Cyber Tech Help Support Forums > Software > Malware Removal Forum

#1 - May 27th, 2011, 04:10 AM
K McK (Senior Member)
Win32:Hupigon-ONX trojan Please Help!

I have received excellent help here for past issues, and since I have been trying unsuccessfully on my own for the past 24+ hours to remove this thing, I came to where I am sure someone knows what to do.

Windows XP, AVAST antivirus, Firefox and IE

Avast windows started popping up with messages warning me about blocking a malicious URL. I was using Firefox and was on a local news/weather site. Facebook was open on another tab.

After numerous such messages, Avast recommended a boot scan, which I started immediately.

It found:
Alureon-G@mbr [Rtk]
wma:wimad [drp]
WIN32:Adware-HF [Adw]
WIN32:Hupigon-ONX [Trj]

The first three were deleted from the system.

The trojan could not be deleted or moved to the vault. The following message was given:
cannot be opened because the share access flags are incompatible

The boot scan was still running in the morning when I left for work. When I came home, there was the infamous blue screen STOP 0x0000008E (0xC0000005, 0xF74CA71D, 0xAAFF4748, 0x00000000) atapi.sys Address F74CA71D base at F74C0000 Date Stamp 4802539d
C:\Windows\System32\Svchost.exe URL Malware

I restarted the computer several times with different windows login accounts. Firefox always resulted in a return to the blue stop screen.

Then I got a pop up from Avast that wanted me to send a copy of this to their virus lab:

\\.\PHYSICALDRIVE0 MBR:TDL4

I searched the web, checked on the Avast site, called their toll free customer service, spoke with a technician from iyogi who wanted me to pay $170 to have access to my computer for the next two years to keep it running smoothly. While he had access to my computer, he sent the requested file to the avast virus lab. He said I needed to do 4 things:

1) remove the infections
2) remove conflicting software
3) remove the junk (haven't done that in a while)
4) update windows

I told him windows updates automatically. He checked it, and the event log was full of errors.

He would do no more without the payment, so I respectfully declined his offer. However, while I was on the phone with him, I discovered that I can run IE without problems (so far).

I told him that I would try to find help online. He said that would only make matters worse.

But here I am, requesting help from folks who won't try to scam me.

I am currently running MBAM. It has scanned over 82000 objects with no infections.

Update:

The scan completed w/10 infected items, several trojan entries listed. I saved the log, and tried to remove all items. MBAM said that it could not remove all items and to restart for the changes to take effect. During the restart process, I got the blue screen again with Stop Code 0x0000000A (0x00000004, 0x00000002, 0x00000001, 0x804EDE8E) and the message IRQL_NOT_LESS_OR_EQUAL

If I can get that computer to work long enough I will try to post the MBAM log here.

Last edited by K McK; May 28th, 2011 at 12:37 AM. Reason: update MBAM scan
#2 - May 29th, 2011, 12:56 AM
Jintan (Malware Removal Team Advisor)
Hello K McK,

Those malware names all suggest an MBR (Master Boot Record) infection, so not something Avast or Malwarebytes might address. Let's get a more detailed look and then start some repairs.


Right off see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.



To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

------------------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Do your best with that last one - it is specifically there to target these types of bootkits.

#3 - May 29th, 2011, 02:58 AM
K McK (Senior Member)
I am having trouble disabling any of the anti-spyware or antivirus software on the infected pc in safe mode. I don't know if this is important or not, but the first time I tried to open in safe mode, it froze. It worked the second time. There is nothing in the system tray! When I use START to open the program to try to disable, I can't find a way to disable it. I have tried to disable MBAM, SpywareBlaster, and SpyBot. The only place I can find Avast is in windows explorer. I clicked on the link to bleepingcomputers and read the information there with no luck. Any suggestions?
#4 - May 29th, 2011, 03:18 AM
Jintan (Malware Removal Team Advisor)
Really more of a do what you can right now. We don't want security scanners interfering, but a good chance is that the malware has them disabled already.
#5 - May 30th, 2011, 02:06 AM
K McK (Senior Member)
Problems: Computer finally booted into Safe Mode without freezing, got OTL scan, but when I reply with the logs, I keep getting a Cannot Display Web Page error.
Would it be safe to email it to myself from the infected computer and use my laptop to paste it here? If this trojan has a key logger, I don't want someone to have access to my email.

While I am waiting to hear from you, I will continue to try to post the results of the scan.

..........................................................................

I tried to paste with an edit and still got the IE cannot display the webpage.

Last edited by K McK; May 30th, 2011 at 02:28 AM. Reason: add info
#6 - May 30th, 2011, 02:31 AM
Jintan (Malware Removal Team Advisor)
Email is one of the safer ways to deal with getting things on and off a system. Then at the receiving end, whatever was emailed has been run through an email scan, and (I assume) then the receiving computer's own antivirus scan.
#7 - May 30th, 2011, 02:59 AM
K McK (Senior Member)
This is ridiculous.

I can email to myself if I just say hi, but it won't let me email the logs. I tried forwarding, cc and bcc. Nothing worked. When I click on send, a box pops up that says I am about to leave the page without sending the message. If I cancel, I get a white screen. If I click on yes, I get a cannot display the webpage.

I tried my work email, and my browser gets hijacked.

I looked at the logs, and the best I can tell, Avast is stopping the scan. I opened Avast, and it says UNSECURED Your system is not protected. The program has been stopped, or is in an inconsistent state. It was fine 24 hrs ago.
#8 - May 30th, 2011, 03:24 AM
Jintan (Malware Removal Team Advisor)
Are you pasting the logs into the email, or using attachments (or both)?

Can you burn a CD of the logs? It is wasteful, but one way to get info here to give us something to work with.
#9 - May 30th, 2011, 03:32 AM
K McK (Senior Member)
Just pasting, no attachments.

I finally got into my work email by typing the address directly into my browser, but sending still opens the cannot display page.

My laptop does not have a cd drive. I may be able to do it from work on Tuesday.

Hotmail has skydrive. I am going to try that avenue.

Since it was so difficult to access the pc today, is there any harm in leaving it on in safe mode and connected to the internet while we are troubleshooting?

I think I got them:

OTL logfile created on: 5/29/2011 7:52:37 PM - Run 1

OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Jon\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



2.00 Gb Total Physical Memory | 1.65 Gb Available Physical Memory | 82.34% Memory free

2.60 Gb Paging File | 2.41 Gb Available in Paging File | 92.63% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 69.97 Gb Total Space | 34.16 Gb Free Space | 48.82% Space Free | Partition Type: NTFS



Computer Name: D61N2T71 | User Name: Jon | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days



========== Processes (SafeList) ==========



PRC - [2011/05/29 19:52:29 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe





========== Modules (SafeList) ==========



MOD - [2011/05/29 19:52:29 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe

MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll





========== Win32 Services (SafeList) ==========



SRV - File not found [Auto | Stopped] -- -- (itlperf)

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)

SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2004/10/25 21:01:52 | 000,421,888 | ---- | M] (Dell) [On_Demand | Stopped] -- C:\WINDOWS\System32\dlbtcoms.exe -- (dlbt_device)





========== Driver Services (SafeList) ==========



DRV - [2011/05/10 07:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)

DRV - [2011/05/10 07:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2011/05/10 07:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2011/05/10 07:02:25 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2011/05/10 06:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2011/05/10 06:59:37 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2011/05/10 06:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)

DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Stopped] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)

DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)

DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)

DRV - [2004/06/16 03:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)

DRV - [2004/03/30 12:29:36 | 000,118,106 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr97310v.sys -- (MR97310_VGA_DUAL_CAMERA)

DRV - [2004/03/06 04:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)

DRV - [2004/03/06 04:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)

DRV - [2004/03/06 04:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)

DRV - [2002/08/23 10:31:36 | 000,026,381 | ---- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB)

Last edited by K McK; May 30th, 2011 at 04:05 AM. Reason: OTL logs
#10 - May 30th, 2011, 04:10 AM
K McK (Senior Member)
========== Standard Registry (SafeList) ==========





========== Internet Explorer ==========



IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =





IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com

IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]

IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.myspace.com/ [binary data]

IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/

IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not found

IE - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



========== FireFox ==========



FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0



FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/03 21:35:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 14:05:44 | 000,000,000 | ---D | M]



[2010/03/05 20:03:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jon\Application Data\Mozilla\Extensions

[2010/07/26 18:45:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jvbe3icm.default\extensions

[2010/07/26 18:35:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jvbe3icm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/03/26 09:34:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2009/06/09 07:23:56 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2011/05/03 21:34:45 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll

[2011/03/18 13:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

[2011/03/18 13:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml



O1 HOSTS File: ([2011/02/28 06:12:48 | 000,430,236 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.123topsearch.com

O1 - Hosts: 127.0.0.1 123topsearch.com

O1 - Hosts: 127.0.0.1 www.132.com

O1 - Hosts: 127.0.0.1 132.com

O1 - Hosts: 127.0.0.1 www.136136.net

O1 - Hosts: 127.0.0.1 136136.net

O1 - Hosts: 14812 more lines...

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

O2 - BHO: (CitiUSBrowserHelper Class) - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll (Orbiscom Ltd. All rights reserved.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)

O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKLM..\Run: [DLBTCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.DLL ()

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKU\.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()

O4 - HKU\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()

O4 - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-4057282182-3748449308-1892674105-1014\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

#11 - May 30th, 2011, 04:19 AM
K McK (Senior Member)
O9 - Extra Button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (America Online, Inc.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Go PlaySushi! - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab (QuickTime Object)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get...irector/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175...at-no-eula.cab (Citrix ICA Client)

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/S...in/AvSniff.cab (Symantec AntiVirus scanner)

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/actives.../as2stubie.cab (ActiveScan 2.0 Installer Class)

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab (MSN Games – Buddy Invite)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeup...tent/opuc3.cab (Office Update Installation Engine)

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab (EPUImageControl Class)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by102w.bay102.mail.live.com/m...s/MsnPUpld.cab (MSN Photo Upload Tool)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/res...scbase5036.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1130904919859 (WUWebControl Class)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/S.../bin/cabsa.cab (Symantec RuFSI Utility Class)

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://atv.disney.go.com/global/down.../OTOYAX29b.cab (Groove Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} http://photo.walmart.com/photo/uploa...loadClient.cab (FujifilmUploader Class)

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} http://a532.g.akamai.net/f/532/6712/.../installer.exe (Virtools WebPlayer Class)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} https://care.alltel.com/lwp/static/i...ller_3-0-0.cab (SecurityManager Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...nt/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe (Virtools WebPlayer Class)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} http://www.imagestation.com/common/c...cab?v=1,0,0,37 (AxRUploadControl Object)

O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} https://care.alltel.com/lwp/static/i...ELControls.cab (ConnectivityTester Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{3ce5ffad-4b4b-11da-a0fd-806d6172696f}\Shell - "" = AutoRun

O33 - MountPoints2\{3ce5ffad-4b4b-11da-a0fd-806d6172696f}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{3ce5ffad-4b4b-11da-a0fd-806d6172696f}\Shell\AutoRun\command - "" = D:\CleoAutoRun.exe

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*



========== Files/Folders - Created Within 30 Days ==========



[2011/05/29 19:49:28 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe

[2011/05/28 20:12:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2011/05/28 20:11:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2011/05/27 05:09:01 | 000,000,000 | ---D | C] -- C:\Avenger

[2011/05/25 20:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2011/05/25 20:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2011/05/21 00:09:42 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]



========== Files - Modified Within 30 Days ==========



[2011/05/29 19:52:29 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jon\Desktop\OTL.exe

[2011/05/29 19:46:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/05/29 19:44:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/05/28 21:02:09 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/05/27 20:16:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{4A2E71EC-11C3-4437-9261-FE0CB0FB7AE1}.job

[2011/05/25 15:50:51 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2011/05/23 23:10:15 | 000,000,891 | ---- | M] () -- C:\WINDOWS\dellstat.ini

[2011/05/21 00:09:42 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2011/05/10 07:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

[2011/05/10 07:10:55 | 000,199,304 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

[2011/05/10 07:03:54 | 000,441,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys

[2011/05/10 07:03:44 | 000,307,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys

[2011/05/10 07:02:37 | 000,049,240 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys

[2011/05/10 07:02:25 | 000,102,616 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys

[2011/05/10 07:02:22 | 000,096,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys

[2011/05/10 06:59:56 | 000,025,432 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys

[2011/05/10 06:59:37 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys

[2011/05/10 06:59:35 | 000,019,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]



========== Files Created - No Company Name ==========



[2010/05/25 15:56:53 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2009/10/27 23:46:14 | 000,123,740 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2008/03/26 09:03:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2007/09/21 19:36:07 | 000,000,315 | ---- | C] () -- C:\WINDOWS\ka.ini

[2007/04/05 12:54:42 | 000,001,763 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2007/01/05 06:39:32 | 000,103,936 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL

[2007/01/05 06:39:31 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32S.DLL

[2007/01/05 06:39:30 | 000,316,928 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL

[2006/12/26 13:27:45 | 000,000,026 | ---- | C] () -- C:\WINDOWS\marscam.ini

[2006/03/17 21:38:49 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini

[2005/12/10 16:13:09 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE

[2005/12/03 17:41:16 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2005/11/01 22:09:11 | 000,000,891 | ---- | C] () -- C:\WINDOWS\dellstat.ini

[2005/07/01 00:10:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2005/07/01 00:00:09 | 000,000,513 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2005/06/30 23:56:48 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2005/06/30 23:54:59 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/06/30 23:26:26 | 000,000,430 | ---- | C] () -- C:\WINDOWS\System32\dlbtplc.ini

[2005/06/30 23:26:08 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe

[2005/06/30 23:25:56 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

[2005/06/30 23:25:34 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2005/01/28 08:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/11/09 18:11:08 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlbtcur.dll

[2004/11/09 18:10:28 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\dlbtjswr.dll

[2004/11/09 18:05:58 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbtcu.dll

[2004/11/09 17:59:26 | 000,405,504 | ---- | C] () -- C:\WINDOWS\System32\dlbtutil.dll

[2004/10/25 20:58:18 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\dlbtih.exe

[2004/08/23 14:42:30 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlbtsnls.dll

[2004/08/23 14:40:14 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\dlbtcoin.dll

[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2004/08/10 12:57:15 | 000,473,168 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/10 12:51:35 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll

[2004/08/10 12:51:35 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll

[2004/08/10 12:51:35 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll

[2004/08/10 12:51:35 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll

[2004/08/10 12:51:35 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/10 12:51:20 | 000,443,244 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/10 12:51:20 | 000,072,526 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/10 12:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2003/10/08 14:09:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbtvs.dll

[2001/10/12 11:58:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\mr310exd.dll

[2001/10/12 11:57:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\mr310exv.dll

[2000/12/07 11:13:58 | 000,015,164 | ---- | C] () -- C:\WINDOWS\Mr310twv.ini



========== Alternate Data Streams ==========



@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A823589

@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A988B257

< End of report >
  #12  
Old May 30th, 2011, 04:41 AM
K McK
OTL Extras logfile created on: 5/29/2011 7:52:37 PM - Run 1

OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Jon\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



2.00 Gb Total Physical Memory | 1.65 Gb Available Physical Memory | 82.34% Memory free

2.60 Gb Paging File | 2.41 Gb Available in Paging File | 92.63% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 69.97 Gb Total Space | 34.16 Gb Free Space | 48.82% Space Free | Partition Type: NTFS



Computer Name: D61N2T71 | User Name: Jon | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days



========== Extra Registry (SafeList) ==========





========== File Associations ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*



========== Shell Spawning ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)



========== Security Center Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]



========== System Restore Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2



========== Firewall Settings ==========



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 1

"DisableNotifications" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002



========== Authorized Applications List ==========



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:Real Player

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL

"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire -- (Lime Wire, LLC)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)





========== HKEY_LOCAL_MACHINE Uninstall List ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{0346D86C-D5F6-41FF-949B-01329CA424ED}" = Mysteries of Cleopatra

"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player

"{05410044-64A6-4248-A026-9745C1E9E159}" = Microsoft Encarta Encyclopedia Standard 2005

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{0EB768CD-EF48-4C66-8BCB-2DA8166B2654}" = GradeQuick Web Plugin

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up

"{12EA0FCE-663F-45B1-9D35-3715F2B125C8}" = MyxerMagic Web Extensions

"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety

"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter

"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections

"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer

"{1AEC8F41-4701-415D-9782-F69CFB535463}" = Creative Zen MicroPhoto

"{1D601240-1E3C-11DE-8C30-0800200C9A66}" = Walmart Photo Manager

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 18

"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com

"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page

"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold

"{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan

"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works

"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5

"{44E75850-B838-43D2-8F37-84D3FB71FF6E}" = VGA Dual-Mode Camera

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 4.1

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail

"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click

"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer

"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore

"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant

"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor

"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport

"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync

"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components

"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{976EA7B1-7562-483D-88DA-4323D263B7CD}" = DiMAGE Viewer

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio

"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience

"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4

"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{BE8913B7-B2C4-48BE-8A26-84390FF4F231}" = DMX Update

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}" = Microsoft Works Suite Add-in for Microsoft Word

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus

"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery

"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes

"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer

"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade

"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update

"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)

"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1

"{ED57CE70-0DC6-49AB-A33E-FAC212A6AF5E}" = Creative MuVo V100

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"{FDF0F423-F81F-4EA7-ABD1-AACBB60F3644}" = G15A922EN

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"3DGroove" = OTOY

"ActiveScan 2.0" = Panda ActiveScan 2.0

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"AOL Instant Messenger (SM)" = AOL Instant Messenger (SM)

"Ask Toolbar_is1" = Ask Toolbar

"avast" = avast! Free Antivirus
  #13  
Old May 30th, 2011, 04:41 AM
K McK
"Citi Virtual Account Numbers" = Citi Virtual Account Numbers

"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32

"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows

"Creative Removable Disk Manager" = Creative Removable Disk Manager

"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver

"Dell Photo AIO Printer 922" = Dell Photo AIO Printer 922

"EfntSSDSL" = Efficient Networks SpeedStream DSL

"G-Force" = G-Force

"HijackThis" = HijackThis 2.0.2

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem

"InterActual Player" = InterActual Player

"IrfanView" = IrfanView (remove only)

"JumpStart Advanced Language Club" = JumpStart Advanced Language Club

"JumpStart Advanced Preschool" = JumpStart Advanced Preschool

"JumpStart Art for Fun" = JumpStart Art for Fun

"Kidzui" = Kidzui

"LimeWire" = LimeWire 5.5.13

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"McAfee Security Scan" = McAfee Security Scan

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Money2005b" = Microsoft Money 2005

"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)

"mr97310v_d627f051ae9bfa697d2ded113879197412f3f2b1" = Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 03/30/2004 2.0.0.0

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSNINST" = MSN

"MuVo Driver" = Creative Mass Storage Drivers

"MySpaceIM" = MySpaceIM

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NSSSetup.{3FADAA19-E595-44CA-A072-58B6B0851768}" = Norton Security Scan (Symantec Corporation)

"Pro Media Director_is1" = Pro Media Director Version 1.1.1.1

"PROSet" = Intel(R) PRO Network Adapters and Drivers

"SoftSkies" = SoftSkies

"SpywareBlaster_is1" = SpywareBlaster 4.4

"StreetPlugin" = Learn2 Player (Uninstall Only)

"SysInfo" = Creative System Information

"The Print Shop Premier Edition 5.1" = The Print Shop Premier Edition 5.0

"UnityWebPlayer" = Unity Web Player

"ViewpointMediaPlayer" = Viewpoint Media Player

"WIC" = Windows Imaging Component

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Works2005Setup" = Microsoft Works 2005 Setup Launcher

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Yahoo! Companion" = Yahoo! Toolbar

"Yahoo! Messenger" = Yahoo! Messenger

"Yahoo! Software Update" = Yahoo! Software Update



========== Last 10 Event Log Errors ==========



[ Antivirus Events ]

Error - 12/7/2009 11:23:01 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 12/7/2009 11:24:07 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 1/8/2010 9:24:25 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 2/20/2010 11:21:54 AM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 2/20/2010 11:30:15 AM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 6/26/2010 4:11:17 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 6/26/2010 4:11:17 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 6/26/2010 4:11:26 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 6/26/2010 4:11:27 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



Error - 6/26/2010 4:11:29 PM | Computer Name = D61N2T71 | Source = avast! | ID = 33554522

Description =



[ Application Events ]

Error - 5/28/2011 8:35:26 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.



Error - 5/28/2011 8:35:26 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.



Error - 5/28/2011 10:01:25 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.



Error - 5/28/2011 10:01:25 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.



Error - 5/28/2011 10:01:25 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally



Error - 5/28/2011 10:01:25 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.



Error - 5/28/2011 10:01:25 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.



Error - 5/28/2011 10:01:26 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.



Error - 5/28/2011 10:01:26 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.



Error - 5/28/2011 10:01:26 PM | Computer Name = D61N2T71 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.



[ System Events ]

Error - 5/28/2011 8:48:23 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}



Error - 5/28/2011 8:51:15 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 5/28/2011 9:52:04 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 5/28/2011 9:54:14 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 5/28/2011 10:00:41 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}



Error - 5/28/2011 10:21:11 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}



Error - 5/29/2011 8:38:56 PM | Computer Name = D61N2T71 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Aavmker4 aswSnx aswSP aswTdi Fips intelppm pavboot



Error - 5/29/2011 8:42:48 PM | Computer Name = D61N2T71 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Aavmker4 aswSnx aswSP aswTdi Fips intelppm pavboot



Error - 5/29/2011 8:45:52 PM | Computer Name = D61N2T71 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}



Error - 5/29/2011 8:46:08 PM | Computer Name = D61N2T71 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Aavmker4 aswSnx aswSP aswTdi Fips intelppm pavboot





< End of report >
  #14  
Old May 30th, 2011, 05:21 AM
K McK
I used hotmail's online office apps to create a document with the infected computer. There I was able to paste the logs and copy them with my laptop.

I downloaded Gmer. The opening scan did detect an infection; however, I do not see a copy button anywhere. It may be because I can only see part of the window in safe mode. I tried highlighting with my mouse and copy/paste, but it did not work. The RED line in the opening scan reads as follows:

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found

(so I guess you were right about the master boot record)

The other lines read:

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 8A77231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A77231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0TL0-3 8A77231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A77231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 8A77231B
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS [avast! TDI RDR Driver/AVAST Software]
  #15  
Old May 30th, 2011, 05:33 AM
K McK
aswMBR version 0.9.5.317 Copyright(c) 2011 AVAST Software

Run date: 2011-05-29 23:25:18

-----------------------------

23:25:18.046 OS Version: Windows 5.1.2600 Service Pack 3

23:25:18.046 Number of processors: 1 586 0x401

23:25:18.046 ComputerName: D61N2T71 UserName: Jon

23:25:22.125 Initialize success

23:25:31.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

23:25:31.578 Disk 0 Vendor: SAMSUNG_SP0802N TK100-28 Size: 76293MB BusType: 3

23:25:31.593 Device \Driver\atapi -> DriverStartIo 8a77231b

23:25:31.625 Disk 0 MBR read successfully

23:25:31.640 Disk 0 MBR scan

23:25:31.656 Disk 0 TDL4@MBR code has been found

23:25:31.687 Disk 0 MBR hidden

23:25:31.703 Disk 0 MBR [TDL4] **ROOTKIT**

23:25:31.718 Disk 0 trace - called modules:

23:25:31.734 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a7724d0]<<

23:25:31.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a780ab8]

23:25:31.765 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a70c878]

23:25:31.796 \Driver\atapi[0x8a784810] -> IRP_MJ_CREATE -> 0x8a7724d0

23:25:49.640 Unsigned kernel modules:

23:25:50.765 0xf7479000 C:\WINDOWS\system32\drivers\drvmcdb.sys

23:25:51.000 0xf771f000 C:\WINDOWS\system32\drivers\PxHelp20.sys

23:25:56.390 0xf798f000 C:\WINDOWS\system32\drivers\sscdbhk5.sys

23:26:06.078 0xf7797000 C:\WINDOWS\system32\drivers\ssrtln.sys

23:26:18.718 0xb6b88000 C:\DOCUME~1\Jon\LOCALS~1\Temp\kgryapob.sys

23:26:19.468 Scan finished successfully

23:26:37.250 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jon\Desktop\MBR.dat"

23:26:37.265 The log file has been saved successfully to "C:\Documents and Settings\Jon\Desktop\aswMBR.txt"