INFECTED PLEASE HELP


  • This topic is locked
61 replies to this topic

#16 JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 08 November 2011 - 04:50 PM

Hello MARIANNE97

Thanks for letting me know.

Let's see if we can get it to complete from Safe Mode:

  • Reboot Your System in Safe Mode

    • Restart your computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until the "Advanced Options" menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press Enter.

Once in Safe Mode, double-click the ComboFix.exe icon and see if the scan will complete.

If it does, save the log produced then boot back into Normal Mode to post it back here.

If the program freezes again don't worry, just let me know and we will try a different approach :)

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom



#17 MARIANNE97

    Authentic Member

  • 36 posts

Posted 08 November 2011 - 05:41 PM

The last time I tried to run the combofix, I had it in safe mode. It didn't freeze, but never completed. It ran for over an hour with no results.

#18 JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 08 November 2011 - 06:30 PM

Hello MARIANNE97

The last time I tried to run the combofix, I had it in safe mode. It didn't freeze, but never completed. It ran for over an hour with no results.

Thank you for letting me know. I suspect that we are dealing with one of the newer variants of a particularly nasty piece of malware that can be very difficult to remove.

As a precaution, it would be wise to backup any important data you have just in case.

Let's proceed as follows:

Please drag the copy of ComboFix that is on the desktop of the infected machine to the Recycle Bin and then empty the Bin.

Download a fresh copy of ComboFix to the desktop of an uninfected machine.

Next, we need to make sure that file extensions (which are usually hidden) are visible so we can rename the new ComboFix download.

If the uninfected machine runs on XP, do the following:

  • Please make all files and folders visible:

    • Click "Start", go to My Computer -> Tools -> Folder Options -> View tab.
    • Choose "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files" and "Hide extensions for known file types" boxes.
    • Close the window with "OK".

If it runs on Vista/Win7, use these instructions instead:

  • Please make all files and folders visible:

    • Close all programs so that you are on your desktop.
    • Click on the "Windows Orb" and select the Control Panel menu option.
    • When the Control Panel opens you will either be in Classic View or Control Panel Home view:

    • If you are in Classic View, do the following:
    • Double-click on the Folder Options icon.
    • Click on the View tab.
    • Under the "Hidden files and folders" section, select the radio button labeled "Show hidden files and folders".
    • Remove the checkmark from the checkbox labeled "Hide extensions for known file types".
    • Remove the checkmark from the checkbox labeled "Hide protected operating system files".
    • Press the "Apply" button and then the "OK" button.

    • If you are in Control Panel Home view, do the following:
    • Click on the Appearance and Personalization link.
    • Click on "Show Hidden Files or Folders".
    • Under the "Hidden files and folders" section, select the radio button labeled "Show hidden files and folders".
    • Remove the checkmark from the checkbox labeled "Hide extensions for known file types".
    • Remove the checkmark from the checkbox labeled "Hide protected operating system files".
    • Press the "Apply" button and then the "OK" button.

You should now be able to see the file extension in the ComboFix icon (.exe).

Rename ComboFix.exe to jontom.com

Drag jontom.com onto a flash drive, but rather than placing it on the desktop of the infected machine, transfer it directly to the C drive (C:\jontom.com).

Disable all of your security programs, then navigate to jontom.com and double-click to run.

Let me know if ComboFix is able to complete its run in your next reply (I'll catch up with you after some sleep - it has just turned Wednesday where I am).


#19 MARIANNE97

    Authentic Member

  • 36 posts

Posted 09 November 2011 - 07:22 AM

Hello JonTom :) Unfortunately, ComboFix still would not complete. I was wondering if the avast sandbox would have anything to do with this? It comes up and asks me if I want to open the file jontom\HIDEC.3XE normally, but it's recommending that I open it with the sandbox. It also comes up for another jontom file that I didn't catch.

I will keep checking back for your reply :)

Thank you

#20 MARIANNE97

    Authentic Member

  • 36 posts

Posted 09 November 2011 - 07:27 AM

P.S. The PC had some updates last night and a malicious software remover followed immediately after. I saved a screen shot and ran another avast scan as it recommended. I saved a screen shot of what was found there too.

Attached Thumbnails

  • mwrrmvlpic.jpg
  • vstpic.jpg


#21 JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 09 November 2011 - 10:59 AM

Hello MARIANNE97

I was wondering if the avast sandbox would have anything to do with this?

That's a possibility, but ComboFix failed to complete from Safe Mode (where the sandbox would have been disabled). This machine is terribly infected and the malware we are dealing with purposefully interferes with our tools to prevent them from running.

Let's see if the following can help us:


  • Please open OTL


    • Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.

      :OTL
      PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
      IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
      IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      O1 - Hosts: 94.63.240.131	www.google.com
      O1 - Hosts: 94.63.240.132	www.bing.com
      O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No CLSID value found.
      O4 - HKLM..\Run: [volmgr] %APPDATA%\volmgr.exe File not found
      O4 - HKU\.DEFAULT..\Run: [volmgr] %APPDATA%\volmgr.exe File not found
      O4 - HKU\.DEFAULT..\Run: [winupd] C:\WINDOWS\Temp\winupd.exe ()
      O4 - HKU\S-1-5-18..\Run: [volmgr] %APPDATA%\volmgr.exe File not found
      O4 - HKU\S-1-5-18..\Run: [winupd] C:\WINDOWS\Temp\winupd.exe ()
      O15 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..Trusted Domains:   ([]msn in My Computer)
      [2011/11/06 20:01:12 | 000,001,466 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Privacy Protection.lnk
      [2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\xyxe.exe
      [2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\rgsg.exe
      [2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\qdvq.exe
      [2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\lukc.exe
      [2011/08/11 18:13:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\BQXUVTWGYG
      [2011/01/28 02:00:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FEYUVTWGYG
      [2011/06/27 23:48:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FJYUVTWGYG
      [2011/02/17 00:35:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GFYUVTWGYG
      [2011/10/19 22:07:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GQXUVTWGYG
      [2011/09/15 13:45:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\HHYUVTWGYG
      [2011/02/26 01:34:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\HXXUVTWGYG
      [2011/08/20 04:05:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\IBYUVTWGYG
      [2010/12/28 10:54:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\JVXUVTWGYG
      [2011/09/14 23:23:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LIYUVTWGYG
      [2011/02/17 02:04:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LTXUVTWGYG
      [2011/06/27 23:50:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LWXUVTWGYG
      [2011/01/21 02:25:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\NRXUVTWGYG
      [2011/02/20 23:33:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PKYUVTWGYG
      [2011/09/07 09:24:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\RVXUVTWGYG
      [2011/09/07 09:43:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\RXXUVTWGYG
      [2011/09/22 00:38:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\SBYUVTWGYG
      [2011/03/10 03:13:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\SRXUVTWGYG
      [2010/12/04 04:26:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\VYXUVTWGYG
      [2011/02/16 01:54:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\XZXUVTWGYG
      [2011/09/02 04:14:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\YFYUVTWGYG
      [2009/01/30 05:57:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ZXXUVTWGYG
      @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FDF9B285
      @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EEB25EAE
      @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9EF92A1A
      
      :Commands
      [resethosts]
      [purity]
      [emptyflash]
      [start explorer]
      [Reboot]
    • Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
    • Allow the program to run unhindered.
    • Your machine will re-start itself. This is normal.
    • A log will be created after your machine reboots. Please post the contents of the log in your next reply.
  • TDSS Killer


    • Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Once you have completed the above steps, see if ComboFix will run (please make sure that the sandbox is disabled).

    Please post the OTL log and the TDSSKiller log in your next reply (and the ComboFix log if it completes).

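The OTL fix above targets four kinds of indicators: hosts-file entries that redirect well-known domains, an IE proxy that was switched on, Run-key autoruns whose targets live in %APPDATA% or a Temp folder (or are already missing), and alternate data streams hung off a directory. The script below is an added example, not OTL's code or anything posted in the thread; it runs the same heuristics as a triage pass over OTL-style scan lines so that a helper can spot these entries in a fresh log before writing a fix. The sample lines, the SID, the domain watchlist and the severity labels are constructed for the example; only the line formats follow what OTL prints.

```python
"""Triage OTL-style scan lines with simple defender heuristics (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed watchlist: domains whose hosts-file redirection is high-signal.
WATCHLIST = {"www.google.com", "www.bing.com", "update.microsoft.com"}
# Path fragments that mark a user-writable location for an autorun target.
USER_WRITABLE = ("%appdata%", "%temp%", "\\temp\\", "\\application data\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r'"ProxyEnable"\s*=\s*(\d)')
RUN_RE = re.compile(r"^O4 - (\S+?)\.\.\\Run: \[([^\]]+)\] (.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")

# Constructed sample mixing benign and suspicious lines in OTL's format
# (the SID below is a placeholder, not a real account).
SAMPLE_LINES = r"""
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 94.63.240.131   www.google.com
O1 - Hosts: 94.63.240.132   www.bing.com
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [volmgr] %APPDATA%\volmgr.exe File not found
O4 - HKU\.DEFAULT..\Run: [winupd] C:\WINDOWS\Temp\winupd.exe ()
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FDF9B285
@Alternate Data Stream - 26 bytes -> C:\Documents and Settings\Owner\Desktop\setup.exe:Zone.Identifier
"""


def _is_local(ip: str) -> bool:
    """True for loopback/unspecified addresses, which are normal in a hosts file."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for a suspicious OTL line, or None if it looks benign."""
    line = line.rstrip()

    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if _is_local(ip):
            return None  # localhost-style entries are expected
        sev = "HIGH" if host.lower() in WATCHLIST else "MEDIUM"
        return {"severity": sev, "reason": f"hosts file redirects {host} to {ip}", "line": line}

    m = PROXY_RE.search(line)
    if m and line.startswith("IE - ") and m.group(1) == "1":
        return {"severity": "MEDIUM", "reason": "IE proxy enabled; verify the ProxyServer value", "line": line}

    m = RUN_RE.match(line)
    if m:
        hive, name, target = m.groups()
        low = target.lower()
        if low.endswith("file not found"):
            # A dangling autorun is a classic leftover of removed or hidden malware.
            return {"severity": "HIGH", "reason": f"autorun [{name}] in {hive} points at a missing file", "line": line}
        if any(tok in low for tok in USER_WRITABLE):
            return {"severity": "HIGH", "reason": f"autorun [{name}] in {hive} runs from a user-writable path", "line": line}
        return None

    m = ADS_RE.match(line)
    if m:
        size, path = m.groups()
        # Split on the last colon past the drive letter to isolate the stream name.
        stream = path.rsplit(":", 1)[1] if ":" in path[2:] else ""
        if stream and stream != "Zone.Identifier":
            host_path = path.rsplit(":", 1)[0]
            return {"severity": "MEDIUM", "reason": f"{size}-byte alternate data stream '{stream}' on {host_path}", "line": line}
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run triage_line over every line of an OTL log excerpt and keep the findings."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"[{finding['severity']}] {finding['reason']}")
```

Zone.Identifier streams are skipped because every browser download carries one; any other stream name, especially on a directory, is worth a look. The heuristics are deliberately conservative: a vendor-signed DLL in system32 produces no finding, so the output is short enough to read in a reply.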

#22 MARIANNE97

    Authentic Member

  • 36 posts

Posted 09 November 2011 - 01:26 PM

Hello JonTom :) Sorry I was MIA for a bit... I ran the programs as directed, but they did not generate any logs and I couldn't find them in the search. I then ran ComboFix again and it seems to be running: it went all the way through stage 50, then it said deleting files and gave the name of some files, then deleting folders and gave the name of a folder. This was right about the 10-minute mark... then the desktop icons and clock disappeared, so I am hoping it isn't frozen at this point. I can't tell, because I have been able to tell by the clock freezing.

I will wait for your reply before doing anything but if it gives me a log I will send it to you promptly:)

Thank you

#23 MARIANNE97

    Authentic Member

  • 36 posts

Posted 09 November 2011 - 01:34 PM

Yay...I got a log this time...It ran all the way through :) Thank you...I will be here


ComboFix 11-11-09.01 - Owner 11/09/2011 14:09:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.574 [GMT -5:00]
Running from: C:\jontom.com
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Local Settings\Application Data\aeyi.exe
c:\documents and settings\Owner\Local Settings\Application Data\dkyc.exe
c:\documents and settings\Owner\Local Settings\Application Data\quti.exe
c:\documents and settings\Owner\Local Settings\Application Data\wdih.exe
c:\documents and settings\Owner\uzbksqeuwv.tmp
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
.
.
2011-11-09 19:18 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-11-09 19:18 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-09 18:38 . 2011-11-09 18:38 -------- d-----w- C:\_OTL
2011-11-09 11:34 . 2011-11-09 11:34 -------- d--h--w- c:\windows\PIF
2011-11-07 14:13 . 2011-10-03 10:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-07 07:11 . 2011-11-07 07:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-11-07 00:48 . 2011-11-07 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 00:48 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 00:46 . 2011-11-07 00:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-07 00:16 . 2011-11-07 00:19 -------- d-----w- c:\documents and settings\Guest
2011-11-06 21:55 . 2011-11-06 21:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-06 21:06 . 2011-11-06 21:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-06 20:55 . 2011-11-06 20:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-10-18 21:30 . 2011-10-18 21:30 -------- d-----w- C:\extensions
2011-10-18 21:30 . 2011-10-18 21:30 -------- d-----w- c:\program files\Conduit
2011-10-18 21:30 . 2011-10-18 21:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Conduit
2011-10-18 21:30 . 2011-10-18 21:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-10-18 21:29 . 2011-10-18 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2011-10-16 08:12 . 2011-10-16 08:12 -------- d-----w- c:\documents and settings\Owner\Application Data\SulusGames
2011-10-16 08:12 . 2011-10-16 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2011-10-16 08:11 . 2011-10-16 08:12 -------- d-----w- c:\program files\Strange Cases - The Tarot Card Mystery
2011-10-16 08:09 . 2011-11-07 14:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2011-10-16 08:08 . 2011-11-07 14:05 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2011-10-10 23:04 . 2011-10-10 23:04 -------- d-----w- C:\Temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-16 01:09 . 2011-05-14 09:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-09-18 17:39 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 07:37 . 2010-05-01 05:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45 . 2010-06-30 20:36 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-04-13 03:29 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-02-28 10:44 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2010-04-13 03:29 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-04-13 03:29 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-04-13 03:29 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2010-04-13 03:29 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2010-04-13 03:29 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2010-04-13 03:29 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2010-04-13 03:29 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-06 13:20 . 2008-09-18 18:07 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-09-18 18:11 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-09-19 01:13 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-20 8429568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AdSubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\AdSubtract.lnk
backup=c:\windows\pss\AdSubtract.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 -c----r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-06-28 11:46 622592 -c----w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-06-29 16:18 77824 -c--a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-20 13:32 8429568 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-20 13:32 81920 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-20 13:32 1626112 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 -c--a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-05 08:08 16380416 -c----r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 22:02 49152 -c--a-w- c:\program files\Brother\Brmfl06b\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-06-15 08:45 1826816 -c----r- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/28/2011 5:44 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/12/2010 10:29 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/12/2010 10:29 PM 20568]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://pogo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Gamevance - c:\program files\Gamevance\gamevance32.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-kuRLTCDnyhmgyh - c:\documents and settings\All Users\Application Data\kuRLTCDnyhmgyh.exe
MSConfigStartUp-My Faster PC - c:\program files\consumersoft\my faster pc\mfpchelper.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\documents and settings\Owner\Desktop\Uniblue\RegistryBooster\RegistryBooster.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-09 14:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2011-11-09 14:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-09 19:29
.
Pre-Run: 53,035,126,784 bytes free
Post-Run: 54,038,609,920 bytes free
.
- - End Of File - - D5FED9A161C35C15E38B2D8DC84406B5

#24 MARIANNE97

    Authentic Member

  • 36 posts

Posted 09 November 2011 - 02:53 PM

Hello again :) I went through and searched for the TDSS log after ComboFix ran and I was able to find it this time. I was also able to bring up some OTL logs... it says one was at 1:38 and one at 1:45. I do believe I ran it twice because it didn't produce a log for me, but I was able to find them in the OTL folder in search now :) Hope these help along with the ComboFix log.

Thank you

(TDSSKiller LOG)

13:55:46.0203 0812 TDSS rootkit removing tool 2.6.16.0 Nov 7 2011 16:26:51
13:55:46.0359 0812 ============================================================
13:55:46.0359 0812 Current date / time: 2011/11/09 13:55:46.0359
13:55:46.0359 0812 SystemInfo:
13:55:46.0359 0812
13:55:46.0359 0812 OS Version: 5.1.2600 ServicePack: 3.0
13:55:46.0359 0812 Product type: Workstation
13:55:46.0359 0812 ComputerName: OWNER-BZ2MQ7E6C
13:55:46.0359 0812 UserName: Owner
13:55:46.0359 0812 Windows directory: C:\WINDOWS
13:55:46.0359 0812 System windows directory: C:\WINDOWS
13:55:46.0359 0812 Processor architecture: Intel x86
13:55:46.0359 0812 Number of processors: 1
13:55:46.0359 0812 Page size: 0x1000
13:55:46.0359 0812 Boot type: Normal boot
13:55:46.0359 0812 ============================================================
13:55:48.0171 0812 Initialize success
13:55:51.0906 2500 ============================================================
13:55:51.0906 2500 Scan started
13:55:51.0906 2500 Mode: Manual;
13:55:51.0906 2500 ============================================================
13:55:53.0312 2500 Aavmker4 (95d1de2a6613494e853a9738d5d9acd4) C:\WINDOWS\system32\drivers\Aavmker4.sys
13:55:53.0312 2500 Aavmker4 - ok
13:55:53.0515 2500 Abiosdsk - ok
13:55:53.0609 2500 abp480n5 - ok
13:55:53.0687 2500 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:55:53.0687 2500 ACPI - ok
13:55:53.0750 2500 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:55:53.0750 2500 ACPIEC - ok
13:55:53.0781 2500 adpu160m - ok
13:55:53.0859 2500 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:55:53.0859 2500 aec - ok
13:55:53.0968 2500 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:55:53.0968 2500 AFD - ok
13:55:54.0015 2500 Aha154x - ok
13:55:54.0046 2500 aic78u2 - ok
13:55:54.0078 2500 aic78xx - ok
13:55:54.0125 2500 AliIde - ok
13:55:54.0171 2500 amsint - ok
13:55:54.0234 2500 asc - ok
13:55:54.0250 2500 asc3350p - ok
13:55:54.0281 2500 asc3550 - ok
13:55:54.0343 2500 aswFsBlk (c47623ffd181a1e7d63574dde2a0a711) C:\WINDOWS\system32\drivers\aswFsBlk.sys
13:55:54.0343 2500 aswFsBlk - ok
13:55:54.0390 2500 aswMon2 (fff2dbb17a3c89f87f78d5fa72ca47fd) C:\WINDOWS\system32\drivers\aswMon2.sys
13:55:54.0406 2500 aswMon2 - ok
13:55:54.0500 2500 aswRdr (36239e24470a3dd81fae37510953cc6c) C:\WINDOWS\system32\drivers\aswRdr.sys
13:55:54.0500 2500 aswRdr - ok
13:55:54.0593 2500 aswSnx (caa846e9c83836bdc3d2d700c678db65) C:\WINDOWS\system32\drivers\aswSnx.sys
13:55:54.0593 2500 aswSnx - ok
13:55:54.0640 2500 aswSP (748ae7f2d7da33adb063fe05704a9969) C:\WINDOWS\system32\drivers\aswSP.sys
13:55:54.0640 2500 aswSP - ok
13:55:54.0671 2500 aswTdi (ca9925ce1dbd07ffe1eb357752cf5577) C:\WINDOWS\system32\drivers\aswTdi.sys
13:55:54.0671 2500 aswTdi - ok
13:55:54.0718 2500 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:55:54.0718 2500 AsyncMac - ok
13:55:54.0765 2500 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:55:54.0765 2500 atapi - ok
13:55:54.0890 2500 Atdisk - ok
13:55:54.0921 2500 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:55:54.0921 2500 Atmarpc - ok
13:55:54.0984 2500 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:55:54.0984 2500 audstub - ok
13:55:55.0031 2500 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:55:55.0031 2500 Beep - ok
13:55:55.0125 2500 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
13:55:55.0125 2500 BrScnUsb - ok
13:55:55.0171 2500 BrSerIf (d48c13f4a409aee8dafaddac81e34557) C:\WINDOWS\system32\Drivers\BrSerIf.sys
13:55:55.0171 2500 BrSerIf - ok
13:55:55.0203 2500 BrUsbSer (8fa0ac830a8312912a3aa0c0431cba0d) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
13:55:55.0203 2500 BrUsbSer - ok
13:55:55.0390 2500 catchme - ok
13:55:55.0484 2500 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:55:55.0484 2500 cbidf2k - ok
13:55:55.0515 2500 cd20xrnt - ok
13:55:55.0531 2500 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:55:55.0531 2500 Cdaudio - ok
13:55:55.0593 2500 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:55:55.0593 2500 Cdfs - ok
13:55:55.0625 2500 Cdrom - ok
13:55:55.0640 2500 Changer - ok
13:55:55.0671 2500 CmdIde - ok
13:55:55.0734 2500 Cpqarray - ok
13:55:55.0765 2500 dac2w2k - ok
13:55:55.0781 2500 dac960nt - ok
13:55:55.0812 2500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:55:55.0812 2500 Disk - ok
13:55:56.0000 2500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:55:56.0031 2500 dmboot - ok
13:55:56.0062 2500 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:55:56.0062 2500 dmio - ok
13:55:56.0109 2500 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:55:56.0109 2500 dmload - ok
13:55:56.0187 2500 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:55:56.0187 2500 DMusic - ok
13:55:56.0265 2500 dpti2o - ok
13:55:56.0312 2500 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:55:56.0312 2500 drmkaud - ok
13:55:56.0421 2500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:55:56.0453 2500 Fastfat - ok
13:55:56.0515 2500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:55:56.0515 2500 Fdc - ok
13:55:56.0625 2500 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:55:56.0625 2500 Fips - ok
13:55:56.0687 2500 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:55:56.0703 2500 Flpydisk - ok
13:55:56.0765 2500 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:55:56.0781 2500 FltMgr - ok
13:55:56.0843 2500 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:55:56.0843 2500 Fs_Rec - ok
13:55:56.0906 2500 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:55:56.0921 2500 Ftdisk - ok
13:55:56.0968 2500 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:55:56.0968 2500 Gpc - ok
13:55:57.0031 2500 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:55:57.0031 2500 HDAudBus - ok
13:55:57.0078 2500 hpn - ok
13:55:57.0093 2500 hpt3xx - ok
13:55:57.0171 2500 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:55:57.0171 2500 HTTP - ok
13:55:57.0203 2500 i2omgmt - ok
13:55:57.0234 2500 i2omp - ok
13:55:57.0265 2500 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:55:57.0281 2500 i8042prt - ok
13:55:57.0343 2500 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:55:57.0359 2500 Imapi - ok
13:55:57.0390 2500 ini910u - ok
13:55:58.0046 2500 IntcAzAudAddService (1ebde650d97a8eccdc1cc4a0804647cd) C:\WINDOWS\system32\drivers\RtkHDAud.sys
13:55:58.0078 2500 IntcAzAudAddService - ok
13:55:58.0250 2500 IntelIde - ok
13:55:58.0328 2500 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:55:58.0328 2500 ip6fw - ok
13:55:58.0390 2500 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:55:58.0390 2500 IpFilterDriver - ok
13:55:58.0468 2500 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:55:58.0468 2500 IpInIp - ok
13:55:58.0562 2500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:55:58.0562 2500 IpNat - ok
13:55:58.0625 2500 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:55:58.0625 2500 IPSec - ok
13:55:58.0656 2500 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:55:58.0656 2500 IRENUM - ok
13:55:58.0703 2500 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:55:58.0703 2500 isapnp - ok
13:55:58.0734 2500 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:55:58.0734 2500 Kbdclass - ok
13:55:58.0750 2500 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:55:58.0765 2500 kmixer - ok
13:55:58.0812 2500 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:55:58.0812 2500 KSecDD - ok
13:55:58.0875 2500 lbrtfdc - ok
13:55:58.0937 2500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:55:58.0937 2500 mnmdd - ok
13:55:59.0000 2500 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:55:59.0000 2500 Modem - ok
13:55:59.0046 2500 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:55:59.0062 2500 Mouclass - ok
13:55:59.0109 2500 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:55:59.0109 2500 MountMgr - ok
13:55:59.0125 2500 mraid35x - ok
13:55:59.0187 2500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:55:59.0187 2500 MRxDAV - ok
13:55:59.0312 2500 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:55:59.0359 2500 MRxSmb - ok
13:55:59.0406 2500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:55:59.0406 2500 Msfs - ok
13:55:59.0468 2500 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:55:59.0468 2500 MSKSSRV - ok
13:55:59.0484 2500 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:55:59.0484 2500 MSPCLOCK - ok
13:55:59.0515 2500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:55:59.0515 2500 MSPQM - ok
13:55:59.0546 2500 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:55:59.0578 2500 mssmbios - ok
13:55:59.0625 2500 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:55:59.0625 2500 Mup - ok
13:55:59.0718 2500 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:55:59.0718 2500 NDIS - ok
13:55:59.0781 2500 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:55:59.0781 2500 NdisTapi - ok
13:55:59.0812 2500 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:55:59.0812 2500 Ndisuio - ok
13:55:59.0828 2500 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:55:59.0828 2500 NdisWan - ok
13:55:59.0937 2500 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:55:59.0953 2500 NDProxy - ok
13:56:00.0000 2500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:56:00.0000 2500 NetBIOS - ok
13:56:00.0078 2500 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:56:00.0093 2500 NetBT - ok
13:56:00.0171 2500 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:56:00.0187 2500 Npfs - ok
13:56:00.0234 2500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:56:00.0250 2500 Ntfs - ok
13:56:00.0312 2500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:56:00.0328 2500 Null - ok
13:56:01.0203 2500 nv (f43b110e1e97eb5606ab51aea2a26247) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:56:02.0437 2500 nv - ok
13:56:02.0656 2500 NVENETFD (d875346596bd48d74ac9b9be791b8d69) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
13:56:02.0656 2500 NVENETFD - ok
13:56:02.0718 2500 nvnetbus (f02c1c5e84c37667ecd3eea5958449bc) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
13:56:02.0718 2500 nvnetbus - ok
13:56:02.0796 2500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:56:02.0796 2500 NwlnkFlt - ok
13:56:02.0828 2500 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:56:02.0843 2500 NwlnkFwd - ok
13:56:02.0906 2500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:56:02.0906 2500 Parport - ok
13:56:02.0953 2500 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:56:02.0953 2500 PartMgr - ok
13:56:03.0031 2500 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:56:03.0031 2500 ParVdm - ok
13:56:03.0140 2500 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:56:03.0140 2500 PCI - ok
13:56:03.0156 2500 PCIDump - ok
13:56:03.0203 2500 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:56:03.0203 2500 PCIIde - ok
13:56:03.0250 2500 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:56:03.0281 2500 Pcmcia - ok
13:56:03.0296 2500 PDCOMP - ok
13:56:03.0343 2500 PDFRAME - ok
13:56:03.0359 2500 PDRELI - ok
13:56:03.0390 2500 PDRFRAME - ok
13:56:03.0421 2500 perc2 - ok
13:56:03.0437 2500 perc2hib - ok
13:56:03.0515 2500 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:56:03.0531 2500 PptpMiniport - ok
13:56:03.0578 2500 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
13:56:03.0578 2500 Processor - ok
13:56:03.0640 2500 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:56:03.0640 2500 PSched - ok
13:56:03.0656 2500 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:56:03.0656 2500 Ptilink - ok
13:56:03.0703 2500 ql1080 - ok
13:56:03.0750 2500 Ql10wnt - ok
13:56:03.0765 2500 ql12160 - ok
13:56:03.0781 2500 ql1240 - ok
13:56:03.0796 2500 ql1280 - ok
13:56:03.0828 2500 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:56:03.0828 2500 RasAcd - ok
13:56:03.0859 2500 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:56:03.0859 2500 Rasl2tp - ok
13:56:03.0890 2500 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:56:03.0906 2500 RasPppoe - ok
13:56:03.0937 2500 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:56:03.0937 2500 Raspti - ok
13:56:04.0015 2500 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:56:04.0015 2500 Rdbss - ok
13:56:04.0046 2500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:56:04.0046 2500 RDPCDD - ok
13:56:04.0140 2500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:56:04.0140 2500 rdpdr - ok
13:56:04.0203 2500 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
13:56:04.0218 2500 RDPWD - ok
13:56:04.0265 2500 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:56:04.0281 2500 redbook - ok
13:56:04.0375 2500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:56:04.0375 2500 Secdrv - ok
13:56:04.0406 2500 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:56:04.0406 2500 serenum - ok
13:56:04.0437 2500 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:56:04.0437 2500 Serial - ok
13:56:04.0531 2500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:56:04.0531 2500 Sfloppy - ok
13:56:04.0578 2500 Simbad - ok
13:56:04.0609 2500 Sparrow - ok
13:56:04.0656 2500 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:56:04.0656 2500 splitter - ok
13:56:04.0703 2500 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:56:04.0703 2500 sr - ok
13:56:04.0812 2500 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:56:04.0828 2500 Srv - ok
13:56:04.0859 2500 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:56:04.0859 2500 swenum - ok
13:56:04.0890 2500 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:56:04.0890 2500 swmidi - ok
13:56:04.0921 2500 symc810 - ok
13:56:04.0953 2500 symc8xx - ok
13:56:04.0968 2500 sym_hi - ok
13:56:05.0031 2500 sym_u3 - ok
13:56:05.0078 2500 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:56:05.0078 2500 sysaudio - ok
13:56:05.0156 2500 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:56:05.0171 2500 Tcpip - ok
13:56:05.0234 2500 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:56:05.0234 2500 TDPIPE - ok
13:56:05.0281 2500 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:56:05.0281 2500 TDTCP - ok
13:56:05.0312 2500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:56:05.0312 2500 TermDD - ok
13:56:05.0375 2500 TosIde - ok
13:56:05.0406 2500 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:56:05.0421 2500 Udfs - ok
13:56:05.0437 2500 ultra - ok
13:56:05.0546 2500 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:56:05.0593 2500 Update - ok
13:56:05.0656 2500 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
13:56:05.0671 2500 USBAAPL - ok
13:56:05.0718 2500 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:56:05.0734 2500 usbccgp - ok
13:56:05.0750 2500 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:56:05.0765 2500 usbehci - ok
13:56:05.0781 2500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:56:05.0781 2500 usbhub - ok
13:56:05.0828 2500 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
13:56:05.0828 2500 usbohci - ok
13:56:05.0843 2500 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:56:05.0843 2500 usbprint - ok
13:56:05.0906 2500 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:56:05.0906 2500 usbscan - ok
13:56:05.0921 2500 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:56:05.0921 2500 USBSTOR - ok
13:56:05.0953 2500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:56:05.0953 2500 VgaSave - ok
13:56:05.0968 2500 ViaIde - ok
13:56:06.0015 2500 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:56:06.0015 2500 VolSnap - ok
13:56:06.0109 2500 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:56:06.0109 2500 Wanarp - ok
13:56:06.0171 2500 WDICA - ok
13:56:06.0218 2500 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:56:06.0218 2500 wdmaud - ok
13:56:06.0296 2500 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
13:56:06.0312 2500 WmiAcpi - ok
13:56:06.0453 2500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:56:06.0453 2500 WudfPf - ok
13:56:06.0500 2500 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:56:06.0500 2500 WudfRd - ok
13:56:06.0546 2500 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:56:06.0578 2500 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
13:56:06.0578 2500 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
13:56:06.0578 2500 Boot (0x1200) (ede9411145df7f165495cb3c6929701e) \Device\Harddisk0\DR0\Partition0
13:56:06.0578 2500 \Device\Harddisk0\DR0\Partition0 - ok
13:56:06.0578 2500 ============================================================
13:56:06.0578 2500 Scan finished
13:56:06.0578 2500 ============================================================
13:56:06.0593 3900 Detected object count: 1
13:56:06.0609 3900 Actual detected object count: 1
13:57:07.0640 3900 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
13:57:07.0640 3900 \Device\Harddisk0\DR0 - ok
13:57:07.0640 3900 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
13:57:22.0859 2064 Deinitialize success



(OTL log 1)

========== OTL ==========
Process explorer.exe killed successfully!
HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
94.63.240.131 www.google.com removed from HOSTS file successfully
94.63.240.132 www.bing.com removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\volmgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\volmgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\winupd not found.
File C:\WINDOWS\Temp\winupd.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\volmgr not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\winupd not found.
File C:\WINDOWS\Temp\winupd.exe not found.
Registry value HKEY_USERS\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\ deleted successfully.
C:\Documents and Settings\All Users\Desktop\Privacy Protection.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\xyxe.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\rgsg.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\qdvq.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\lukc.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\BQXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\FEYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\FJYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\GFYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\GQXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\HHYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\HXXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\IBYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\JVXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\LIYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\LTXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\LWXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\NRXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\PKYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\RVXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\RXXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\SBYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\SRXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\VYXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\XZXUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\YFYUVTWGYG folder moved successfully.
C:\Documents and Settings\All Users\Application Data\ZXXUVTWGYG folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FDF9B285 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:EEB25EAE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9EF92A1A deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 1378 bytes

User: All Users

User: Default User

User: Guest
->Flash cache emptied: 456 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 16552 bytes

User: Owner
->Flash cache emptied: 1527178 bytes

Total Flash Files Cleaned = 1.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 11092011_133807
(OTL log 2)

========== OTL ==========
Process explorer.exe killed successfully!
HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\volmgr not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\volmgr not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\winupd not found.
File C:\WINDOWS\Temp\winupd.exe not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\volmgr not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\winupd not found.
File C:\WINDOWS\Temp\winupd.exe not found.
Registry value HKEY_USERS\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\ not found.
File C:\Documents and Settings\All Users\Desktop\Privacy Protection.lnk not found.
File C:\Documents and Settings\All Users\Application Data\xyxe.exe not found.
File C:\Documents and Settings\All Users\Application Data\rgsg.exe not found.
File C:\Documents and Settings\All Users\Application Data\qdvq.exe not found.
File C:\Documents and Settings\All Users\Application Data\lukc.exe not found.
Folder C:\Documents and Settings\All Users\Application Data\BQXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\FEYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\FJYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\GFYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\GQXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\HHYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\HXXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\IBYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\JVXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\LIYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\LTXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\LWXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\NRXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\PKYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\RVXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\RXXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\SBYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\SRXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\VYXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\XZXUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\YFYUVTWGYG\ not found.
Folder C:\Documents and Settings\All Users\Application Data\ZXXUVTWGYG\ not found.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:FDF9B285 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:EEB25EAE .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:9EF92A1A .
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

#25 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 09 November 2011 - 06:20 PM

Hello MARIANNE97

> Sorry I was MIA for a bit

No problem at all - there is no rush.

> Hope these help along with the Combofix log

All of those logs are very helpful :)

You did a really great job getting those tools to run :thumbup:

> then the desktop icons and clock disappeared

These should have re-appeared when ComboFix completed its run. Please let me know if they did.

Let's continue:


  • MalwareBytes AntiMalware:


    • I can see that you have MBAM installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Full Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  • Please update your Java


    • To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
    • In the window that opens, click on the "Update" tab, and then on "Update Now".
    • Your Java should begin to update. Please follow any prompts that you receive.

  • OTL

    • Please scan the machine with OTL again (exactly the same way as you did in your very first post).

    Please post the MBAM log and the OTL log in your next reply.



#26 MARIANNE97

MARIANNE97

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 09 November 2011 - 11:09 PM

> No problem at all - there is no rush.

Thank you for being so patient with me :)


> All of those logs are very helpful :)

Great! I was so happy when I could finally get them for you :woot:


> You did a really great job getting those tools to run :thumbup:

You are doing a fantastic job! I'm merely the puppet ...I was pulling out my hair before I got your help lol :pullhair:


> These should have re-appeared when ComboFix completed its run. Please let me know if they did.

They sure did :) thank you!


Ok here we go with the new logs ....

(MBAM LOG)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8129

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/9/2011 11:48:16 PM
mbam-log-2011-11-09 (23-48-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 270839
Time elapsed: 32 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



(JAVA)

It says that I already have the latest Java


(OTL log)


OTL logfile created on: 11/9/2011 11:53:14 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.17 Mb Total Physical Memory | 409.20 Mb Available Physical Memory | 45.71% Memory free
2.12 Gb Paging File | 1.80 Gb Available in Paging File | 85.11% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 50.34 Gb Free Space | 67.55% Space Free | Partition Type: NTFS

Computer Name: OWNER-BZ2MQ7E6C | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\New Folder\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Alwil Software\Avast5\defs\11110901\algo.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\11110901\aswRep.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found
DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/11/09 14:25:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1221784093359 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1256451306250 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{722AA42D-3320-47D2-A261-FC87E700BDDD}: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/18 12:42:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/09 15:05:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/11/09 14:18:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/11/09 14:18:25 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2011/11/09 13:38:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/11/09 06:34:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/11/09 05:43:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/11/09 05:37:22 | 004,287,742 | R--- | C] (Swearware) -- C:\jontom.com
[2011/11/08 12:09:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/11/08 12:07:06 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/11/08 12:07:06 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/11/08 12:07:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/11/08 12:07:06 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/11/08 12:06:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/11/08 12:06:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/11/07 13:32:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis
[2011/11/07 13:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\M
[2011/11/07 09:13:17 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/11/07 09:13:17 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/11/07 09:13:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/11/07 09:13:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/11/07 01:32:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder
[2011/11/07 01:20:23 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/11/07 01:19:12 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
[2011/11/06 19:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/06 19:48:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/06 19:48:36 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/06 19:48:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/06 18:17:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Recent
[2011/11/06 16:55:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/11/06 05:46:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/06 05:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/10/18 16:30:49 | 000,000,000 | ---D | C] -- C:\extensions
[2011/10/18 16:30:48 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/10/18 16:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Temp
[2011/10/18 16:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit
[2011/10/18 16:29:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2011/10/16 03:12:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SulusGames
[2011/10/16 03:12:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[2011/10/16 03:11:56 | 000,000,000 | ---D | C] -- C:\Program Files\Strange Cases - The Tarot Card Mystery
[2011/10/16 03:11:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Strange Cases - The Tarot Card Mystery
[2011/10/16 03:09:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/10/16 03:08:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/09 14:25:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/09 14:25:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/09 14:24:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/09 14:07:07 | 004,287,742 | R--- | M] (Swearware) -- C:\jontom.com
[2011/11/09 03:20:36 | 000,000,129 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/11/08 16:17:41 | 000,433,098 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/08 16:17:41 | 000,067,862 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/08 12:09:27 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2011/11/07 21:14:43 | 000,031,351 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Documentapril.rtf
[2011/11/07 13:22:36 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/07 09:16:23 | 000,000,223 | ---- | M] () -- C:\Boot.bak
[2011/11/07 01:20:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/11/07 01:19:13 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
[2011/11/06 20:14:58 | 000,000,194 | -HS- | M] () -- C:\Program Files\Common Files\winset.ini
[2011/11/06 05:07:53 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google.url
[2011/11/05 20:30:38 | 000,035,122 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-wrap-your-head-around-that-math.jpg
[2011/11/05 20:30:37 | 000,048,042 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-its-important-to-know-where-to-measure-from.jpg
[2011/11/05 17:46:51 | 000,029,943 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\jeffrey-campbell-lita-shag.jpg
[2011/11/05 03:51:58 | 000,000,179 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\LoudCity.com.url
[2011/11/04 08:20:54 | 000,020,553 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Important Information Regarding the National EAS Test on Nov_ 9.eml
[2011/11/02 19:35:00 | 000,012,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\JOB CREATED.jpg
[2011/11/02 19:03:52 | 000,302,346 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Find area code lookup by number on WebShoppingHelper.mht
[2011/10/24 03:18:51 | 000,000,119 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dayam YOU AUTOCORRECT.url
[2011/10/21 21:13:52 | 000,010,467 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\JEALOUS WOMEN.jpg
[2011/10/21 02:47:09 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Tippecanoe Waste Removal, Inc Home.url
[2011/10/17 04:03:42 | 000,001,210 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Earmarks Map – 2011 Requests Ending Spending EndingSpending.com.url
[2011/10/17 03:20:21 | 001,333,597 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jakie_time_out_lol.jpg
[2011/10/15 20:09:32 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/13 17:57:09 | 000,148,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/13 03:34:47 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/11 17:11:59 | 000,882,519 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Conjoined twins 34 amazing photos (GRAPHIC IMAGES) Pictures - CBS News.mht
[2011/10/11 15:13:51 | 000,007,919 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Be Strong and Save Now with Os-Cal.eml
[2011/10/11 04:26:38 | 000,000,172 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Free Polls, Questions, and Answers, News Discussions - SodaHead.url
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/09 14:15:22 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/09 14:15:22 | 000,000,242 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Internet Options.lnk
[2011/11/09 03:20:36 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/11/08 12:09:27 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2011/11/08 12:09:26 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/11/08 12:07:06 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/08 12:07:06 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/08 12:07:06 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/08 12:07:06 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/08 12:07:06 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/07 13:32:19 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/07 13:32:19 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/11/07 13:32:19 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/11/07 13:32:19 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Outlook Express.lnk
[2011/11/07 13:32:19 | 000,000,680 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\EmailStripper.lnk
[2011/11/07 13:32:19 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to XuMouse.lnk
[2011/11/07 13:32:19 | 000,000,211 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google.url
[2011/11/07 13:32:19 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/11/07 13:32:17 | 000,002,391 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2011/11/07 13:32:17 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/11/07 13:32:17 | 000,001,844 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2011/11/07 13:32:17 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/11/07 13:32:17 | 000,000,785 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/11/07 13:32:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat.com.lnk
[2011/11/06 20:03:26 | 000,000,194 | -HS- | C] () -- C:\Program Files\Common Files\winset.ini
[2011/11/06 05:47:25 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/05 20:34:15 | 000,035,122 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-wrap-your-head-around-that-math.jpg
[2011/11/05 20:32:09 | 000,048,042 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-its-important-to-know-where-to-measure-from.jpg
[2011/11/05 17:52:54 | 000,029,943 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\jeffrey-campbell-lita-shag.jpg
[2011/11/04 08:48:16 | 000,031,351 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Documentapril.rtf
[2011/11/04 08:20:54 | 000,020,553 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Important Information Regarding the National EAS Test on Nov_ 9.eml
[2011/11/02 19:36:28 | 000,012,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\JOB CREATED.jpg
[2011/11/02 19:03:47 | 000,302,346 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Find area code lookup by number on WebShoppingHelper.mht
[2011/10/24 03:18:51 | 000,000,119 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dayam YOU AUTOCORRECT.url
[2011/10/21 21:16:50 | 000,010,467 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\JEALOUS WOMEN.jpg
[2011/10/21 02:47:09 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Tippecanoe Waste Removal, Inc Home.url
[2011/10/17 04:03:42 | 000,001,210 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Earmarks Map – 2011 Requests Ending Spending EndingSpending.com.url
[2011/10/17 03:20:30 | 001,333,597 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jakie_time_out_lol.jpg
[2011/10/11 17:11:51 | 000,882,519 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Conjoined twins 34 amazing photos (GRAPHIC IMAGES) Pictures - CBS News.mht
[2011/10/11 15:13:51 | 000,007,919 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Be Strong and Save Now with Os-Cal.eml
[2011/01/15 05:33:35 | 000,091,712 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/05 17:01:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/14 20:12:31 | 000,017,532 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/30 22:53:06 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Launch Internet Explorer Browser.lnk
[2009/05/25 18:40:40 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/05/25 18:40:40 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/05/25 18:38:56 | 000,000,228 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/05/25 18:38:56 | 000,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/05/25 18:38:56 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf06a.dat
[2009/05/25 18:38:11 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/05/25 18:38:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2009/02/23 21:52:49 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/13 00:25:32 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/12 03:11:23 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/19 01:58:51 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\adsubtb.dll
[2008/09/19 01:58:51 | 000,002,150 | ---- | C] () -- C:\WINDOWS\System32\nshxml.ini
[2008/09/18 13:20:44 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008/09/18 12:56:12 | 000,001,732 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2008/09/18 12:44:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/09/18 12:39:12 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/09/18 08:35:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/09/18 08:34:05 | 000,148,400 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/20 08:32:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/20 08:32:00 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/04/20 08:32:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/20 08:32:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/04/20 08:32:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/20 08:32:00 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/04/20 08:32:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/20 08:32:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/04/20 08:32:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/04/20 08:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,433,098 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,067,862 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >



Before I forget to ask... would the files that are backed up on our USB flash drives be infected?




I will get some sleep now and be back with you in the morning :) Thank you :wavey:

#27 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 11 November 2011 - 07:09 AM

Hello MARIANNE97

Thank you for the logs.

Before I forget to ask... would the files that are backed up on our USB flash drives be infected?

It's certainly possible. The flash drives can be scanned with MBAM as a precaution.

Let's continue:

  • Temporary File Cleaner


    • Download TFC to your desktop.
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish.
    • Once complete it should automatically reboot your machine.
    • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
    • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.
  • Please run the following scan


    • Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.


    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.


    • Check Posted Image
    • Click the Posted Image button.
    • Accept any security warnings from your browser.
    • Check Posted Image
    • Make sure that the option to "Remove Found Threats" is UN checked.
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push Posted Image
    • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the Posted Image button.
    • Push Posted Image

    Please post the ESET log in your next reply and let me know how the machine is behaving now :)


#28 MARIANNE97

MARIANNE97

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 11 November 2011 - 04:39 PM

Hello JonTom :) I ran the scans as directed. The ESET scan did not produce a log or have a back button on the Internet Explorer page, but I took a screenshot of the final page. I did find a log saved on the desktop and I don't know if it was generated by the ESET scan... I'm sure that you will know (see below: hs_err_pid3992.log).


Also, when Avast ran a scan it came up with no threats, but the results in the log said:

(C:\3425165832 error: the file can not be accessed)

Thank you, I'll be around all evening :)


(hs_err_pid3992.log)

#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x006e0065, pid=3992, tid=1192
#
# JRE version: 6.0_29-b11
# Java VM: Java HotSpot(TM) Client VM (20.4-b02 mixed mode, sharing windows-x86 )
# Problematic frame:
# C 0x006e0065
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/...eport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

--------------- T H R E A D ---------------

Current thread (0x00dfec00): JavaThread "AWT-Windows" daemon [_thread_in_native, id=1192, stack(0x009d0000,0x00ad0000)]

siginfo: ExceptionCode=0xc0000005, reading address 0x006e0065

Instructions: (pc=0x006e0065)
0x006e0045:
[error occurred during error reporting (printing registers, top of stack, instructions near pc), id 0xc0000005]


Stack: [0x009d0000,0x00ad0000], sp=0x00acfae0, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C 0x006e0065
C [USER32.dll+0x8734] GetDC+0x6d
C [USER32.dll+0x8816] GetDC+0x14f
C [USER32.dll+0x89cd] GetWindowLongW+0x127
C [USER32.dll+0x8a10] DispatchMessageW+0xf

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j sun.awt.windows.WToolkit.eventLoop()V+0
j sun.awt.windows.WToolkit.run()V+52
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x033d5400 JavaThread "Direct Clip" daemon [_thread_blocked, id=3504, stack(0x050b0000,0x05100000)]
0x057e8400 JavaThread "Direct Clip" daemon [_thread_blocked, id=2924, stack(0x060c0000,0x06110000)]
0x00d19c00 JavaThread "Direct Clip" daemon [_thread_blocked, id=3908, stack(0x05100000,0x05150000)]
0x03435400 JavaThread "Image Animator 0" daemon [_thread_blocked, id=1072, stack(0x05310000,0x05360000)]
0x00db5400 JavaThread "TickTimer" daemon [_thread_blocked, id=1316, stack(0x06070000,0x060c0000)]
0x03486800 JavaThread "Timer2" daemon [_thread_blocked, id=2756, stack(0x06020000,0x06070000)]
0x03ea7400 JavaThread "ScrollingLabel" daemon [_thread_blocked, id=2652, stack(0x056d0000,0x05720000)]
0x03e65400 JavaThread "InvalQueue-com.pogo.ui2.awt.q[ClientApplet-GamePanel,3,0,548x394]-ClientApplet-GamePanel" daemon [_thread_blocked, id=1340, stack(0x05680000,0x056d0000)]
0x033cf800 JavaThread "InvalQueue-com.pogo.ui2.awt.q[ClientApplet-ChatPanel,6,0,180x392,layout=com.pogo.ui2.awt.e]-ClientApplet-ChatPanel" daemon [_thread_blocked, id=3684, stack(0x05630000,0x05680000)]
0x00d9fc00 JavaThread "SocketConnection" daemon [_thread_in_native, id=3336, stack(0x055e0000,0x05630000)]
0x040e7c00 JavaThread "ScrollBar" daemon [_thread_blocked, id=3092, stack(0x05590000,0x055e0000)]
0x032bbc00 JavaThread "TextField" daemon [_thread_blocked, id=1256, stack(0x05540000,0x05590000)]
0x041a1800 JavaThread "ScrollBar" daemon [_thread_blocked, id=2448, stack(0x054f0000,0x05540000)]
0x03294000 JavaThread "ScrollBar" daemon [_thread_blocked, id=1216, stack(0x054a0000,0x054f0000)]
0x03edf800 JavaThread "TickTimer" daemon [_thread_blocked, id=2704, stack(0x05450000,0x054a0000)]
0x041b2400 JavaThread "ScrollBar" daemon [_thread_blocked, id=2260, stack(0x05400000,0x05450000)]
0x03ea4c00 JavaThread "Applet-EventThread" daemon [_thread_blocked, id=2572, stack(0x053b0000,0x05400000)]
0x03f48400 JavaThread "drawpoker AlarmQueue" [_thread_blocked, id=2072, stack(0x05360000,0x053b0000)]
0x032b4c00 JavaThread "AsynchRasterManager.avatar" daemon [_thread_blocked, id=2892, stack(0x052c0000,0x05310000)]
0x0339d800 JavaThread "Thread-445" daemon [_thread_blocked, id=744, stack(0x05270000,0x052c0000)]
0x03eb4800 JavaThread "Thread-444" daemon [_thread_blocked, id=3004, stack(0x05220000,0x05270000)]
0x03e6c400 JavaThread "Thread-443" daemon [_thread_blocked, id=3880, stack(0x05150000,0x051a0000)]
0x03fac400 JavaThread "thread applet-com.pogo.game.client2.drawpoker.DrawPokerApplet-12" [_thread_blocked, id=3924, stack(0x05010000,0x05060000)]
0x00df6000 JavaThread "thread applet-com.pogo.game.client2.shell.ShellApplet-11" [_thread_blocked, id=3476, stack(0x04f70000,0x04fc0000)]
0x03e38800 JavaThread "Applet 11 LiveConnect Worker Thread" [_thread_blocked, id=2512, stack(0x049c0000,0x04a10000)]
0x033f2c00 JavaThread "thread applet-com.pogo.game.client2.shell.ShellApplet-10" [_thread_blocked, id=2888, stack(0x04880000,0x048d0000)]
0x03e4e000 JavaThread "Applet 10 LiveConnect Worker Thread" [_thread_blocked, id=1496, stack(0x03630000,0x03680000)]
0x03f2b800 JavaThread "Image Animator 1" daemon [_thread_in_native, id=1432, stack(0x05060000,0x050b0000)]
0x03f4d400 JavaThread "TickTimer" daemon [_thread_blocked, id=472, stack(0x03b90000,0x03be0000)]
0x03293400 JavaThread "ScrollBar" daemon [_thread_blocked, id=3568, stack(0x04e20000,0x04e70000)]
0x03ef6400 JavaThread "InvalQueue-com.pogo.ui2.awt.q[ClientApplet-GamePanel,0,0,458x276,invalid]-ClientApplet-GamePanel" daemon [_thread_blocked, id=2356, stack(0x04c50000,0x04ca0000)]
0x03458400 JavaThread "InvalQueue-com.pogo.ui2.awt.q[ClientApplet-ChatPanel,0,276,458x127,layout=com.pogo.ui2.awt.e]-ClientApplet-ChatPanel" daemon [_thread_blocked, id=1656, stack(0x04c00000,0x04c50000)]
0x03e7c400 JavaThread "ScrollBar" daemon [_thread_blocked, id=2584, stack(0x04bb0000,0x04c00000)]
0x03e80800 JavaThread "TextField" daemon [_thread_blocked, id=2428, stack(0x04b60000,0x04bb0000)]
0x03f4b400 JavaThread "ScrollBar" daemon [_thread_blocked, id=4052, stack(0x04b10000,0x04b60000)]
0x00df6c00 JavaThread "TickTimer" daemon [_thread_blocked, id=1640, stack(0x04ac0000,0x04b10000)]
0x03410400 JavaThread "ScrollBar" daemon [_thread_blocked, id=3984, stack(0x04a70000,0x04ac0000)]
0x03436000 JavaThread "BadgeStorage" daemon [_thread_blocked, id=3808, stack(0x04a10000,0x04a60000)]
0x03351c00 JavaThread "SocketConnection" daemon [_thread_in_native, id=2208, stack(0x04920000,0x04970000)]
0x033d1800 JavaThread "Applet-EventThread" daemon [_thread_blocked, id=3892, stack(0x048d0000,0x04920000)]
0x03f69400 JavaThread "Direct Clip" daemon [_thread_blocked, id=2620, stack(0x04830000,0x04880000)]
0x03ebb400 JavaThread "AsynchRasterManager.avatar" daemon [_thread_blocked, id=248, stack(0x044d0000,0x04520000)]
0x0345b800 JavaThread "Thread-433" daemon [_thread_blocked, id=2088, stack(0x04480000,0x044d0000)]
0x03ef6800 JavaThread "Thread-432" daemon [_thread_blocked, id=1244, stack(0x03dc0000,0x03e10000)]
0x03eb2800 JavaThread "Thread-431" daemon [_thread_blocked, id=2732, stack(0x03c30000,0x03c80000)]
0x033b0800 JavaThread "thread applet-com.pogo.game.client2.drawpoker.DrawPokerTableSelectorApplet-9" [_thread_blocked, id=2816, stack(0x03720000,0x03770000)]
0x03f0d800 JavaThread "AWT-EventQueue-7" [_thread_in_native, id=320, stack(0x035e0000,0x03630000)]
0x0334dc00 JavaThread "Applet 9 LiveConnect Worker Thread" [_thread_blocked, id=3460, stack(0x036d0000,0x03720000)]
0x0420f800 JavaThread "AWT-Shutdown" [_thread_blocked, id=3796, stack(0x031d0000,0x03220000)]
0x032ed000 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=2028, stack(0x03810000,0x03860000)]
0x0334e000 JavaThread "D3D Screen Updater" daemon [_thread_blocked, id=848, stack(0x03d60000,0x03db0000)]
0x03305000 JavaThread "JVM[id=0]-Heartbeat" daemon [_thread_blocked, id=2384, stack(0x03be0000,0x03c30000)]
0x032ef000 JavaThread "Browser Side Object Cleanup Thread" [_thread_blocked, id=2400, stack(0x03b40000,0x03b90000)]
0x032ea800 JavaThread "Windows Tray Icon Thread" [_thread_in_native, id=216, stack(0x037c0000,0x03810000)]
0x032e8000 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=680, stack(0x03770000,0x037c0000)]
0x032ba400 JavaThread "CacheMemoryCleanUpThread" daemon [_thread_blocked, id=3780, stack(0x034e0000,0x03530000)]
0x032b9000 JavaThread "SysExecutionTheadCreator" daemon [_thread_blocked, id=3320, stack(0x03680000,0x036d0000)]
=>0x00dfec00 JavaThread "AWT-Windows" daemon [_thread_in_native, id=1192, stack(0x009d0000,0x00ad0000)]
0x00dfd400 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=3724, stack(0x03590000,0x035e0000)]
0x00de4800 JavaThread "Java Plug-In Pipe Worker Thread (Client-Side)" daemon [_thread_in_native, id=2708, stack(0x03530000,0x03580000)]
0x032b0800 JavaThread "Timer-0" [_thread_blocked, id=3284, stack(0x03490000,0x034e0000)]
0x00d86c00 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=2580, stack(0x03240000,0x03290000)]
0x00d71c00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=3624, stack(0x01000000,0x01050000)]
0x00d63000 JavaThread "C1 CompilerThread0" daemon [_thread_blocked, id=3052, stack(0x00fb0000,0x01000000)]
0x00d61800 JavaThread "Attach Listener" daemon [_thread_blocked, id=1508, stack(0x00f60000,0x00fb0000)]
0x00d60000 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=2200, stack(0x00f10000,0x00f60000)]
0x00d5c800 JavaThread "Finalizer" daemon [_thread_blocked, id=3272, stack(0x00ea0000,0x00ef0000)]
0x00d57c00 JavaThread "Reference Handler" daemon [_thread_blocked, id=3888, stack(0x00e50000,0x00ea0000)]
0x008d8000 JavaThread "main" [_thread_blocked, id=1668, stack(0x00960000,0x009b0000)]

Other Threads:
0x00d1bc00 VMThread [stack: 0x00e00000,0x00e50000] [id=3484]
0x00d73c00 WatcherThread [stack: 0x01050000,0x010a0000] [id=3020]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
def new generation total 11776K, used 9167K [0x289e0000, 0x296a0000, 0x2b480000)
eden space 10496K, 87% used [0x289e0000, 0x292cb9a0, 0x29420000)
from space 1280K, 2% used [0x29560000, 0x29568548, 0x296a0000)
to space 1280K, 0% used [0x29420000, 0x29420000, 0x29560000)
tenured generation total 26024K, used 21530K [0x2b480000, 0x2cdea000, 0x309e0000)
the space 26024K, 82% used [0x2b480000, 0x2c9868d8, 0x2c986a00, 0x2cdea000)
compacting perm gen total 12288K, used 5020K [0x309e0000, 0x315e0000, 0x349e0000)
the space 12288K, 40% used [0x309e0000, 0x30ec7110, 0x30ec7200, 0x315e0000)
ro space 10240K, 51% used [0x349e0000, 0x34f0d0b8, 0x34f0d200, 0x353e0000)
rw space 12288K, 54% used [0x353e0000, 0x35a79570, 0x35a79600, 0x35fe0000)

Code Cache [0x010d0000, 0x01458000, 0x030d0000)
total_blobs=1793 nmethods=1550 adapters=177 free_code_cache=29879040 largest_free_block=320

Dynamic libraries:
0x00400000 - 0x00424000 C:\Program Files\Java\jre6\bin\java.exe
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x64d00000 - 0x64d34000 C:\Program Files\Alwil Software\Avast5\snxhk.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f03000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x774e0000 - 0x7761e000 C:\WINDOWS\system32\ole32.dll
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
0x7c340000 - 0x7c396000 C:\Program Files\Java\jre6\bin\msvcr71.dll
0x6d7f0000 - 0x6da9f000 C:\Program Files\Java\jre6\bin\client\jvm.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x6d7a0000 - 0x6d7ac000 C:\Program Files\Java\jre6\bin\verify.dll
0x6d320000 - 0x6d33f000 C:\Program Files\Java\jre6\bin\java.dll
0x6d000000 - 0x6d14c000 C:\Program Files\Java\jre6\bin\awt.dll
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
0x6d7e0000 - 0x6d7ef000 C:\Program Files\Java\jre6\bin\zip.dll
0x4fdd0000 - 0x4ff76000 C:\WINDOWS\system32\d3d9.dll
0x00b30000 - 0x00b36000 C:\WINDOWS\system32\d3d8thk.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x6d420000 - 0x6d426000 C:\Program Files\Java\jre6\bin\jp2native.dll
0x6d1d0000 - 0x6d1e3000 C:\Program Files\Java\jre6\bin\deploy.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x3d930000 - 0x3da16000 C:\WINDOWS\system32\WININET.dll
0x010a0000 - 0x010a9000 C:\WINDOWS\system32\Normaliz.dll
0x78130000 - 0x78263000 C:\WINDOWS\system32\urlmon.dll
0x3dfd0000 - 0x3e1bb000 C:\WINDOWS\system32\iertutil.dll
0x6d6a0000 - 0x6d6e6000 C:\Program Files\Java\jre6\bin\regutils.dll
0x6d600000 - 0x6d613000 C:\Program Files\Java\jre6\bin\net.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x6d620000 - 0x6d629000 C:\Program Files\Java\jre6\bin\nio.dll
0x6d230000 - 0x6d27f000 C:\Program Files\Java\jre6\bin\fontmanager.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\System32\mswsock.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\iphlpapi.dll
0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x16080000 - 0x160a5000 C:\Program Files\Bonjour\mdnsNSP.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x6d510000 - 0x6d535000 C:\Program Files\Java\jre6\bin\jsound.dll
0x6d540000 - 0x6d548000 C:\Program Files\Java\jre6\bin\jsoundds.dll
0x73f10000 - 0x73f6c000 C:\WINDOWS\system32\DSOUND.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x73ee0000 - 0x73ee4000 C:\WINDOWS\system32\KsUser.dll
0x6d440000 - 0x6d465000 C:\Program Files\Java\jre6\bin\jpeg.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL

VM Arguments:
jvm_args: -D__jvm_launched=13752591149 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar -Dsun.awt.warmup=true -Xmx128m
java_command: sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid492_pipe3,read_pipe_name=jpi2_pid492_pipe2
Launcher Type: SUN_STANDARD

Environment Variables:
PATH=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
USERNAME=Owner
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 95 Stepping 3, AuthenticAMD



--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 3

CPU:total 1 (1 cores per cpu, 1 threads per core) family 15 model 95 stepping 3, cmov, cx8, fxsr, mmx, sse, sse2, sse3, mmxext, 3dnow, 3dnowext

Memory: 4k page, physical 916656k(342964k free), swap 2220612k(1755028k free)

vm_info: Java HotSpot™ Client VM (20.4-b02) for windows-x86 JRE (1.6.0_29-b11), built on Oct 3 2011 01:01:08 by "java_re" with MS VC++ 7.1 (VS2003)

time: Fri Nov 11 03:11:26 2011
elapsed time: 2403 seconds

Attached Thumbnails

  • ESTpic.jpg


#29 MARIANNE97

MARIANNE97

    Authentic Member

  • Authentic Member
  • 36 posts

Posted 11 November 2011 - 04:42 PM

Hi again ...Sorry...Would the memory sticks (USB flash) themselves be infected? We backed up files on them from the infected PC and I'm afraid to put them into the PC or another.

Thanx again :)

#30 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 12 November 2011 - 06:29 AM

Hello MARIANNE97

That log appears to be related to a Java issue.

The Eset scan did not produce a log

No log is produced if no infection is found :)


We backed up files on them from the infected PC and I'm afraid to put them into the PC or another

I cannot give you a guarantee that the sticks themselves are 100% malware free but we can scan them with MBAM. (If you have any doubts about the sticks take no risks and get new ones).

We have already disabled the autorun facility on the sticks we used which allows us to plug them into the machine without worry.


Plug the flash drive into the computer.

Open MBAM and update it.

Click on Full Scan and you will be presented with a choice of drives to scan.

Select the drive that corresponds to your flash drive then click on scan.

Post the log in your next reply.


Are the other computers you have behaving okay? Are they displaying any signs of infection?


Let me know how the machine we have been working on is running in your next reply :)
Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
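One way to see, before relying on a backed-up stick, whether it carries an autorun.inf and what that file would launch, as an added example for this thread (it is not JonTom's instructions and not MBAM's code). It parses the [autorun] section and reports the keys that make Windows run a program when AutoRun is enabled, which is exactly what disabling autorun on the sticks prevents. The sample autorun.inf and the file names inside it are constructed for the example; the drive root passed on the command line is an assumption.

```python
"""Inspect a removable drive root for an autorun.inf and report what it would launch.

Added example for this thread; not the forum helper's procedure and not MBAM.
The sample autorun.inf below is constructed, not taken from any post.
"""
import configparser
import json
import os
import shutil
import tempfile

# [autorun] keys that launch a program when AutoRun/AutoPlay is enabled
# (open, shellexecute); shell\<verb>\command runs when the verb is chosen
# from the drive's context menu.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample with a launch key and a matching context-menu verb.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample for this example
open=hidden\launcher.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=&Open
shell\open\command=hidden\launcher.exe
shell=open
"""

# Constructed sample of a harmless autorun.inf (icon and label only).
BENIGN_AUTORUN = """[autorun]
icon=drive.ico
label=Backup
"""


def assess_autorun(text):
    """Parse autorun.inf text and return what it would launch."""
    findings = {"launch": [], "verbs": {}, "default_verb": None,
                "icon": None, "malformed": False, "risky": False}
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str.lower  # autorun.inf keys are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        findings["malformed"] = True  # no [autorun] header or unparsable line
        return findings
    if not parser.has_section("autorun"):
        return findings
    for key, value in parser["autorun"].items():
        if key in LAUNCH_KEYS:
            findings["launch"].append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings["verbs"][verb] = value
        elif key == "shell":
            findings["default_verb"] = value
        elif key == "icon":
            findings["icon"] = value
    findings["risky"] = bool(findings["launch"] or findings["verbs"])
    return findings


def _target_path(root, value):
    """Turn 'dir\\prog.exe args' into a path under the drive root (os.sep-agnostic)."""
    exe = value.split()[0].strip('"')
    return os.path.join(root, *exe.split("\\"))


def check_drive(root):
    """Look for autorun.inf at the root of a mounted drive and assess it."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return {"present": False, "risky": False}
    with open(path, "r", errors="replace") as f:
        findings = assess_autorun(f.read())
    findings["present"] = True
    # Does each referenced program actually exist on the stick?
    targets = [v for _, v in findings["launch"]] + list(findings["verbs"].values())
    findings["targets_present"] = {t: os.path.exists(_target_path(root, t))
                                   for t in targets}
    return findings


def demo_on_tempdir():
    """Build a throwaway 'drive root' holding the constructed sample and check it."""
    root = tempfile.mkdtemp(prefix="usbcheck_")
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write(SAMPLE_AUTORUN)
        os.makedirs(os.path.join(root, "hidden"))
        with open(os.path.join(root, "hidden", "launcher.exe"), "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not a real executable
        return check_drive(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    # Usage: python usbcheck.py E:\   (drive root is an assumption; no arg runs the demo)
    result = check_drive(sys.argv[1]) if len(sys.argv) > 1 else demo_on_tempdir()
    print(json.dumps(result, indent=2))
```

This only reports what an autorun.inf would start; it is not a replacement for the MBAM full scan of the drive described above, since a stick can carry infected files with no autorun.inf at all. With autorun disabled, as the post notes, the file cannot launch anything by itself, but a present launch target is still worth having the scan look at.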
