WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Closed] Trojan Horse BackDoor.Generic 12 AAVT

Started by Bikerider , Jan 31 2010 12:53 PM

This topic is locked

54 replies to this topic

#1 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 31 January 2010 - 12:53 PM

Hi. Trying to fix my ex's computer. AVG reports Trojan Horse BackDoor.Generic 12 AAVT detected every time I run Spybot or Spyware Doctor or Adaware, it deletes it but it comes back next time. AVG updates every day but the log said all updates failed for the past two weeks. Firefox and IE will not start. Have gone through the "Are You Infected" topic and followed it. Malwarebytes' Anti-Malware was able to update and run and produced a log, GMER had to run several times before I was successful in making a copy of the log, DDS gave me a log. I have put those logs on a CD, how do I get them in to this forum? Is there any danger of transferring problems into my computer, I am running AVG which is updated and Spybot with Tea timer. Thank you for your help, just not sure about getting the three logs and one attachment to you. Thank you Ian

Advertisements

Register to Remove

#2 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 06 February 2010 - 08:53 AM

The text documents burned to a CD will not infect your computer.

Log on to this site with your computer and press the add reply to this topic button.

Open the text documents on the CD on your computer, and copy/paste them into the thread one at a time.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#3 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 06 February 2010 - 03:36 PM

Thank you CatByte

Here are the logs

Malwarebytes' Anti-Malware 1.44
Database version: 3664
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2010 7:26:35 PM
mbam-log-2010-01-30 (19-26-35).txt

Scan type: Quick Scan
Objects scanned: 125760
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-31 09:42:39
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwtdapog.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF723B514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF722A282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF722A474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF723BD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF723BFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF723A3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF723C422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF723B7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7229F32]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 F41DBBDE

---- Threads - GMER 1.0.15 ----

Thread System [4:132] F41DC93A
---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\AVG\AVG9\avgemc.exe [388] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [736] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [944] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [988] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1116] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [1288] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1724] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1804] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2304] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2836] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Spare Backup\SpareBackup.exe [2868] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2948] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG9\avgtray.exe [3028] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 9:51:00.29 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.234 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\program files\Bigfix\bigfix.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EPSON NX100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieda.exe /fu "c:\docume~1\owner\locals~1\temp\E_S5E.tmp" /EF "HKCU"
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\5eo35kw1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.winfieldcourier.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\5eo35kw1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-3 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-31 130936]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2008-2-3 4064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-16 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-23 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-16 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-6 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-6 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-6-30 69692]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-17 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-17 1095560]

=============== Created Last 30 ================

2010-01-30 18:41 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 18:41 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-30 17:52 <DIR> --ds---- C:\ComboFix
2010-01-28 21:38 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-28 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-28 21:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 22:19 <DIR> --d----- c:\program files\Trend Micro
2010-01-21 08:30 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-11-21 09:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-10 18:04 746 ac------ c:\docume~1\owner\applic~1\wklnhst.dat
2009-11-06 09:59 12,464 a------- c:\windows\system32\avgrsstx.dll
2007-11-09 22:36 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-15 20:13 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021520090216\index.dat
2008-02-04 10:45 32,768 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:52:04.07 ===============

Thank you
Ian

#4 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 06 February 2010 - 05:26 PM

The machine has a nasty rootkit infection.

This can be cleaned, but I will be asking for a lot of diagnostic scans, we need to identify the infected driver before we can clean it and there are certain precautions we need to take so your computer does not become unbootable:

Does the infected machine have internet access? as it would be better to work directly from the infected machine?

Please do the following

Please download and execute this file, and post the log produced. The log is also saved at C:\maxhandle.txt

http://noahdfear.net...s/maxhandle.exe

If the infection I suspect is not found...Nothing found! is echoed to the screen - no log is produced.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#5 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 06 February 2010 - 08:57 PM

Thank You Here is the log from maxhandle Run from E:\maxhandle.exe on Sat 02/06/2010 at 20:49:50.84 System pid: 4 F28: C:\WINDOWS\system32\config\mmakmqna.sav lsass.exe pid: 728 4E4: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 svchost.exe pid: 980 6AC: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 svchost.exe pid: 1040 120: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 svchost.exe pid: 1104 208: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 AAWService.exe pid: 1200 7BC: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 spoolsv.exe pid: 1592 120: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 svchost.exe pid: 1760 274: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 avgemc.exe pid: 416 5D4: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 alg.exe pid: 2244 78: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 GoogleDesktop.exe pid: 2828 20C: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 SpareBackup.exe pid: 2880 550: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 apdproxy.exe pid: 2956 6C: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 avgtray.exe pid: 3072 33C: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86 msfeedssync.exe pid: 3776 464: \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86

#6 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 06 February 2010 - 09:39 PM

Hi,

I need to make sure the recovery console is installed on the machine

do you have your installation CD?

Please install the Recovery Console following these instructions:

How to install and use the Windows XP Recovery Console

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#7 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 06 February 2010 - 10:27 PM

Hi Good question, This is an "E Machines" computer that my Ex bought before we separated and neither one of us remembers there being a disk with it. There is a partition labeled Recovery on the hard drive, is that what we need? I have a XP Home upgrade disk for one of my computers, will that help? Thank You

#8 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 07 February 2010 - 06:49 AM

No,

We are just looking for the recovery console.

First - let's make sure that it isn't already installed before I have you continue.

Open notepad and copy/paste the text in the quotebox below into it:

type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
del peek.bat

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this:
Posted Image

Double click on peek.bat & allow it to run.
A notepad file will open.

you may see something similar to this

[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

If you do not see:

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

in your log - then continue on with the instructions - If it is there, then don't continue as you already have it and report back to me.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If not there - continue with these instructions:

See if the the machine will boot into the recovery console from the disk you have.

Check the link I provided to you previously.

or lastly - if nothing else works - try this:

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

You can get help on disabling your protection programs here
Double click on combofix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Then comboFix will ask if you wish to continue scanning for malware - Click on No.

I only want tit to install the Recovery Console at this time.

let me know how it goes.

I will have further instructions once you have access to the recovery console.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#9 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 07 February 2010 - 07:43 AM

Hi I half to work today (Sun.) will work through all this tonight and get back to you. Thank You Ian

#10 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 07 February 2010 - 08:11 AM

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Advertisements

Register to Remove

#11 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 07 February 2010 - 09:44 AM

Please run this scan as well

Download OTL to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears change the Output to "minimal Output"
select the "none" button - top left of OTL
Under the Custom Scan box paste this in

%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open a notepad OTL.Txt. This is saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it in your next reply.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#12 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 10 February 2010 - 06:18 PM

It's been a few days Are you having any difficulty with the instructions?

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#13 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 10 February 2010 - 10:36 PM

Hi

Sorry it took so long. Don't have much time in the evenings and this process is very tedious working with two computers. Had to use ComboFix to install Recovery Console. Could not find a way to turn AVG off. All seemed to go well. Installed OTL and ran as you said. Here is the report.

Thank You Ian

OTL logfile created on: 2/10/2010 10:16:44 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.00 Mb Total Physical Memory | 189.00 Mb Available Physical Memory | 21.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.95 Gb Total Space | 121.92 Gb Free Space | 84.69% Space Free | Partition Type: NTFS
Drive D: | 5.08 Gb Total Space | 2.58 Gb Free Space | 50.73% Space Free | Partition Type: FAT32
Drive E: | 0.08 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEBBIE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (GoogleDesktopManager) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (GameConsoleService) -- C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (RichVideo) Cyberlink RichVideo Service(CRVS) -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe ()

========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (PID_0928) Logitech QuickCam Express(PID_0928) -- C:\WINDOWS\system32\drivers\LV561AV.SYS (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
DRV - (RasPppoe) -- C:\WINDOWS\system32\drivers\raspppoe.sys ()
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvgts) -- C:\WINDOWS\SYSTEM32\DRIVERS\NVGTS.SYS (NVIDIA Corporation)
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (el575nd5) -- C:\WINDOWS\system32\drivers\el575ND5.sys (3Com Corporation)
DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)
DRV - (UMAXPCLS) -- C:\WINDOWS\system32\drivers\umaxpcls.sys (Microsoft Corporation)
DRV - (ATMhelpr) -- C:\WINDOWS\system32\drivers\ATMHELPR.SYS (Adobe Systems Incorporated)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=W3644

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=W3644
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....-8&fr=ytff-&p="
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.winfieldcourier.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071101000055
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 08:42:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/01/21 08:29:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/22 22:58:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/22 22:58:50 | 000,000,000 | ---D | M]

[2008/12/16 19:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/02/05 21:05:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5eo35kw1.default\extensions
[2008/04/05 19:20:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5eo35kw1.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/09/25 15:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5eo35kw1.default\extensions\moveplayer@movenetworks.com
[2008/12/12 12:23:54 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5eo35kw1.default\searchplugins\MySpace.xml
[2008/12/16 19:37:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/04 00:03:34 | 000,000,789 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (Yahoo! ¤u¨ã¦C) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [EPSON NX100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [Power2GoExpress] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (\\.\globalroot\systemroot\system32\userinit.exe) - \\.\globalroot\systemroot\system32\userinit.exe ()
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 18:38:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O33 - MountPoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/10 22:13:31 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/09 23:32:43 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/09 23:01:11 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/09 23:01:11 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/09 23:01:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/09 23:01:07 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/02/06 20:49:47 | 000,417,136 | ---- | C] (Sysinternals) -- C:\WINDOWS\handle.exe
[2010/02/03 23:51:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\DoctorWeb
[2010/02/02 23:44:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/02/02 23:44:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/02/02 23:44:33 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/02 23:43:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/02/02 23:37:10 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2010/01/30 18:41:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/30 18:41:50 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/30 18:40:13 | 005,115,840 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/01/30 18:12:28 | 000,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Owner\Desktop\SysRestorePoint.exe
[2010/01/30 18:05:48 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2010/01/30 17:51:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/01/28 21:38:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/01/28 21:38:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/28 21:38:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/28 21:35:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/28 21:29:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/24 22:19:12 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/06 09:57:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/06 09:57:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/06 09:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/06 09:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/10 22:14:01 | 000,000,890 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/02/10 22:05:42 | 000,000,275 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\create restore point 1.rtf
[2010/02/10 21:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/10 21:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/10 21:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/10 21:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/10 21:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/10 21:48:01 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5ADBB937-B690-4056-926C-6C21BB99172C}.job
[2010/02/10 21:47:38 | 000,000,532 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/10 21:47:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/10 21:47:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/10 21:47:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/10 21:47:11 | 939,053,056 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/10 07:38:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/10 00:31:50 | 008,126,464 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/02/10 00:31:50 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/09 23:32:47 | 000,000,282 | RHS- | M] () -- C:\boot.ini
[2010/02/09 22:56:52 | 003,852,933 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/02/09 21:30:31 | 000,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/02/06 20:55:21 | 055,199,147 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/06 20:53:50 | 000,068,620 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\6k6up97m.exe.part
[2010/02/06 20:48:12 | 000,000,303 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to maxhandle.lnk
[2010/02/04 00:03:34 | 000,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/02 23:44:42 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/02 22:13:16 | 029,501,072 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\yfrr422k.exe
[2010/02/02 22:01:02 | 007,520,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
[2010/02/02 21:53:48 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2010/01/30 18:41:57 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/30 18:10:26 | 000,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Owner\Desktop\SysRestorePoint.exe
[2010/01/30 18:02:52 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2010/01/28 21:29:52 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2010/01/28 21:29:52 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/01/28 21:18:38 | 000,359,929 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/01/28 21:16:26 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/01/27 22:55:38 | 005,115,840 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/01/24 22:19:13 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/01/22 23:01:57 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Explorer.lnk
[2010/01/22 22:59:04 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/01/21 09:42:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/21 08:35:59 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/21 08:24:43 | 007,302,240 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db

========== Files Created - No Company Name ==========

[2010/02/10 22:13:43 | 000,000,275 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\create restore point 1.rtf
[2010/02/09 23:32:47 | 000,000,212 | ---- | C] () -- C:\Boot.bak
[2010/02/09 23:32:45 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/09 23:01:11 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/09 23:01:11 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/09 23:01:11 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/09 23:01:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/09 23:01:11 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/09 23:00:15 | 003,852,933 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/02/06 20:53:01 | 000,068,620 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\6k6up97m.exe.part
[2010/02/06 20:48:12 | 000,000,303 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to maxhandle.lnk
[2010/02/04 08:20:35 | 939,053,056 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/03 23:31:36 | 029,501,072 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\yfrr422k.exe
[2010/02/02 23:44:42 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/02 23:42:53 | 007,520,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
[2010/01/31 09:50:41 | 000,359,929 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/01/30 18:41:57 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/29 06:37:27 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/01/28 21:29:52 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2010/01/28 21:29:52 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2010/01/24 22:19:13 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/01/23 20:27:57 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/23 20:27:56 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/23 20:27:56 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/23 20:27:56 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/20 14:17:22 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/09/27 08:14:58 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/17 21:38:26 | 000,000,890 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2009/05/08 09:13:04 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 15:00:12 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/01/14 19:01:31 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/05/25 12:35:18 | 000,000,742 | ---- | C] () -- C:\WINDOWS\EZPHOTO.INI
[2008/05/25 11:13:07 | 000,000,035 | ---- | C] () -- C:\WINDOWS\ppdrv.ini
[2008/02/03 10:33:45 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2008/02/03 10:33:45 | 000,000,114 | ---- | C] () -- C:\WINDOWS\kpcms.ini
[2008/01/26 19:34:48 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/20 17:25:00 | 000,007,208 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2008/01/20 17:24:35 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/11/09 17:38:35 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/11/09 17:38:35 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/11/09 17:38:33 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/11/09 17:38:32 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/11/09 17:38:30 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/11/09 17:38:30 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/11/09 17:38:23 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/07/01 00:01:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 18:24:27 | 000,001,364 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/06 18:24:27 | 000,000,456 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/05/06 18:24:14 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\raspppoe.sys
[2004/07/14 16:51:48 | 000,237,638 | ---- | C] () -- C:\WINDOWS\System32\bahrurlib.dll
[2002/07/24 17:13:46 | 000,667,648 | ---- | C] () -- C:\WINDOWS\System32\freeimage.dll

========== Custom Scans ==========

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/05/06 11:29:39 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/02/10 21:46:51 | 016,777,216 | -HS- | M] () -- C:\WINDOWS\system32\config\mmakmqna.sav
[2006/05/06 11:29:39 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/05/06 11:29:39 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#14 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 11 February 2010 - 01:49 AM

Hi,

Please do the following:

Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

Posted Image

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

How to boot to Recovery Console:

Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start (you will only have a couple of seconds to do this)
Use the up and down arrow key to select Microsoft Windows Recovery Console
You must enter which Windows installation to log onto. Type 1 and press enter.
Then at the C:\Windows prompt, type the batch look.bat command, and press Enter:

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#15 Bikerider

Authentic Member

Authentic Member
26 posts

Posted 11 February 2010 - 10:55 PM

Hi I have a problem. I followed the instructions on how to boot to recovery console and when asked to enter which windows installation to log on to (you said to type 1 and press enter) but I was given the choises of 1) D:\MiniNT or 2) C:\WINDOWS I decided to go with 1 as per your instructions which gave me D:\MiniNT and no idea what to do with it. So I rebooted in to recovery console and tried 2 which gave me C:\WINDOWS Type the Administrator password: I have know idea what the administrator password is. I can call my Ex tomorrow morning and ask if she knows but she may not. Do I shut down the computer tonight and boot into recovery Console tomorrow? What can we do about the password if she does not know it? Thanks for your help Ian

Body Background

skin color theme