:54 | 057,072,797 | ---- | C] () -- C:\windows\System32\dlllosheni.dll

[2010/05/06 05:41:54 | 054,606,531 | ---- | C] () -- C:\windows\System32\nidopob.dll

[2010/05/06 05:41:54 | 053,295,560 | ---- | C] () -- C:\windows\System32\stocraet.dll

[2010/04/05 11:40:27 | 000,045,056 | ---- | C] () -- C:\windows\System32\omnithread_rt.dll

[2010/03/30 13:28:05 | 000,274,432 | ---- | C] () -- C:\windows\System32\OE60as.dll

[2010/03/30 13:23:04 | 000,000,426 | ---- | C] () -- C:\windows\BRWMARK.INI

[2010/03/30 12:42:56 | 000,000,000 | ---- | C] () -- C:\windows\winque.INI

[2010/02/25 01:24:38 | 052,748,379 | ---- | C] () -- C:\windows\System32\jmhandapi.dll

[2010/02/25 01:24:38 | 051,841,730 | ---- | C] () -- C:\windows\System32\co32niasu.dll

[2010/02/25 01:24:38 | 050,884,611 | ---- | C] () -- C:\windows\System32\lojeandlin.dll

[2010/02/25 01:24:38 | 049,400,792 | ---- | C] () -- C:\windows\System32\orjmbcra.dll

[2010/02/25 01:24:38 | 048,711,220 | ---- | C] () -- C:\windows\System32\witowins.dll

[2010/02/25 01:24:38 | 047,843,284 | ---- | C] () -- C:\windows\System32\orgpni.dll

[2010/02/25 01:24:38 | 047,140,892 | ---- | C] () -- C:\windows\System32\hganda.dll

[2010/02/25 01:24:38 | 045,162,068 | ---- | C] () -- C:\windows\System32\asujewiasu.dll

[2010/02/25 01:24:38 | 044,523,428 | ---- | C] () -- C:\windows\System32\asandcolin.dll

[2010/02/25 01:24:38 | 043,442,514 | ---- | C] () -- C:\windows\System32\asulobshe.dll

[2010/02/25 01:24:38 | 042,543,994 | ---- | C] () -- C:\windows\System32\wetlocra.dll

[2010/02/25 01:24:38 | 041,695,984 | ---- | C] () -- C:\windows\System32\bwiorco.dll

[2010/02/25 01:24:38 | 040,597,551 | ---- | C] () -- C:\windows\System32\ripsyet.dll

[2010/02/25 01:24:38 | 037,873,338 | ---- | C] () -- C:\windows\System32\windowinrip.dll

[2010/02/25 01:24:38 | 036,817,805 | ---- | C] () -- C:\windows\System32\errexarwi.dll

[2010/02/25 01:24:38 | 035,143,247 | ---- | C] () -- C:\windows\System32\jeripora.dll

[2010/02/25 01:24:38 | 034,048,803 | ---- | C] () -- C:\windows\System32\arerrp32.dll

[2010/02/25 01:24:38 | 033,105,206 | ---- | C] () -- C:\windows\System32\winidllshe.dll

[2010/02/25 01:24:38 | 031,646,718 | ---- | C] () -- C:\windows\System32\uperrripw.dll

[2010/02/25 01:24:38 | 030,964,166 | ---- | C] () -- C:\windows\System32\shejmerrwi.dll

[2010/02/25 01:24:38 | 029,252,747 | ---- | C] () -- C:\windows\System32\evapiandy.dll

[2010/02/25 01:24:38 | 028,460,786 | ---- | C] () -- C:\windows\System32\etjmdoni.dll

[2010/02/25 01:24:38 | 026,762,701 | ---- | C] () -- C:\windows\System32\potocoe.dll

[2010/02/25 01:24:38 | 025,916,914 | ---- | C] () -- C:\windows\System32\gijmeb.dll

[2010/02/25 01:24:38 | 025,418,662 | ---- | C] () -- C:\windows\System32\lofoorb.dll

[2010/02/25 01:24:38 | 024,430,462 | ---- | C] () -- C:\windows\System32\eetgifo.dll

[2010/02/25 01:24:38 | 021,650,280 | ---- | C] () -- C:\windows\System32\jmshejee.dll

[2010/02/25 01:24:38 | 020,773,298 | ---- | C] () -- C:\windows\System32\asdllgih.dll

[2010/02/25 01:24:38 | 019,809,026 | ---- | C] () -- C:\windows\System32\rip32upni.dll

[2010/02/25 01:24:38 | 017,860,659 | ---- | C] () -- C:\windows\System32\jewgiex.dll

[2010/02/25 01:24:38 | 016,708,944 | ---- | C] () -- C:\windows\System32\toswinasu.dll

[2010/02/25 01:24:38 | 015,898,789 | ---- | C] () -- C:\windows\System32\foexevlo.dll

[2010/02/25 01:24:38 | 014,180,827 | ---- | C] () -- C:\windows\System32\evdocrashe.dll

[2010/02/25 01:24:38 | 012,469,488 | ---- | C] () -- C:\windows\System32\posheebxb.dll

[2010/02/25 01:24:38 | 008,494,549 | ---- | C] () -- C:\windows\System32\dowiexapi.dll

[2010/02/25 01:24:38 | 007,040,523 | ---- | C] () -- C:\windows\System32\wierryb.dll

[2010/02/25 01:24:38 | 005,323,414 | ---- | C] () -- C:\windows\System32\pygs.dll

[2010/02/25 01:24:38 | 003,625,607 | ---- | C] () -- C:\windows\System32\32asuerrto.dll

[2010/02/25 01:24:38 | 003,522,345 | ---- | C] () -- C:\windows\System32\apevlin.dll

[2010/02/25 01:24:38 | 003,299,288 | ---- | C] () -- C:\windows\System32\gijmerrwi.dll

[2010/02/25 01:24:38 | 002,971,389 | ---- | C] () -- C:\windows\System32\arewiny.dll

[2010/02/25 01:24:38 | 002,789,788 | ---- | C] () -- C:\windows\System32\lin32gini.dll

[2010/02/25 01:24:38 | 002,788,278 | ---- | C] () -- C:\windows\System32\jedllcrapo.dll

[2010/02/25 01:24:38 | 002,241,435 | ---- | C] () -- C:\windows\System32\wiwandas.dll

[2010/02/25 01:24:38 | 002,001,333 | ---- | C] () -- C:\windows\System32\asupyy.dll

[2010/02/25 01:24:38 | 001,944,310 | ---- | C] () -- C:\windows\System32\werrcrap.dll

[2010/02/25 01:24:38 | 001,696,724 | ---- | C] () -- C:\windows\System32\alowdll.dll

[2010/02/25 01:24:38 | 001,530,126 | ---- | C] () -- C:\windows\System32\exupupy.dll

[2010/02/25 01:24:38 | 001,144,253 | ---- | C] () -- C:\windows\System32\apilinlop.dll

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\windows\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\windows\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\windows\System32\gthrctr.ini

< End of report >

OTL Extras logfile created on: 8/24/2010 8:15:50 AM - Run 1

OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\graysl\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 120.83 Gb Free Space | 81.09% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive W: | 68.35 Gb Total Space | 8.20 Gb Free Space | 12.00% Space Free | Partition Type: NTFS

Computer Name: JOUR-CASR-SUP1

Current User Name: graysl

NOT logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"5900:TCP" = 5900:TCP:*:Enabled:WinVNC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

"C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe" = C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)

"E:\SecondLifePortable\Emerald Viewer\SLVoice.exe" = E:\SecondLifePortable\Emerald Viewer\SLVoice.exe:*:Enabled:SLVoice -- File not found

"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

"C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe" = C:\Program Files\Sybase\Adaptive Server Anywhere 6.0\win32\dbeng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool

"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant

"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety

"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 15

"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime

"{2E98C5B7-D64C-4D7E-BFC3-A7D078569F28}" = Broadcom NetXtreme-I Netlink Driver and Management Installer

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack

"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support

"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector

"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3

"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery

"{DDCD95B5-7230-462F-9889-7EBBEE74123C}" = Microsoft Forefront Client Security Antimalware Service

"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update

"{E8B56B38-A826-11DB-8C83-0011430C73A4}" = Microsoft Forefront Client Security State Assessment Service

"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"Bullzip PDF Printer_is1" = Bullzip PDF Printer 7.1.0.1195

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows

"ENTERPRISE" = Microsoft Office Enterprise 2007

"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.70

"HDMI" = Intel® Graphics Media Accelerator Driver

"HitmanPro35" = Hitman Pro 3.5

"ie8" = Windows Internet Explorer 8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Unlocker" = Unlocker 1.9.0

"WinCati 4.1 - Interviewer" = WinCati 4.1 - Interviewer

"WinCati 4.1 - Supervisor" = WinCati 4.1 - Supervisor

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WinVNC" = WinVNC 3.3.3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-201074022-649947792-1237804090-90572\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"WorksDatabaseConverter" = WorksDatabaseConverter

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING

BANANA FACTS AND USES _ EPIDEMICFUN.COM_FILES> in the hash map cannot be updated.

Context:

Application, SystemIndex Catalog Details: A device attached to the system is not

functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING

BANANA FACTS AND USES_FILES> in the hash map cannot be updated. Context: Application,

SystemIndex Catalog Details: A device attached to the system is not functioning.

(0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\INTERESTING

BANANA FACTS AND USES_FILES> in the hash map cannot be updated. Context: Application,

SystemIndex Catalog Details: A device attached to the system is not functioning.

(0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\LARA

CROFT.JPG> in the hash map cannot be updated. Context: Application, SystemIndex

Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\LEGEND

OF ZELDA SISTERS.JPG> in the hash map cannot be updated. Context: Application,

SystemIndex Catalog Details: A device attached to the system is not functioning.

(0x8007001f)

Error - 8/19/2010 5:20:13 PM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\GRAYSL\MY DOCUMENTS\PICS4\MAGIC

LISTS.XLSX> in the hash map cannot be updated. Context: Application, SystemIndex

Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 8/20/2010 10:24:27 AM | Computer Name = JOUR-CASR-SUP1 | Source = MDM | ID = 4101

Description = An error occurred while the debugger attempted to correct its registry.

Error - 8/20/2010 10:27:33 AM | Computer Name = JOUR-CASR-SUP1 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module lnkprotect.dll, version 1.0.0.1, fault address 0x000014d8.

Error - 8/20/2010 10:30:44 AM | Computer Name = JOUR-CASR-SUP1 | Source = MDM | ID = 4101

Description = An error occurred while the debugger attempted to correct its registry.

Error - 8/20/2010 10:33:04 AM | Computer Name = JOUR-CASR-SUP1 | Source = Windows Search Service | ID = 3024

Description = The update cannot be started because the content sources cannot be

accessed. Fix the errors and try the update again. Context: Application, SystemIndex

Catalog

[ OSession Events ]

Error - 6/21/2010 5:29:18 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 2, Application Name: Microsoft Office Access, Application Version:

12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 20550

seconds with 13740 seconds of active time. This session ended with a crash.

Error - 6/22/2010 11:46:16 AM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 2, Application Name: Microsoft Office Access, Application Version:

12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 681

seconds with 600 seconds of active time. This session ended with a crash.

Error - 6/22/2010 12:23:34 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 2, Application Name: Microsoft Office Access, Application Version:

12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2228

seconds with 1680 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:08:34 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 2, Application Name: Microsoft Office Access, Application Version:

12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3296

seconds with 3060 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:57:53 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 2, Application Name: Microsoft Office Access, Application Version:

12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2950

seconds with 2400 seconds of active time. This session ended with a crash.

Error - 6/24/2010 4:36:47 PM | Computer Name = JOUR-CASR-SUP1 | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 2, Application Name: Microsoft Office Access, Application Version:

12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9524

seconds with 7200 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 8/19/2010 4:05:24 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006

Description = %%830 Real-Time Protection agent has encountered an error when taking

action on spyware or other potentially unwanted software. For more information please

see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147636914

Scan

ID: {3A8F5C14-B06E-469D-859C-CA2FEF607AF8} User: UMC-USERS\umcjourcasrcaller Name:

Virus:Win32/Ramnit.B ID: 2147636914 Severity: Severe Category: Virus Path: file:\\?\C:\Program

Files\Common Files\Microsoft Shared\Help 8\dexplmnu.dll;file:\\?\C:\Program Files\Common

Files\Microsoft Shared\Help 8\dexplmnu.dll Alert Type: %%805 Action: %%812 Error Code:

0x80508021 Error description: An unexpected problem occurred. Install any available

updates, and then try to start the program again. For information on installing

updates, see Help and Support.

Error - 8/23/2010 9:16:59 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 9:16:58 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 9:16:58 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 10:26:09 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 10:26:02 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 10:26:31 AM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 12:02:12 PM | Computer Name = JOUR-CASR-SUP1 | Source = EventLog | ID = 6004

Description = A driver packet received from the I/O subsystem was invalid. The

data is the packet.

Error - 8/23/2010 3:42:05 PM | Computer Name = JOUR-CASR-SUP1 | Source = FCSAM | ID = 3006

Description = %%830 Real-Time Protection agent has encountered an error when taking

action on spyware or other potentially unwanted software. For more information please

see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147636914

Scan

ID: {6326BECF-C0D8-4510-BB45-127E27450D38} User: UMC-USERS\graysl Name: Virus:Win32/Ramnit.B

ID:

2147636914 Severity: Severe Category: Virus Path: Alert Type: %%805 Action: %%812 Error

Code: 0x80508024 Error description: To finish removing spyware and other potentially

unwanted software, you need to run a full scan. For information about scanning

options, see Help and Support.

Error - 8/23/2010 3:46:18 PM | Computer Name = JOUR-CASR-SUP1 | Source = Service Control Manager | ID = 7031

Description = The Microsoft Forefront Client Security State Assessment Service service

terminated unexpectedly. It has done this 1 time(s). The following corrective

action will be taken in 0 milliseconds: Restart the service.

< End of report >


Hi, no active Ramnit there; it's possible there will be some leftovers, but scanners will get that.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


ComboFix 10-08-24.02 - graysl 08/24/2010 14:05:24.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.772 [GMT -5:00]

Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe

.

((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))

.

2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira

2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv

2010-08-20 15:00 . 2010-08-24 19:04 -------- d-----w- c:\windows\system32\NtmsData

2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira

2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker

2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore

2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys

2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys

2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv

2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald

2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife

2010-08-02 21:26 . 2010-08-20 13:21 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-24 18:44 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine

2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search

2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime

2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons

2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft

2010-08-20 14:22 . 2010-04-24 18:47 203776 ----a-w- c:\documents and settings\graysl\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2010-08-20 13:20 . 2010-04-16 15:42 139264 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys

2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer

2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer

2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip

2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip

2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll

2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_20.08.02 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]

"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\

Inter.cmd [2010-3-30 690]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]

"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]

"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]

"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]

"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]

"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]

R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]

R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]

S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]

S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]

.

Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\MP Scheduled Quick Scan.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-23 c:\windows\Tasks\MP Scheduled Signature Update.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://webmail.missouri.edu/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 1127

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-{C226AD38-BBFC-65F9-36B0-D2B3D07BA323} - c:\documents and settings\graysl\Application Data\Zyvyy\zogi.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-24 14:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-08-24 14:13:33

ComboFix-quarantined-files.txt 2010-08-24 19:13

ComboFix2.txt 2010-08-23 20:12

Pre-Run: 128,061,001,728 bytes free

Post-Run: 128,046,256,128 bytes free

- - End Of File - - 4D0E99B9EC49B4C25904278ACDDB62E9


Hi, please let me know how things are running after the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1127

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

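The two prefs.js entries the script above tells ComboFix to remove are a Firefox HTTP proxy pointing back at the infected machine itself (127.0.0.1, port 1127), which is how a search-redirect proxy places itself between the browser and the network. The following Python is an added example, not part of the thread or of ComboFix; it reads either the "FF - prefs.js:" lines ComboFix prints or a raw prefs.js and flags a proxy that resolves to the local host. The sample inputs are constructed from the values in the thread's logs, and the localhost:8118 prefs.js case is a made-up illustration.

```python
"""Spot the Firefox proxy redirect that the CFScript above removes.

Added example; not part of the original thread or of ComboFix. Reads either
the "FF - prefs.js: name - value" lines ComboFix prints or a raw prefs.js and
flags any proxy that points back at the local machine (127.0.0.1:1127 in the
log), which is how a search-redirect proxy sits between browser and network.
"""
import re
from ipaddress import ip_address

# ComboFix report line: "FF - prefs.js: network.proxy.http - 127.0.0.1"
COMBOFIX_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")
# prefs.js line: user_pref("network.proxy.http_port", 1127);
PREFSJS_RE = re.compile(r'^user_pref\("(network\.proxy\.[^"]+)",\s*"?([^"]*?)"?\);$')

# Constructed samples using the values shown in the thread's ComboFix logs.
BEFORE_FIX_LOG = """\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1127
"""
AFTER_FIX_LOG = "FF - prefs.js: network.proxy.type - 0\n"
# Constructed raw prefs.js with a manual (type 1) proxy on localhost.
PREFS_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8118);
"""


def parse_proxy_prefs(text):
    """Return {pref_name: value} for network.proxy.* entries in either format."""
    prefs = {}
    for line in text.splitlines():
        m = COMBOFIX_RE.match(line.strip()) or PREFSJS_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def is_local_host(host):
    """True for loopback addresses and 'localhost' (a proxy on the same box)."""
    host = host.strip().lower().strip("[]")
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def find_proxy_hijack(text):
    """One finding per proxy scheme pointing at the local machine; [] if clean.
    network.proxy.type is included so a live manual proxy (1) can be told
    from a leftover entry (0); it may be absent from a ComboFix listing."""
    prefs = parse_proxy_prefs(text)
    findings = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host and is_local_host(host):
            findings.append({
                "scheme": scheme,
                "host": host,
                "port": prefs.get(f"network.proxy.{scheme}_port"),
                "proxy_type": prefs.get("network.proxy.type"),
            })
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_FIX_LOG), ("after", AFTER_FIX_LOG), ("prefs.js", PREFS_JS)):
        print(label, find_proxy_hijack(text))
```

A hit on the pre-fix log and an empty result on the post-fix log (where only network.proxy.type 0 remains) is the same before/after picture the two ComboFix runs in this thread show.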

Okay, here's the latest; I'll let you know later today or tomorrow morning if things are ship-shape or not. Thanks again!

ComboFix 10-08-24.02 - graysl 08/25/2010 8:11.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1394 [GMT -5:00]

Running from: c:\documents and settings\graysl\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\graysl\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))

.

2010-08-24 19:20 . 2010-08-24 19:20 -------- d-----w- c:\documents and settings\umcjourcasrcaller\Application Data\Avira

2010-08-23 19:56 . 2010-08-23 19:56 -------- d-----w- c:\documents and settings\graysl\Application Data\Avira

2010-08-20 15:04 . 2010-08-20 15:24 -------- d-----w- c:\documents and settings\graysl\Application Data\Ynwyv

2010-08-20 15:00 . 2010-08-24 20:43 -------- d-----w- c:\windows\system32\NtmsData

2010-08-20 14:55 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-20 14:55 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-20 14:55 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-20 14:55 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\program files\Avira

2010-08-20 14:55 . 2010-08-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-20 14:52 . 2010-08-20 14:52 -------- d-----w- c:\program files\Unlocker

2010-08-19 19:47 . 2010-08-19 19:47 -------- d-----w- c:\windows\system32\MpEngineStore

2010-08-19 19:34 . 2010-08-19 19:34 133440 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-19 18:31 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\69022312.sys

2010-08-19 18:31 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\6902231.sys

2010-08-19 17:56 . 2010-08-20 12:49 -------- d-----w- c:\program files\riv

2010-08-17 13:43 . 2010-08-23 19:42 -------- d-----w- c:\documents and settings\graysl\Local Settings\Application Data\Emerald

2010-08-17 13:43 . 2010-08-23 18:20 -------- d-----w- c:\documents and settings\graysl\Application Data\SecondLife

2010-08-02 21:26 . 2010-08-20 13:21 822784 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-24 20:39 . 2010-06-16 13:28 -------- d-----w- c:\documents and settings\graysl\Application Data\Abine

2010-08-23 13:07 . 2010-06-14 19:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-08-20 15:38 . 2010-03-30 18:53 -------- d-----w- c:\program files\Windows Desktop Search

2010-08-20 14:42 . 2010-05-27 20:23 -------- d-----w- c:\program files\QuickTime

2010-08-20 14:28 . 2010-04-24 18:04 -------- d-----w- c:\program files\Coupons

2010-08-20 14:24 . 2010-03-30 19:01 -------- d-----w- c:\program files\Microsoft

2010-08-20 13:51 . 2010-03-30 19:21 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2010-08-20 13:48 . 2010-06-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 13:21 . 2010-04-24 19:06 79872 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2010-08-19 21:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys

2010-08-12 08:06 . 2010-03-30 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-29 12:51 . 2010-04-01 19:02 70032 ----a-w- c:\documents and settings\wagnerna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-12 17:55 . 2010-03-26 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-12 17:55 . 2010-03-26 18:18 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\graysl\Application Data\PDF Writer

2010-07-08 19:15 . 2010-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer

2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Common Files\Bullzip

2010-07-08 19:13 . 2010-07-08 19:13 -------- d-----w- c:\program files\Bullzip

2010-07-03 15:12 . 2010-04-02 19:16 70032 ----a-w- c:\documents and settings\manns\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-02 13:46 . 2010-07-02 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-26 01:46 . 2010-04-27 22:06 70032 ----a-w- c:\documents and settings\drwww8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 12:53 . 2010-04-05 15:56 70032 ----a-w- c:\documents and settings\graysl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 12:52 . 2010-03-26 20:26 70032 ----a-w- c:\documents and settings\umcjourcasrcaller\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-18 21:48 . 2010-06-22 14:19 535176 ----a-w- c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll

2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 17:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-06-14 14:31 . 2010-03-26 18:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 17:37 . 2010-03-30 19:57 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-30 23:36 . 2010-07-08 19:13 135168 ----a-w- c:\windows\system32\bzpdfc.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_20.08.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-24 19:57 . 2010-08-24 19:57 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2010-08-20 208896]

"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-20 421888]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-14 5937984]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\umcjourcasrcaller\Start Menu\Programs\Startup\

Inter.cmd [2010-3-30 690]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\0\0]

"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\1\0]

"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-3961\Scripts\Logon\2\0]

"Script"=casr_mapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\0\0]

"Script"=casr_printer.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-201074022-649947792-1237804090-64928\Scripts\Logon\1\0]

"Script"=casr_mapping.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Sybase\\Adaptive Server Anywhere 6.0\\win32\\dbeng6.exe"=

R0 69022312;69022312 Boot Guard Driver;c:\windows\system32\drivers\69022312.sys [8/19/2010 1:31 PM 37392]

R1 setup_9.0.0.722_18.08.2010_17-51drv;setup_9.0.0.722_18.08.2010_17-51drv;c:\windows\system32\drivers\6902231.sys [8/19/2010 1:31 PM 315408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 9:55 AM 135336]

R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]

R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [3/26/2010 1:23 PM 209960]

S1 69022311;69022311;c:\windows\system32\DRIVERS\69022311.sys --> c:\windows\system32\DRIVERS\69022311.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-08-24 c:\windows\Tasks\MP Scheduled Quick Scan.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-08-24 c:\windows\Tasks\MP Scheduled Signature Update.job

- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://webmail.missouri.edu/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath - c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\graysl\Application Data\Mozilla\Firefox\Profiles\d6u1zqrm.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{095751f7-cef8-b08c-63e7-aef653237eba}\components\2cd863b0.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-25 08:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(112)

c:\windows\system32\WININET.dll

c:\windows\system32\igfxdo.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-08-25 08:19:38

ComboFix-quarantined-files.txt 2010-08-25 13:19

ComboFix2.txt 2010-08-24 19:13

ComboFix3.txt 2010-08-23 20:12

Pre-Run: 140,151,357,440 bytes free

Post-Run: 140,165,816,320 bytes free

- - End Of File - - 85E325784BF370EAF7F6B85E47714713


Okay, in the meantime, some updating/double-checking. :)

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please launch MBAM, update it and run a full scan. Post me the resulting log.


Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
