Author Topic: Win32-Malware-gen --> Unable to remove this malware  (Read 109515 times)


jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #30 on: April 22, 2010, 01:47:26 AM »
essexboy,

Thank you so much for the detailed instructions and the pictures.

Here is that report (sorry it took a few days, I was away).

Again, I really appreciate your help!




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 19:23:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\awliyaob.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xF42486B8]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwCreateKey [0xF73EFE64]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwCreateProcess [0xF73CFEEE]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwCreateProcessEx [0xF73D00E0]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwDeleteKey [0xF73F0652]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwDeleteValueKey [0xF73F0906]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDuplicateObject [0xF424814C]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwOpenKey [0xF73EEB64]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xF424808C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenThread [0xF42480F0]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwQueryValueKey [0xF424876E]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwRenameKey [0xF73F0D72]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwRestoreKey [0xF424872E]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwSetValueKey [0xF73F0124]
SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                        ZwTerminateProcess [0xF73CFB5C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                  entry point in ".rsrc" section [0xF742B780]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                               aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                            [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort0                                                     [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort1                                                     [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort2                                                     [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort3                                                     [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e                                            [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice  \Driver\Tcpip \Device\Udp                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                            aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \FileSystem\Fastfat \Fat                                                               EFE78D20

AttachedDevice  \FileSystem\Fastfat \Fat                                                               fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                               aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                  suspicious modification

---- EOF - GMER 1.0.15 ----


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #31 on: April 22, 2010, 08:45:58 PM »
Quote
.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                  entry point in ".rsrc" section [0xF742B780]
This states you have the TDSS rootkit.

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Reboot your computer
  • Please post the contents of that log
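
The GMER lines essexboy keys on (a driver entry point in the ".rsrc" section and the "suspicious modification" file verdict), together with the Device lines whose dispatch handler sits in atapi.sys outside any PE section, are exactly the indicators worth pulling out of a GMER log automatically rather than by eye. The Python below is an added example, not GMER's code or essexboy's procedure: it parses those three report sections and groups indicators per module. The regexes, the CODE_SECTIONS allow-list and the indicator names are my assumptions about GMER's output format, derived from the report above; the sample log is constructed from lines in that report plus one legitimate AttachedDevice line.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER 1.0.15 report posted in this
# thread, plus a legitimate AttachedDevice line to show what is NOT flagged.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                  entry point in ".rsrc" section [0xF742B780]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device          \Driver\atapi \Device\Ide\IdePort0                                                     [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                  suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_HDR = re.compile(r"^---- (.+?) - GMER ")
# Kernel code sections: <section>  <driver path>  entry point in "<section>" section [<addr>]
ENTRY_POINT = re.compile(
    r'^(?P<sec>\.?\w+)\s+(?P<path>.+?)\s{2,}entry point in "(?P<ep_sec>[^"]+)" section \[(?P<addr>0x[0-9A-Fa-f]+)\]')
# Devices: Device  <object>  [<addr>] <module>[unknown section] {<disassembly>}
UNKNOWN_SECTION = re.compile(
    r"^Device\s+(?P<obj>.+?)\s{2,}\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<mod>\S+?)\[unknown section\]\s*(?P<code>\{.*\})?")
# Files: File  <path>  <verdict>
FILE_VERDICT = re.compile(r"^File\s+(?P<path>.+?)\s{2,}(?P<verdict>.+?)\s*$")

# Sections in which a driver's entry point legitimately lives (assumed allow-list).
# Anything else (.rsrc, .reloc, ...) means the PE header was redirected to code
# hidden inside what should be a data section.
CODE_SECTIONS = {".text", "init", "page", "pagelk"}


def module_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_gmer(text):
    """Return (module, indicator, detail) tuples for the high-signal GMER findings."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        hdr = SECTION_HDR.match(line)
        if hdr:
            section = hdr.group(1)
            continue
        if section == "Kernel code sections":
            m = ENTRY_POINT.match(line)
            if m and m["ep_sec"].lower() not in CODE_SECTIONS:
                findings.append((module_name(m["path"]), "entry_point_in_" + m["ep_sec"].lstrip("."),
                                 f"{m['path']}: entry point {m['addr']} lies in the {m['ep_sec']} section"))
        elif section == "Devices":
            m = UNKNOWN_SECTION.match(line)
            if m:  # dispatch routine inside the module's address range but outside every PE section
                findings.append((m["mod"].lower(), "dispatch_outside_image_sections",
                                 f"{m['obj']}: handler {m['addr']} in {m['mod']} {m['code'] or ''}".rstrip()))
        elif section == "Files":
            m = FILE_VERDICT.match(line)
            if m and "suspicious" in m["verdict"].lower():
                findings.append((module_name(m["path"]), "suspicious_modification",
                                 f"{m['path']}: {m['verdict']}"))
    return findings


def summarize(findings):
    """Group indicator types per module so a module hit by several indicators stands out."""
    by_module = defaultdict(set)
    for mod, kind, _ in findings:
        by_module[mod].add(kind)
    return {mod: sorted(kinds) for mod, kinds in by_module.items()}


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_GMER_LOG)
    for mod, kind, detail in results:
        print(f"[{kind}] {detail}")
    print(summarize(results))  # atapi.sys carries all three indicators
```

Three independent indicators converging on one module is far stronger evidence than any one of them alone, which is why the summary is keyed by module. SSDT entries are deliberately not scored: in this log they belong to known security products (avast! and PC Tools), and hooking the service table is how those products work.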

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #32 on: April 23, 2010, 02:26:26 AM »
Here it is. Thanks again!!




20:21:17:203 3572   TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
20:21:17:203 3572   ================================================================================
20:21:17:203 3572   SystemInfo:

20:21:17:203 3572   OS Version: 5.1.2600 ServicePack: 3.0
20:21:17:203 3572   Product type: Workstation
20:21:17:203 3572   ComputerName: JOSH-DELLE510
20:21:17:203 3572   UserName: Josh
20:21:17:203 3572   Windows directory: C:\WINDOWS
20:21:17:203 3572   Processor architecture: Intel x86
20:21:17:203 3572   Number of processors: 2
20:21:17:203 3572   Page size: 0x1000
20:21:17:203 3572   Boot type: Normal boot
20:21:17:203 3572   ================================================================================
20:21:17:500 3572   UnloadDriverW: NtUnloadDriver error 2
20:21:17:500 3572   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:21:17:875 3572   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:21:17:875 3572   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:17:875 3572   wfopen_ex: Trying to KLMD file open
20:21:17:875 3572   wfopen_ex: File opened ok (Flags 2)
20:21:17:875 3572   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:21:17:875 3572   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:17:875 3572   wfopen_ex: Trying to KLMD file open
20:21:17:875 3572   wfopen_ex: File opened ok (Flags 2)
20:21:17:875 3572   Initialize success
20:21:17:875 3572   
20:21:17:875 3572   Scanning   Services ...
20:21:19:640 3572   Raw services enum returned 313 services
20:21:19:656 3572   
20:21:19:656 3572   Scanning   Kernel memory ...
20:21:19:656 3572   Devices to scan: 4
20:21:19:656 3572   
20:21:19:656 3572   Driver Name: Disk
20:21:19:656 3572   IRP_MJ_CREATE                      : F7618BB0
20:21:19:656 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:656 3572   IRP_MJ_CLOSE                       : F7618BB0
20:21:19:656 3572   IRP_MJ_READ                        : F7612D1F
20:21:19:656 3572   IRP_MJ_WRITE                       : F7612D1F
20:21:19:656 3572   IRP_MJ_QUERY_INFORMATION           : 804F4562
20:21:19:656 3572   IRP_MJ_SET_INFORMATION             : 804F4562
20:21:19:656 3572   IRP_MJ_QUERY_EA                    : 804F4562
20:21:19:656 3572   IRP_MJ_SET_EA                      : 804F4562
20:21:19:656 3572   IRP_MJ_FLUSH_BUFFERS               : F76132E2
20:21:19:656 3572   IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
20:21:19:656 3572   IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
20:21:19:656 3572   IRP_MJ_DIRECTORY_CONTROL           : 804F4562
20:21:19:656 3572   IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
20:21:19:656 3572   IRP_MJ_DEVICE_CONTROL              : F76133BB
20:21:19:656 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F7616F28
20:21:19:656 3572   IRP_MJ_SHUTDOWN                    : F76132E2
20:21:19:656 3572   IRP_MJ_LOCK_CONTROL                : 804F4562
20:21:19:656 3572   IRP_MJ_CLEANUP                     : 804F4562
20:21:19:656 3572   IRP_MJ_CREATE_MAILSLOT             : 804F4562
20:21:19:656 3572   IRP_MJ_QUERY_SECURITY              : 804F4562
20:21:19:656 3572   IRP_MJ_SET_SECURITY                : 804F4562
20:21:19:656 3572   IRP_MJ_POWER                       : F7614C82
20:21:19:656 3572   IRP_MJ_SYSTEM_CONTROL              : F761999E
20:21:19:656 3572   IRP_MJ_DEVICE_CHANGE               : 804F4562
20:21:19:656 3572   IRP_MJ_QUERY_QUOTA                 : 804F4562
20:21:19:656 3572   IRP_MJ_SET_QUOTA                   : 804F4562
20:21:19:718 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:718 3572   
20:21:19:718 3572   Driver Name: Disk
20:21:19:718 3572   IRP_MJ_CREATE                      : F7618BB0
20:21:19:718 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:718 3572   IRP_MJ_CLOSE                       : F7618BB0
20:21:19:718 3572   IRP_MJ_READ                        : F7612D1F
20:21:19:718 3572   IRP_MJ_WRITE                       : F7612D1F
20:21:19:718 3572   IRP_MJ_QUERY_INFORMATION           : 804F4562
20:21:19:718 3572   IRP_MJ_SET_INFORMATION             : 804F4562
20:21:19:718 3572   IRP_MJ_QUERY_EA                    : 804F4562
20:21:19:718 3572   IRP_MJ_SET_EA                      : 804F4562
20:21:19:718 3572   IRP_MJ_FLUSH_BUFFERS               : F76132E2
20:21:19:718 3572   IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
20:21:19:718 3572   IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
20:21:19:718 3572   IRP_MJ_DIRECTORY_CONTROL           : 804F4562
20:21:19:718 3572   IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
20:21:19:718 3572   IRP_MJ_DEVICE_CONTROL              : F76133BB
20:21:19:718 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F7616F28
20:21:19:718 3572   IRP_MJ_SHUTDOWN                    : F76132E2
20:21:19:718 3572   IRP_MJ_LOCK_CONTROL                : 804F4562
20:21:19:718 3572   IRP_MJ_CLEANUP                     : 804F4562
20:21:19:718 3572   IRP_MJ_CREATE_MAILSLOT             : 804F4562
20:21:19:718 3572   IRP_MJ_QUERY_SECURITY              : 804F4562
20:21:19:718 3572   IRP_MJ_SET_SECURITY                : 804F4562
20:21:19:718 3572   IRP_MJ_POWER                       : F7614C82
20:21:19:718 3572   IRP_MJ_SYSTEM_CONTROL              : F761999E
20:21:19:718 3572   IRP_MJ_DEVICE_CHANGE               : 804F4562
20:21:19:718 3572   IRP_MJ_QUERY_QUOTA                 : 804F4562
20:21:19:718 3572   IRP_MJ_SET_QUOTA                   : 804F4562
20:21:19:750 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:750 3572   
20:21:19:750 3572   Driver Name: Disk
20:21:19:750 3572   IRP_MJ_CREATE                      : F7618BB0
20:21:19:750 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:750 3572   IRP_MJ_CLOSE                       : F7618BB0
20:21:19:750 3572   IRP_MJ_READ                        : F7612D1F
20:21:19:750 3572   IRP_MJ_WRITE                       : F7612D1F
20:21:19:750 3572   IRP_MJ_QUERY_INFORMATION           : 804F4562
20:21:19:750 3572   IRP_MJ_SET_INFORMATION             : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_EA                    : 804F4562
20:21:19:750 3572   IRP_MJ_SET_EA                      : 804F4562
20:21:19:750 3572   IRP_MJ_FLUSH_BUFFERS               : F76132E2
20:21:19:750 3572   IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
20:21:19:750 3572   IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
20:21:19:750 3572   IRP_MJ_DIRECTORY_CONTROL           : 804F4562
20:21:19:750 3572   IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
20:21:19:750 3572   IRP_MJ_DEVICE_CONTROL              : F76133BB
20:21:19:750 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F7616F28
20:21:19:750 3572   IRP_MJ_SHUTDOWN                    : F76132E2
20:21:19:750 3572   IRP_MJ_LOCK_CONTROL                : 804F4562
20:21:19:750 3572   IRP_MJ_CLEANUP                     : 804F4562
20:21:19:750 3572   IRP_MJ_CREATE_MAILSLOT             : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_SECURITY              : 804F4562
20:21:19:750 3572   IRP_MJ_SET_SECURITY                : 804F4562
20:21:19:750 3572   IRP_MJ_POWER                       : F7614C82
20:21:19:750 3572   IRP_MJ_SYSTEM_CONTROL              : F761999E
20:21:19:750 3572   IRP_MJ_DEVICE_CHANGE               : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_QUOTA                 : 804F4562
20:21:19:750 3572   IRP_MJ_SET_QUOTA                   : 804F4562
20:21:19:750 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:750 3572   
20:21:19:750 3572   Driver Name: atapi
20:21:19:750 3572   IRP_MJ_CREATE                      : F741F6F2
20:21:19:750 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:750 3572   IRP_MJ_CLOSE                       : F741F6F2
20:21:19:750 3572   IRP_MJ_READ                        : 804F4562
20:21:19:750 3572   IRP_MJ_WRITE                       : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_INFORMATION           : 804F4562
20:21:19:750 3572   IRP_MJ_SET_INFORMATION             : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_EA                    : 804F4562
20:21:19:750 3572   IRP_MJ_SET_EA                      : 804F4562
20:21:19:750 3572   IRP_MJ_FLUSH_BUFFERS               : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
20:21:19:750 3572   IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
20:21:19:750 3572   IRP_MJ_DIRECTORY_CONTROL           : 804F4562
20:21:19:750 3572   IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
20:21:19:750 3572   IRP_MJ_DEVICE_CONTROL              : F741F712
20:21:19:750 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F741B852
20:21:19:750 3572   IRP_MJ_SHUTDOWN                    : 804F4562
20:21:19:750 3572   IRP_MJ_LOCK_CONTROL                : 804F4562
20:21:19:750 3572   IRP_MJ_CLEANUP                     : 804F4562
20:21:19:750 3572   IRP_MJ_CREATE_MAILSLOT             : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_SECURITY              : 804F4562
20:21:19:750 3572   IRP_MJ_SET_SECURITY                : 804F4562
20:21:19:750 3572   IRP_MJ_POWER                       : F741F73C
20:21:19:750 3572   IRP_MJ_SYSTEM_CONTROL              : F7426336
20:21:19:750 3572   IRP_MJ_DEVICE_CHANGE               : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_QUOTA                 : 804F4562
20:21:19:750 3572   IRP_MJ_SET_QUOTA                   : 804F4562
20:21:19:796 3572   C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
20:21:19:796 3572   
20:21:19:796 3572   Completed
20:21:19:796 3572   
20:21:19:796 3572   Results:
20:21:19:796 3572   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
20:21:19:796 3572   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
20:21:19:796 3572   File objects infected / cured / cured on reboot:   0 / 0 / 0
20:21:19:796 3572   
20:21:19:796 3572   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:21:19:812 3572   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:21:19:812 3572   KLMD(ARK) unloaded successfully
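
TDSSKiller's kernel-memory scan above dumps every IRP_MJ dispatch pointer of each disk-stack driver and then prints a per-driver verdict. The Python below is an added example, not Kaspersky's code and not how TDSSKiller arrives at its verdict: it parses that dump and applies a simple consistency check. A handler should either be the one address shared by every table (the I/O manager's stub for requests a driver does not support, 804F4562 in this log) or cluster with the driver's other handlers inside its own image; an address far from that cluster is a dispatch pointer that has been replaced. The Disk and atapi tables are trimmed from the log above, the "Cdrom" block is invented to show what a hooked table looks like, and the 512 KiB window is an arbitrary threshold, not a TDSSKiller parameter.

```python
import re
from collections import Counter

# Constructed sample: the Disk and atapi tables are trimmed from the TDSSKiller
# log posted in this thread; the "Cdrom" block is invented, with two handlers
# pointing far outside the driver image and no verdict line (truncated log).
SAMPLE_TDSSKILLER_LOG = r"""
20:21:19:656 3572   Scanning   Kernel memory ...
20:21:19:656 3572   Driver Name: Disk
20:21:19:656 3572   IRP_MJ_CREATE                      : F7618BB0
20:21:19:656 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:656 3572   IRP_MJ_READ                        : F7612D1F
20:21:19:656 3572   IRP_MJ_WRITE                       : F7612D1F
20:21:19:656 3572   IRP_MJ_DEVICE_CONTROL              : F76133BB
20:21:19:656 3572   IRP_MJ_POWER                       : F7614C82
20:21:19:718 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:718 3572   
20:21:19:750 3572   Driver Name: atapi
20:21:19:750 3572   IRP_MJ_CREATE                      : F741F6F2
20:21:19:750 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:750 3572   IRP_MJ_READ                        : 804F4562
20:21:19:750 3572   IRP_MJ_DEVICE_CONTROL              : F741F712
20:21:19:750 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F741B852
20:21:19:750 3572   IRP_MJ_POWER                       : F741F73C
20:21:19:750 3572   IRP_MJ_SYSTEM_CONTROL              : F7426336
20:21:19:796 3572   C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
20:21:19:796 3572   
20:21:19:800 3572   Driver Name: Cdrom
20:21:19:800 3572   IRP_MJ_CREATE                      : F75A1000
20:21:19:800 3572   IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
20:21:19:800 3572   IRP_MJ_READ                        : 81C3A000
20:21:19:800 3572   IRP_MJ_WRITE                       : 81C3A000
20:21:19:800 3572   IRP_MJ_DEVICE_CONTROL              : F75A2200
20:21:19:800 3572   IRP_MJ_POWER                       : F75A2400
20:21:19:800 3572   IRP_MJ_SYSTEM_CONTROL              : F75A2600
"""

# Every line starts with "HH:MM:SS:mmm <pid>"; the rest is the message body.
LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(?P<body>.*)$")
DRIVER = re.compile(r"^Driver Name:\s*(?P<name>\S+)$")
IRP = re.compile(r"^(?P<irp>IRP_MJ_\w+)\s*:\s*(?P<addr>[0-9A-Fa-f]+)$")
VERDICT = re.compile(r"^(?P<path>.+?)\s+-\s+Verdict:\s*(?P<v>-?\d+)$")


def parse_tdsskiller(text):
    """Return one dict per driver block: name, irps {IRP_MJ_x: int addr}, path, verdict."""
    drivers, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m["body"].strip()
        if (d := DRIVER.match(body)):
            cur = {"name": d["name"], "irps": {}, "path": None, "verdict": None}
            drivers.append(cur)
        elif cur is not None and (i := IRP.match(body)):
            cur["irps"][i["irp"]] = int(i["addr"], 16)
        elif cur is not None and (v := VERDICT.match(body)):
            cur["path"], cur["verdict"] = v["path"], int(v["v"])
            cur = None  # block complete
    return drivers


def shared_default(drivers):
    """The address present in the most tables is the I/O manager's stub for unsupported IRPs."""
    counts = Counter(a for d in drivers for a in set(d["irps"].values()))
    addr, n = counts.most_common(1)[0]
    return addr if n >= 2 else None


def check_dispatch_tables(drivers, window=0x80000):
    """Flag handlers that point far away from the driver's other handlers.

    A clean table mixes the shared kernel stub with addresses inside the
    driver's own image; a handler hundreds of KiB from that cluster points at
    another module or at attacker-allocated memory. 512 KiB is a heuristic."""
    default = shared_default(drivers)
    suspicious = {}
    for d in drivers:
        own = sorted({a for a in d["irps"].values() if a != default})
        if len(own) < 2:
            continue
        anchor = own[len(own) // 2]  # median: robust to a few hooked entries
        hooked = sorted(irp for irp, a in d["irps"].items()
                        if a != default and abs(a - anchor) > window)
        if hooked:
            suspicious[d["name"]] = hooked
    return suspicious


if __name__ == "__main__":
    table = parse_tdsskiller(SAMPLE_TDSSKILLER_LOG)
    print(f"shared stub: {shared_default(table):08X}")
    print(check_dispatch_tables(table))  # only the invented Cdrom block is flagged
```

Note that the real atapi table passes this check, consistent with the Verdict: 1 TDSSKiller printed for it, while the GMER report earlier in the thread flagged atapi.sys at the PE-section level and essexboy goes on to call this a new variant: a table-level check only sees a hook that replaces a dispatch pointer, not code patched inside the driver image itself.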

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #33 on: April 23, 2010, 08:39:53 PM »
OK, you have the new variant.

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #34 on: April 24, 2010, 06:54:34 AM »
Thanks again!!

(Part 1)

ComboFix 10-04-21.01 - Josh 04/24/2010   0:44.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.619 [GMT -4:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100423-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((   Files Created from 2010-03-24 to 2010-04-24  )))))))))))))))))))))))))))))))
.

2010-04-07 23:39 . 2010-04-07 23:39   --------   d-sh--w-   c:\documents and settings\LocalService\UserData
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\IECompatCache
2010-04-07 23:36 . 2010-04-07 23:36   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-04-03 21:46 . 2010-04-03 21:46   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\Josh\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-02 06:06 . 2010-04-02 06:06   --------   d-----w-   c:\documents and settings\Josh\Local Settings\Application Data\Threat Expert
2010-04-02 03:12 . 2010-04-02 03:12   516480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-03-28 15:37 . 2009-11-24 22:48   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-28 15:37 . 2009-11-24 22:49   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-28 15:37 . 2009-11-24 22:47   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-28 15:37 . 2009-11-24 22:51   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-28 15:37 . 2009-11-24 22:50   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-28 15:37 . 2009-11-24 22:50   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-28 15:37 . 2009-11-24 22:50   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-28 15:37 . 2009-11-24 22:47   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2010-03-28 15:37 . 2009-11-24 22:54   1280480   ----a-w-   c:\windows\system32\aswBoot.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 04:39 . 2009-06-01 22:23   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 04:34 . 2010-03-20 02:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 00:19 . 2004-08-04 10:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-22 03:37 . 2010-03-13 02:22   598368   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-18 09:48 . 2010-03-08 03:19   --------   d-----w-   c:\program files\Google
2010-04-14 03:28 . 2009-06-07 21:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 22:12 . 2009-06-28 19:45   966104   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-10 22:12 . 2009-06-28 19:45   1265264   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-20 19:40 . 2009-05-18 00:08   --------   d-----w-   c:\program files\Alwil Software
2010-03-20 18:30 . 2010-03-20 18:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 11:18 . 2009-06-01 22:23   --------   d-----w-   c:\program files\SpywareBlaster
2010-03-20 02:55 . 2010-03-20 02:54   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   566608   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-13 02:22 . 2009-06-12 23:47   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-03-13 02:22 . 2009-06-01 22:28   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-13 02:22 . 2010-03-13 02:22   1230160   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-13 02:22 . 2010-03-13 02:22   247120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-13 02:22 . 2009-06-28 19:45   6330848   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-13 02:22 . 2010-03-13 02:22   17480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-13 02:21 . 2010-03-11 19:44   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-12 23:15 . 2009-06-21 14:05   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-12 16:01 . 2010-03-13 01:43   170978   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-03-11 19:44 . 2009-06-01 22:26   --------   d-----w-   c:\program files\Lavasoft
2010-03-10 06:15 . 2004-08-04 10:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-01 23:28 . 2009-06-28 19:45   25440   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-03-01 23:28 . 2009-09-21 22:28   3701760   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-25 06:24 . 2006-03-04 03:33   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 10:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
2010-02-04 15:53 . 2010-03-13 02:21   2954656   -c--a-w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-06-01 22:28   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
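
The two drivers named in the CFScript later in this thread, atapi.sys and mrxsmb.sys, both appear in the Find3M section above as kernel drivers modified within the last weeks whose creation timestamp is years older. The Python below is an added example, not ComboFix's code or the helper's method: it parses Find3M lines and lists exactly that class of entry. It assumes the first timestamp is the last-modified time (the column the Find3M report is sorted on) and the second the creation time; the 60-day window and the one-year gap are arbitrary thresholds, and the report date is taken from the "Completion time" line of the log. The sample is a constructed subset of the Find3M lines above.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample: a subset of the Find3M lines from the ComboFix log in this thread.
SAMPLE_FIND3M = r"""
2010-04-24 04:39 . 2009-06-01 22:23   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-23 00:19 . 2004-08-04 10:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-22 03:37 . 2010-03-13 02:22   598368   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-10 06:15 . 2004-08-04 10:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 10:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-11 12:02 . 2004-08-04 10:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
2010-02-04 15:53 . 2009-06-01 22:28   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
"""
REPORT_DATE = date(2010, 4, 24)  # "Completion time: 2010-04-24" in the log above

# <modified> . <created>   <size or -------->   <attrs>   <path>   (column order is an assumption)
ENTRY = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Find3MEntry:
    modified: datetime
    created: datetime
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str


def parse_find3m(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Find3MEntry(
            datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            size, m["attrs"], m["path"]))
    return entries


def recently_modified_drivers(entries, report_date, max_age_days=60):
    """Kernel drivers in system32\\drivers rewritten within max_age_days of the report.

    Returns (filename, age_in_days, long_installed) sorted by age. long_installed is
    True when the creation timestamp is more than a year older than the modification:
    a file that has existed since the OS was installed and has just been rewritten.
    Windows Update produces the same pattern, so this is a list of files to verify
    against a known-good copy, not a verdict."""
    out = []
    for e in entries:
        p = e.path.lower()
        if not (p.startswith(DRIVER_DIR) and p.endswith(".sys")):
            continue
        age = (report_date - e.modified.date()).days
        if age > max_age_days:
            continue
        long_installed = (e.modified - e.created).days > 365
        out.append((e.path.rsplit("\\", 1)[-1], age, long_installed))
    return sorted(out, key=lambda t: t[1])


if __name__ == "__main__":
    for name, age, long_installed in recently_modified_drivers(parse_find3m(SAMPLE_FIND3M), REPORT_DATE):
        print(f"{name:<14} modified {age:>3} days before report  long-installed={long_installed}")
```

On the sample this yields atapi.sys (1 day, long-installed), SBREDrv.sys (42 days, installed the same day it was modified) and mrxsmb.sys (59 days, long-installed); tcpip6.sys and Lbd.sys fall outside the window. The long-installed flag is what separates an OS driver that has been replaced from a third-party driver that simply arrived with its own installer.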

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #35 on: April 24, 2010, 06:55:15 AM »
(Part 2)


.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-02 818256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 6:28 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/28/2010 11:37 AM 114768]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 4:37 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2010 11:37 AM 20560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2010 11:19 PM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:12]

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac1545c83bbd2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-klmdb.sys



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-24  00:49:50
ComboFix-quarantined-files.txt  2010-04-24 04:49

Pre-Run: 65,471,037,440 bytes free
Post-Run: 65,523,560,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7B26023C403890A142785EAC95F3FF8B

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #36 on: April 24, 2010, 02:37:05 PM »
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
TDL::
c:\windows\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\mrxsmb.sys

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new OTListIt log.

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #37 on: April 24, 2010, 05:15:34 PM »
ok....

Here is Part 1 of the ComboFix log.

ComboFix 10-04-21.01 - Josh 04/24/2010  11:08:39.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.488 [GMT -4:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100424-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((   Files Created from 2010-03-24 to 2010-04-24  )))))))))))))))))))))))))))))))
.

2010-04-07 23:39 . 2010-04-07 23:39   --------   d-sh--w-   c:\documents and settings\LocalService\UserData
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\IECompatCache
2010-04-07 23:36 . 2010-04-07 23:36   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-04-03 21:46 . 2010-04-03 21:46   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\Josh\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-02 06:06 . 2010-04-02 06:06   --------   d-----w-   c:\documents and settings\Josh\Local Settings\Application Data\Threat Expert
2010-04-02 03:12 . 2010-04-02 03:12   516480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-03-28 15:37 . 2009-11-24 22:48   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-28 15:37 . 2009-11-24 22:49   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-28 15:37 . 2009-11-24 22:47   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-28 15:37 . 2009-11-24 22:51   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-28 15:37 . 2009-11-24 22:50   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-28 15:37 . 2009-11-24 22:50   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-28 15:37 . 2009-11-24 22:50   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-28 15:37 . 2009-11-24 22:47   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2010-03-28 15:37 . 2009-11-24 22:54   1280480   ----a-w-   c:\windows\system32\aswBoot.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 04:39 . 2009-06-01 22:23   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 04:34 . 2010-03-20 02:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 00:19 . 2004-08-04 10:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-22 03:37 . 2010-03-13 02:22   598368   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-18 09:48 . 2010-03-08 03:19   --------   d-----w-   c:\program files\Google
2010-04-14 03:28 . 2009-06-07 21:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 22:12 . 2009-06-28 19:45   966104   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-10 22:12 . 2009-06-28 19:45   1265264   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-20 19:40 . 2009-05-18 00:08   --------   d-----w-   c:\program files\Alwil Software
2010-03-20 18:30 . 2010-03-20 18:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 11:18 . 2009-06-01 22:23   --------   d-----w-   c:\program files\SpywareBlaster
2010-03-20 02:55 . 2010-03-20 02:54   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   566608   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-13 02:22 . 2009-06-12 23:47   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-03-13 02:22 . 2009-06-01 22:28   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-13 02:22 . 2010-03-13 02:22   1230160   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-13 02:22 . 2010-03-13 02:22   247120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-13 02:22 . 2009-06-28 19:45   6330848   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-13 02:22 . 2010-03-13 02:22   17480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-13 02:21 . 2010-03-11 19:44   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-12 23:15 . 2009-06-21 14:05   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-12 16:01 . 2010-03-13 01:43   170978   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-03-11 19:44 . 2009-06-01 22:26   --------   d-----w-   c:\program files\Lavasoft
2010-03-10 06:15 . 2004-08-04 10:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-01 23:28 . 2009-06-28 19:45   25440   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-03-01 23:28 . 2009-09-21 22:28   3701760   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-25 06:24 . 2006-03-04 03:33   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 10:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
2010-02-04 15:53 . 2010-03-13 02:21   2954656   -c--a-w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-06-01 22:28   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
.
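
The CFScript in the post above lists two core drivers under TDL::, and the Part 1 log shows why their timestamps are worth reading: atapi.sys was created in 2004 but written the day before the scan, while mrxsmb.sys was last written in February. As an added triage example (my own code, not ComboFix's and not the helper's), the following Python parses the "Files Created" / "Find3M Report" entry lines, reports how old each watch-listed driver's last write is relative to the scan, and flags any rewritten inside a window. The watchlist is taken from the CFScript; the 14-day window borrows OTL's "File Age = 14 Days" default and is an assumption; the sample lines are copied from the log above. A recent write is a lead for the helper to follow up, not a verdict: Windows updates and cleanup tools rewrite drivers too, so the hit still has to be checked against a known-good copy.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# One entry in ComboFix's "Files Created" / "Find3M Report" sections looks like
#   <modified> . <created>   <size | -------->   <attrs>   <path>
# where the size column is a run of dashes for directory entries.
ENTRY_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)
STAMP = "%Y-%m-%d %H:%M"

# Sample lines copied from the ComboFix log posted above (Part 1).
SAMPLE = r"""
2010-04-07 23:39 . 2010-04-07 23:39   --------   d-sh--w-   c:\documents and settings\LocalService\UserData
2010-04-03 21:08 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 00:19 . 2004-08-04 10:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-02-24 13:11 . 2004-08-04 10:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
"""
# "Completion time" printed at the end of the same log.
SCAN_TIME = datetime(2010, 4, 24, 11, 13)

# The two drivers the helper's CFScript lists under TDL::.
WATCHLIST = frozenset({
    r"c:\windows\system32\drivers\atapi.sys",
    r"c:\windows\system32\drivers\mrxsmb.sys",
})


@dataclass(frozen=True)
class Entry:
    modified: datetime
    created: datetime
    size: Optional[int]   # None for directory entries
    attrs: str            # ComboFix's 8-character attribute field, e.g. ----a-w-
    path: str             # lower-cased so watchlist lookups are case-insensitive

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one entry line; return None for section headers, dots and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        modified=datetime.strptime(m["mod"], STAMP),
        created=datetime.strptime(m["cre"], STAMP),
        size=size,
        attrs=m["attrs"],
        path=m["path"].lower(),
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def driver_ages(entries: Iterable[Entry], scan_time: datetime,
                watchlist=WATCHLIST) -> Dict[str, Tuple[int, int]]:
    """Map each watch-listed file to (days since last write, days since creation)."""
    ages = {}
    for e in entries:
        if not e.is_dir and e.path in watchlist:
            ages[e.path] = ((scan_time - e.modified).days, (scan_time - e.created).days)
    return ages


def recently_rewritten(entries: Iterable[Entry], scan_time: datetime,
                       watchlist=WATCHLIST, max_age_days: int = 14) -> List[str]:
    """Watch-listed drivers whose last write falls within max_age_days of the scan.

    The 14-day default mirrors OTL's "File Age = 14 Days" (an assumption here).
    A driver created years ago and rewritten days ago deserves a closer look;
    the write itself may be a patch, a rootkit-modified copy or a tool's restore.
    """
    window = timedelta(days=max_age_days)
    return [e.path for e in entries
            if not e.is_dir and e.path in watchlist
            and scan_time - e.modified <= window]


if __name__ == "__main__":
    found = parse_log(SAMPLE)
    for path, (since_write, since_create) in driver_ages(found, SCAN_TIME).items():
        print(f"{path}: written {since_write} days ago, created {since_create} days ago")
    print("rewritten within window:", recently_rewritten(found, SCAN_TIME))
```

On the sample above only atapi.sys lands inside the window; mrxsmb.sys is reported with its February write age but is not flagged, which is the behaviour a triage script should have so that every monthly driver patch does not raise an alarm.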

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #38 on: April 24, 2010, 05:16:10 PM »
Part 2


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-02 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-02 818256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 6:28 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/28/2010 11:37 AM 114768]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 4:37 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2010 11:37 AM 20560]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2010 11:19 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:12]

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac1545c83bbd2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-24  11:13:28
ComboFix-quarantined-files.txt  2010-04-24 15:13

Pre-Run: 65,504,874,496 bytes free
Post-Run: 65,514,487,808 bytes free

- - End Of File - - 39B33A5F3808B757960FF01885244759

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #39 on: April 24, 2010, 05:22:00 PM »
OTL Part 1.....

OTL logfile created on: 4/24/2010 11:17:30 AM - Run 2
OTL by OldTimer - Version 3.2.1.2     Folder = C:\Documents and Settings\Josh\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,022.00 Mb Total Physical Memory | 162.00 Mb Available Physical Memory | 16.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 61.02 Gb Free Space | 86.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JOSH-DELLE510
Current User Name: Josh
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010/04/18 10:23:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
PRC - [2010/04/10 18:12:52 | 001,265,264 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/04/02 00:08:54 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2010/04/01 23:12:19 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/17 03:35:18 | 000,408,424 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/10 12:17:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/04/18 10:23:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2010/04/10 18:12:52 | 001,265,264 | ---- | M] (Lavasoft) [On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2005/10/28 08:41:52 | 000,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\dlcccoms.exe -- (dlcc_device)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #40 on: April 24, 2010, 05:22:33 PM »
OTL Part 2....


O1 HOSTS File: ([2010/04/02 00:09:08 | 000,385,900 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1   www.007guard.com
O1 - Hosts: 127.0.0.1   007guard.com
O1 - Hosts: 127.0.0.1   008i.com
O1 - Hosts: 127.0.0.1   www.008k.com
O1 - Hosts: 127.0.0.1   008k.com
O1 - Hosts: 127.0.0.1   www.00hq.com
O1 - Hosts: 127.0.0.1   00hq.com
O1 - Hosts: 127.0.0.1   010402.com
O1 - Hosts: 127.0.0.1   www.032439.com
O1 - Hosts: 127.0.0.1   032439.com
O1 - Hosts: 127.0.0.1   www.0scan.com
O1 - Hosts: 127.0.0.1   0scan.com
O1 - Hosts: 127.0.0.1   1000gratisproben.com
O1 - Hosts: 127.0.0.1   www.1000gratisproben.com
O1 - Hosts: 127.0.0.1   1001namen.com
O1 - Hosts: 127.0.0.1   www.1001namen.com
O1 - Hosts: 127.0.0.1   100888290cs.com
O1 - Hosts: 127.0.0.1   www.100888290cs.com
O1 - Hosts: 127.0.0.1   www.100sexlinks.com
O1 - Hosts: 127.0.0.1   100sexlinks.com
O1 - Hosts: 127.0.0.1   10sek.com
O1 - Hosts: 127.0.0.1   www.10sek.com
O1 - Hosts: 127.0.0.1   www.1-2005-search.com
O1 - Hosts: 127.0.0.1   1-2005-search.com
O1 - Hosts: 13312 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244848019812 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/17 19:37:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #41 on: April 24, 2010, 05:23:14 PM »
OTL Part 3...


========== Files/Folders - Created Within 14 Days ==========
 
[2010/04/24 11:07:36 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/24 00:43:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/24 00:43:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/24 00:43:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/24 00:43:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/24 00:43:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/24 00:43:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/24 00:23:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/22 20:18:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Desktop\tdsskiller
[2010/04/22 00:04:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Josh\Recent
[2010/04/18 10:23:28 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2010/04/07 19:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/07 19:37:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/07 19:36:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/07 19:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Threat Expert
[2010/04/07 19:36:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/04/07 19:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2010/03/24 21:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/07 23:24:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/08/07 13:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/06/01 19:54:26 | 000,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpmui.dll
[2009/06/01 19:54:24 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcclmpm.dll
[2009/06/01 19:54:24 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomm.dll
[2009/06/01 19:54:24 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpplc.dll
[2009/06/01 19:54:23 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccusb1.dll
[2009/06/01 19:54:23 | 000,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcchbn3.dll
[2009/06/01 19:54:22 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomc.dll
[2009/06/01 19:54:22 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccprox.dll
[2009/06/01 19:54:21 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll
[2009/05/17 19:36:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 14 Days ==========
 
[2010/04/24 11:13:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/24 11:11:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/24 11:07:17 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/24 10:47:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/24 08:39:28 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Josh\My Documents\~$Doc1.docx
[2010/04/24 08:39:19 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\Josh\NTUSER.DAT
[2010/04/24 05:47:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/24 01:15:30 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Microsoft Word 2007.lnk
[2010/04/24 00:43:57 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/24 00:41:15 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/24 00:41:05 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/04/24 00:41:04 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cac1545c83bbd2.job
[2010/04/24 00:40:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/24 00:39:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Josh\ntuser.ini
[2010/04/24 00:37:38 | 003,923,062 | R--- | M] () -- C:\Documents and Settings\Josh\Desktop\ComboFix.exe
[2010/04/23 13:46:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/22 20:17:32 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\tdsskiller.zip
[2010/04/22 20:14:45 | 000,017,861 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.xlsx
[2010/04/21 22:26:50 | 000,012,179 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.docx
[2010/04/21 18:38:39 | 000,237,917 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Doc1.docx
[2010/04/19 21:08:15 | 000,000,165 | -H-- | M] () -- C:\Documents and Settings\Josh\Desktop\~$Josh Freeman Case 19.xlsx
[2010/04/18 12:23:59 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\gmer.zip
[2010/04/18 10:23:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2010/04/17 18:15:22 | 000,670,673 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\doc.docx
[2010/04/17 17:52:17 | 000,177,935 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Fed Government Applications.docx
[2010/04/17 17:46:20 | 000,016,610 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Joshua Freeman - USAJOBS Resume.docx
[2010/04/15 06:09:51 | 000,078,230 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.pptx
[2010/04/15 06:08:33 | 000,029,614 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.xlsx
[2010/04/14 16:46:56 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Microsoft PowerPoint 2007.lnk
[2010/04/13 23:27:20 | 000,000,283 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/12 19:33:23 | 000,033,955 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\HADM 543 Final Paper - Josh Freeman.docx
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #42 on: April 24, 2010, 05:23:43 PM »
Part 4 (OTL)

========== Files Created - No Company Name ==========
 
[2010/04/24 08:39:28 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Josh\My Documents\~$Doc1.docx
[2010/04/24 00:43:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/24 00:43:54 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/24 00:43:08 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/24 00:43:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/24 00:43:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/24 00:43:08 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/24 00:43:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/24 00:23:14 | 003,923,062 | R--- | C] () -- C:\Documents and Settings\Josh\Desktop\ComboFix.exe
[2010/04/22 20:17:31 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\tdsskiller.zip
[2010/04/21 22:26:49 | 000,012,179 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.docx
[2010/04/21 18:38:38 | 000,237,917 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Doc1.docx
[2010/04/21 18:00:26 | 000,017,861 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.xlsx
[2010/04/19 21:08:15 | 000,000,165 | -H-- | C] () -- C:\Documents and Settings\Josh\Desktop\~$Josh Freeman Case 19.xlsx
[2010/04/18 12:23:56 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\gmer.zip
[2010/04/17 18:15:22 | 000,670,673 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\doc.docx
[2010/04/15 06:08:45 | 000,078,230 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.pptx
[2010/04/15 06:08:26 | 000,029,614 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.xlsx
[2010/04/13 23:27:20 | 000,000,283 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/12 19:33:23 | 000,033,955 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\HADM 543 Final Paper - Josh Freeman.docx
[2009/12/17 18:43:57 | 000,199,784 | ---- | C] () -- C:\Documents and Settings\Josh\Application Data\JuniperSetup.exe
[2009/12/03 22:17:53 | 000,045,132 | ---- | C] () -- C:\Documents and Settings\Josh\Application Data\JuniperExtXP.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/01 19:54:26 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2009/06/01 19:54:25 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2009/06/01 19:54:25 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2009/06/01 19:54:20 | 000,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2009/06/01 19:54:20 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2009/06/01 19:54:20 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2009/06/01 19:54:16 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2009/06/01 19:54:16 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2009/06/01 19:54:15 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2009/06/01 19:54:08 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2009/05/17 19:55:02 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Josh\ntuser.dat.LOG
[2009/05/17 19:55:02 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Josh\ntuser.ini
[2009/05/17 19:55:01 | 007,077,888 | ---- | C] () -- C:\Documents and Settings\Josh\NTUSER.DAT
 
========== LOP Check ==========
 
[2010/03/20 14:30:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/12/03 22:18:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2010/04/24 00:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/12 22:21:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/12/18 06:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Juniper Networks
[2010/04/24 11:07:17 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/04/24 00:41:05 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #43 on: April 24, 2010, 07:48:35 PM »
Do you still have redirects?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
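A read-only audit of the condition essexboy's fix targets, a BHO registration whose CLSID has no class entry (what OTL reports as "No CLSID value found"), as an added PowerShell example that is not part of this thread or of OTL. It assumes an elevated PowerShell session, and it also checks the Wow6432Node paths a 64-bit Windows uses, which the 32-bit XP machine in this thread does not have.

```powershell
# Added example, not from the thread or from OTL: a read-only audit of Browser Helper
# Object (BHO) registrations. A BHO key whose CLSID has no class registration is the
# condition OTL reports as "No CLSID value found"; a CLSID whose InprocServer32 DLL is
# missing from disk is the usual leftover of a removed or partly removed BHO.
# Assumes an elevated PowerShell session; nothing is deleted.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BhoAudit {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # e.g. no Wow6432Node on 32-bit XP
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid = $key.PSChildName                            # the {GUID} subkey name
            # First CLSID hive where this class is actually registered, if any
            $clsidKey = $clsidRoots |
                ForEach-Object { Join-Path $_ $clsid } |
                Where-Object { Test-Path -LiteralPath $_ } |
                Select-Object -First 1
            $name = $null; $dll = $null; $dllExists = $false
            if ($clsidKey) {
                $name = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
                $inproc = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path -LiteralPath $inproc) {
                    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                    if ($dll) {
                        $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                        $dllExists = Test-Path -LiteralPath $expanded
                    }
                }
            }
            if (-not $clsidKey)      { $status = 'ORPHAN: No CLSID value found' }
            elseif (-not $dllExists) { $status = 'SUSPECT: InprocServer32 DLL missing' }
            else                     { $status = 'ok' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Status = $status }
        }
    }
}

Get-BhoAudit | Format-Table -AutoSize
```

Rows reported as ORPHAN correspond to the two O2 lines the fix above removes; a legitimate add-in can also leave such a dangling entry after an incomplete uninstall, so the listing is for review rather than automatic deletion.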

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #44 on: April 24, 2010, 08:37:32 PM »
essexboy... I ran that... thanks again for such detailed instructions... I can't thank you enough.

I apologize, but I'm not 100% sure what you mean by "redirects"? Do you mean, when I open Avast for a scan? As I originally said, before you helped me, there was a warning coming up on my screen saying I had this Win32 Malware virus... however, I just tried opening Avast and it looks like it's gone since there was no error message.

I guess I can assume that took care of the problem, because that warning didn't pop up, my computer hasn't been as loud, and it seems to be running better.

Here is the log of that last scan if you need it for anything.

Thank you so much!!! (I'm assuming I should go ahead and enable all of my virus scans again??)



All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\ not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Josh
->Temp folder emptied: 12040817 bytes
->Temporary Internet Files folder emptied: 43814465 bytes
->Java cache emptied: 227463 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 8792 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16823 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 56.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
 
User: Josh
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.1.2 log created on 04242010_142826

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Josh\Local Settings\Temp\fla2B.tmp not found!
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\;afc=1;kga=-1;shortform=1;u=Zx3m4e45bTo%7C119;kgg=-1;kcr=us;khd=0;dc_dedup=1;kpu=parlophone;kmyd=watch-channel-brand-div;dc_seed=215454529;tile=1;ord=486015402[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\AshleyY[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\inbox[2].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\index[5].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\load_ad[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\main[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\tpp[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\watch[1].txt moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\xd_receiver[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\index[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\load_ad[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\login_status[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\start[2].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\5ACAKLVX\container[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\0I76EBCO\left[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\0I76EBCO\load_ad[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_574.dat moved successfully.

Registry entries deleted on Reboot...