Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ZeroTheHero on August 20, 2010, 08:54:05 PM

Title: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 20, 2010, 08:54:05 PM
Recently updated to Avast 5 and several times now on different days my behavior shield has alerted me about suspicious files, and so far I've chosen to delete them and left the box checked to send the files to Avast, but I'm still getting these messages and each time the file name is just slightly different. Here are the file names:
C:\DOCUME~1\guest2\LOCALS~1\Temp\dBP21.tmp
(the rest are all the same except for the last part of the file name)
\dBPBA.tmp
\dBP1B.tmp
There were two more but I scribbled them quickly and it's not really legible, but they do begin with dBP. After deleting them I checked the virus vault to see if they were sent there, but the vault is empty. I tried finding the folder where these files originated, being sure to choose to "show hidden files and folders". I assumed DOCUME~1 was the Documents and Settings folder and LOCALS~1 was the LocalService folder, but there was no TEMP folder located there. I clicked on the Local Settings folder located in LocalService and found a Temp folder, which led me to three more folders, two of which in turn contain more folders. After much searching I can't find any .tmp files in these folders, much less .tmp files with names that begin with dBP. I used the search function to look for files with dBP in their file names but didn't come up with anything that looked like these .tmp files. I've also begun to wonder if these files could be related to dBpoweramp, which is a utility to convert audio files to different formats. I've had this program for years without problems, and from all I've seen the company is legit. I've run both a full system scan and boot-time scan with Avast, as well as full scans with MBAM and SuperAntiSpyware, and haven't found anything. Should I write this off as Avast being paranoid and alerting me about files that aren't really a problem?
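The alert path uses Windows 8.3 short names, and the poster above read LOCALS~1 as the LocalService profile. As an added example that is not part of this thread, the Python below resolves such a path against a constructed (not the poster's) slice of an XP system drive using a simplified model of the 8.3 naming rule; it shows that LOCALS~1 under guest2 is that user's own "Local Settings" folder, and that the .tmp file itself is simply no longer there by the time anyone searches for it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified model of how Windows builds an 8.3 short name for a long name:
# drop spaces and other disallowed characters, uppercase, keep the first six
# characters of the base name, append ~N where N counts collisions inside the
# same directory, and keep the first three characters of the extension.
# (Real NTFS switches to hash-based names after a few collisions; not modelled.)
_DISALLOWED = re.compile(r"[^A-Z0-9!#$%&'()@^_`{}~-]")


def is_valid_83(name: str) -> bool:
    """True if `name` already fits the 8.3 form, in which case no ~N name is made."""
    up = name.upper()
    if up.count(".") > 1 or " " in up or up.startswith("."):
        return False
    base, _, ext = up.partition(".")
    return (0 < len(base) <= 8 and len(ext) <= 3
            and not _DISALLOWED.search(base) and not _DISALLOWED.search(ext))


def short_names(entries: List[str]) -> Dict[str, str]:
    """Map every long name in one directory (in creation order) to its short name."""
    counters: Dict[Tuple[str, str], int] = {}
    result: Dict[str, str] = {}
    for name in entries:
        if is_valid_83(name):
            result[name] = name.upper()
            continue
        if "." in name:
            base, _, ext = name.rpartition(".")
        else:
            base, ext = name, ""
        stem = _DISALLOWED.sub("", base.upper())[:6]
        ext3 = _DISALLOWED.sub("", ext.upper())[:3]
        n = counters.get((stem, ext3), 0) + 1
        counters[(stem, ext3)] = n
        result[name] = f"{stem}~{n}" + (f".{ext3}" if ext3 else "")
    return result


Tree = Dict[str, dict]  # directory name -> subtree; {} means no children listed


def resolve_short_path(path: str, tree: Tree) -> Tuple[str, List[str]]:
    """Expand each 8.3 component of `path` against `tree`.

    Returns the long path plus the components that could not be found, which is
    what happens with a transient .tmp file that was deleted after the alert."""
    drive, _, rest = path.partition("\\")
    node: Optional[Tree] = tree
    out, missing = [drive], []
    for comp in rest.split("\\"):
        match = None
        if node is not None:
            for long_name, short in short_names(list(node)).items():
                if comp.upper() in (short, long_name.upper()):
                    match = long_name
                    break
        if match is None:
            out.append(comp)
            missing.append(comp)
            node = None  # nothing below an unknown component can be resolved
        else:
            out.append(match)
            node = node[match]
    return "\\".join(out), missing


# Constructed slice of an XP system drive (an assumption, not the poster's machine).
XP_TREE: Tree = {
    "Documents and Settings": {
        "All Users": {},
        "Default User": {},
        "guest2": {
            "Application Data": {},
            "Local Settings": {"Application Data": {}, "Temp": {}},
            "My Documents": {},
        },
        "LocalService": {"Local Settings": {"Temp": {}}},
        "NetworkService": {},
    },
    "Program Files": {"Alwil Software": {}},
    "WINDOWS": {},
}

if __name__ == "__main__":
    alert_path = r"C:\DOCUME~1\guest2\LOCALS~1\Temp\dBP21.tmp"
    long_path, not_found = resolve_short_path(alert_path, XP_TREE)
    print(long_path)  # C:\Documents and Settings\guest2\Local Settings\Temp\dBP21.tmp
    print("not found:", not_found)  # ['dBP21.tmp']: the temp file is already gone
    # "Local Settings" and "LocalService" both shorten to LOCALS~1, but they sit in
    # different parent directories; the alert path's parent is guest2, so it is the
    # user's own Local Settings folder, not the LocalService profile.
    print(short_names(list(XP_TREE["Documents and Settings"]))["LocalService"])  # LOCALS~1
```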
Title: Re: Real threat or false positive (with Avast 5)?
Post by: Pondus on August 20, 2010, 09:15:01 PM
Try this, and see if the problem goes away. Tell us if it worked.

TFC - Temp File Cleaner by OldTimer ( it will clean ALL and ONLY temp files)
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 20, 2010, 11:11:15 PM
Thanks for the reply. I ran that program and it cleaned out about 500MB of junk. It'll probably be a couple incident-free days before I'd feel comfortable saying the problem is cleared up, but if nothing else at least I freed up a lot of space. And here I was thinking CCleaner was getting rid of all the junk.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: Pondus on August 20, 2010, 11:18:30 PM
CCleaner is very good, cleans lots of stuff, but TFC is a specialized tool for temp file cleaning. I think one of the malware experts at geekstogo made it... maybe Essexboy can tell us?
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 21, 2010, 03:20:21 AM
Well, I'm back. Another alert from avast, this time the file is named dBP96.tmp. Here's the full text of the message: "Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis." This time, before I deleted it I did a search for the file name and again came back with nothing. So I'm getting an alert about a file that the search can't even find on my computer.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: Lisandro on August 21, 2010, 03:32:36 AM
It's a temporary file (most probably infected) that is randomly generated by the malware vector.
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or on this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then re-enable it.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: Real threat or false positive (with Avast 5)?
Post by: Pondus on August 21, 2010, 11:32:02 AM
If Tech's suggestions do not work, then the next thing to try will be Essexboy's tricks.


Follow this guide from Essexboy and post the logs here
http://forum.avast.com/index.php?topic=53253.0


Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 21, 2010, 11:22:13 PM
Last night I ran Panda Activescan and it was clean. This morning I ran Spybot S&D and it was also clean. After I checked the responses here, I followed most of Tech's suggestions. I cleared my temp files again, then ran a Dr. Web express scan (which wasn't so express at two and a half hours). It found two suspicious files. I thought it might be a false positive given that they were in a folder for Comcast Desktop Doctor, which is a legit program, but to be on the safe side I quarantined these files:
sprtsync.dll
sprtupdate.dll
I ran a Trend Micro RootkitBuster scan, which came back clean. I also disabled and re-enabled system restore. I already have SpywareBlaster installed. I then tried to do another MBAM scan, but when I came back to my computer to check on the progress, the screen was black and there was this thing floating around telling me that the monitor was working and I should check the video connection. I checked my monitor connection and everything was fine. The Num Lock button on my keyboard was lit, and I could hear the computer's fan running, but I just had this black screen with that message. The only thing I could think to do was to unplug the computer and then plug it back in. When it started I got a message saying that my computer had recovered from a serious error. It gave me the option to send an error report to Microsoft, which I did, and then it took me to this page, "Troubleshoot a problem with a device driver":
http://tinyurl.com/2at7t6j
I'm going to try running MBAM again, hoping the error doesn't happen again. In the meantime, here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:19 PM, on 8/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\guest2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://www.pcrecruiter.net/pcrimg/PCRHTML.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate1c9c2bb298f7cc4) (gupdate1c9c2bb298f7cc4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6784 bytes
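The log above is the kind of thing a helper reads by eye: the R1 ProxyServer line is what the next reply calls a hijacked proxy, and the O23 "(file missing)" and O9 "(no file)" entries are leftovers of uninstalled software. As an added example that is not part of this thread or of HijackThis itself, the Python below does that first-pass triage over a handful of lines copied from the log; its output is a list of entries to verify, not a verdict, which matters here because the proxy entry turned out to be a leftover avast/ZoneAlarm workaround.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input constructed from entries copied out of the HijackThis log posted
# in this thread (same paths and CLSIDs), so the script can run offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. R1 or O23
    reason: str         # why a human should look at this entry
    line: str           # the log line itself
    detail: str = ""    # extracted value, e.g. the proxy host:port


# Every HijackThis entry starts with a section code, a dash, and the body.
_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# R0/R1 lines carry "key,value = data"; this picks out a configured proxy.
_PROXY = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)")


def triage_hjt(log: str) -> List[Finding]:
    """Return the entries of a HijackThis log that deserve manual review.

    Nothing here is a verdict: in the thread the proxy was an old avast/ZoneAlarm
    workaround and the Winlogon DLL belongs to SUPERAntiSpyware. The point is to
    surface such entries so that someone actually checks them."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        proxy = _PROXY.search(body) if section in ("R0", "R1") else None
        if proxy:
            findings.append(Finding(
                section, "browser traffic is routed through a proxy; confirm it is intentional",
                line, proxy.group("proxy")))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(
                section, "service registered for a binary that no longer exists (orphaned or tampered)", line))
        elif section == "O9" and body.endswith("(no file)"):
            findings.append(Finding(
                section, "IE extra button with no backing file (orphaned entry)", line))
        elif section == "O20":
            findings.append(Finding(
                section, "DLL loaded by Winlogon at every logon; verify the publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        extra = f" [{f.detail}]" if f.detail else ""
        print(f"{f.section}: {f.reason}{extra}\n    {f.line}")
```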
Title: Re: Real threat or false positive (with Avast 5)?
Post by: essexboy on August 21, 2010, 11:25:54 PM
Hi, you have a hijacked proxy, plus there may well be something else hiding.

OTL - Download (http://oldtimer.geekstogo.com/OTL.exe) or alternative link here (http://www.itxassociates.com/OT-Tools/OTL.exe) and here (http://www.itxassociates.com/OT-Tools/OTL.com) to your desktop

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:30:34 AM
I was able to run MBAM, and it didn't find anything. To essexboy: I was wondering if you meant (when you said I had a hijacked proxy) the bit in the log where it says "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080". IIRC that stems from a time when I had an old version of ZoneAlarm that conflicted with Avast's invisible proxy, and after searching around I found a workaround by using the "12080" proxy. Since then I've updated ZoneAlarm and have gone back to using no proxy. Again, I'm not even sure if that's what you meant. I ran OTL, and I'll post the logs here (though I'll probably have to break them up to meet the character limit). You'll notice that the times on the logs don't match. The first time I ran the scan both reports opened, and after I closed them I couldn't find them again, so I ran the scan again, but this time only a new "OTL" report was created, and not the "Extras" report. I ran the scan a third time thinking I must've done something wrong, but again only an "OTL" file was created. I did eventually find the "Extras" file from the first scan however, so I'm posting that along with the "OTL" report from the third scan.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:38:16 AM
OTL, part 1



OTL logfile created on: 8/21/2010 7:06:26 PM - Run 3
OTL by OldTimer - Version 3.2.10.0     Folder = C:\Documents and Settings\guest2\My Documents\otl
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
510.00 Mb Total Physical Memory | 80.00 Mb Available Physical Memory | 16.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.50 Gb Total Space | 13.57 Gb Free Space | 18.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: GUEST
Current User Name: guest2
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010/08/21 18:35:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\guest2\My Documents\otl\OTL.exe
PRC - [2010/07/24 11:32:06 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/28 15:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
PRC - [2010/06/23 13:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/14 16:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/10/04 15:50:20 | 000,917,611 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell Wireless\PRISMCFG.exe
PRC - [2004/10/04 15:10:16 | 000,327,769 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\SYSTEM32\PRISMSVR.exe
PRC - [2003/10/29 03:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/08/21 18:35:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\guest2\My Documents\otl\OTL.exe
MOD - [2007/04/19 14:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 06:00:00 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\MSVCP60.DLL
MOD - [2004/08/04 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\MSSCRIPT.OCX
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/09/03 11:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2004/10/04 15:12:50 | 000,057,344 | ---- | M] (Conexant Systems, Inc.) [Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\PRISMSVC.exe -- (PRISMSVC)
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:39:15 AM
OTL, part 2



========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\guest2\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\vsdatant.sys -- (vsdatant)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/04/18 10:25:13 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\PalmUSBD.sys -- (PalmUSBD)
DRV - [2004/09/26 20:42:00 | 000,345,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\PRISMA02.sys -- (DELL_A02)
DRV - [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004/08/13 03:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
DRV - [2004/08/13 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/08/13 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/08/13 02:05:00 | 000,086,202 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/08/13 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/08/13 02:05:00 | 000,025,723 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/08/13 02:05:00 | 000,014,715 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/08/13 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/08/13 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/08/13 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/08/04 04:21:00 | 000,087,136 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)
DRV - [2004/07/14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:41:43 AM
OTL, part 3



========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:12080
 
========== FireFox ==========
 
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.comcast.net"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}:1.0.1
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.12.0.36949
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.10
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: firegestures@xuldev.org:1.5.7
FF - prefs.js..extensions.enabledItems: {10187899-7ffe-4f9a-b9d2-35fdb3b49690}:0.6.3
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.2.3
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..extensions.enabledItems: {e8f509f0-b677-11de-8a39-0800200c9a66}:1.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.6.6
FF - prefs.js..extensions.enabledItems: bloodfire@example.com:3.6
FF - prefs.js..extensions.enabledItems: {241aae70-0022-11de-87af-0800200c9a66}:3.6.30.01.10
FF - prefs.js..extensions.enabledItems: chromifox@altmusictv.com:3.6.5
FF - prefs.js..extensions.enabledItems: {de5809e0-2b07-11dd-bd0b-0800200c9a66}:1.2.0
FF - prefs.js..extensions.enabledItems: nasanightlaunch@example.com:0.6.20100805
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 12080
FF - prefs.js..network.proxy.type: 0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/14 21:20:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/21 11:15:29 | 000,000,000 | ---D | M]
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:42:38 AM
OTL, part 4



[2009/11/18 18:23:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Extensions
[2009/11/18 18:23:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Extensions\celtx@celtx.com
[2010/08/21 11:23:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions
[2010/03/25 19:22:12 | 000,000,000 | ---D | M] (Screengrab) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/02/05 12:28:28 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/03/05 16:07:46 | 000,000,000 | ---D | M] (Auto Copy) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2010/04/30 19:45:00 | 000,000,000 | ---D | M] (IMDb Preview) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{10187899-7ffe-4f9a-b9d2-35fdb3b49690}
[2010/01/31 16:55:27 | 000,000,000 | ---D | M] (Blue Fox) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{241aae70-0022-11de-87af-0800200c9a66}
[2009/10/15 10:30:27 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/03/17 19:47:43 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/08/12 20:31:59 | 000,000,000 | ---D | M] (Aero Fox Silver XL) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}
[2010/08/21 11:23:28 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/07/27 09:31:41 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/08/14 21:22:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}
[2010/08/18 13:29:46 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/06/17 14:57:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/05/29 21:27:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/04/08 12:45:08 | 000,000,000 | ---D | M] (Gradient iCool) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2009/09/11 11:08:03 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/05/22 18:27:02 | 000,000,000 | ---D | M] (Web2PDF converter) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{e8f509f0-b677-11de-8a39-0800200c9a66}
[2010/04/15 07:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\bloodfire@example.com
[2010/03/05 16:07:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\chromifox@altmusictv.com
[2010/04/16 14:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\firegestures@xuldev.org
[2010/07/24 11:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\https-everywhere@eff.org
[2010/08/10 16:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\nasanightlaunch@example.com
[2010/06/25 23:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\netvideohunter@netvideohunter.com
[2009/07/09 13:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\omiazad@msn.com
[2010/04/14 00:18:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\personas@christopher.beard
[2009/04/20 18:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\perspectives@cmu.edu
[2010/06/18 20:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\piclens@cooliris.com
[2010/08/04 16:33:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\smarterwiki@wikiatic.com
[2010/08/12 20:31:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\mac\mozapps\extensions
[2010/08/12 20:31:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\mozapps\extensions
[2010/08/18 20:03:36 | 000,001,546 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\allmusic---google.xml
[2010/08/18 20:03:38 | 000,005,100 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\box-office-mojo.xml
[2009/09/02 10:42:59 | 000,002,758 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\cuil.xml
[2009/04/20 18:56:34 | 000,000,931 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\dictionary.xml
[2009/04/20 18:56:21 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\imdb.xml
[2010/08/18 20:03:38 | 000,001,942 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\mycroft-project.xml
[2010/08/14 23:30:20 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\scroogle-1.xml
[2010/05/20 09:27:41 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\scroogle.xml
[2010/08/17 16:07:48 | 000,002,314 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\songmeanings---artist.xml
[2010/08/14 23:30:20 | 000,002,320 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\songmeanings---song-title.xml
[2009/12/30 10:37:11 | 000,002,013 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\urban-dictionary.xml
[2009/04/20 18:55:51 | 000,000,705 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\webster.xml
[2009/04/20 19:51:11 | 000,001,032 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\wikipedia-eng.xml
[2009/05/30 09:40:25 | 000,000,945 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\youtube-video-search.xml
[2010/08/21 11:23:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/27 13:40:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/27 13:39:49 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:43:25 AM
OTL, part 5


O1 HOSTS File: ([2010/08/20 10:09:24 | 000,416,778 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1   www.007guard.com
O1 - Hosts: 127.0.0.1   007guard.com
O1 - Hosts: 127.0.0.1   008i.com
O1 - Hosts: 127.0.0.1   www.008k.com
O1 - Hosts: 127.0.0.1   008k.com
O1 - Hosts: 127.0.0.1   www.00hq.com
O1 - Hosts: 127.0.0.1   00hq.com
O1 - Hosts: 127.0.0.1   010402.com
O1 - Hosts: 127.0.0.1   www.032439.com
O1 - Hosts: 127.0.0.1   032439.com
O1 - Hosts: 127.0.0.1   www.0scan.com
O1 - Hosts: 127.0.0.1   0scan.com
O1 - Hosts: 127.0.0.1   1000gratisproben.com
O1 - Hosts: 127.0.0.1   www.1000gratisproben.com
O1 - Hosts: 127.0.0.1   1001namen.com
O1 - Hosts: 127.0.0.1   www.1001namen.com
O1 - Hosts: 127.0.0.1   100888290cs.com
O1 - Hosts: 127.0.0.1   www.100888290cs.com
O1 - Hosts: 127.0.0.1   www.100sexlinks.com
O1 - Hosts: 127.0.0.1   100sexlinks.com
O1 - Hosts: 127.0.0.1   10sek.com
O1 - Hosts: 127.0.0.1   www.10sek.com
O1 - Hosts: 127.0.0.1   www.1-2005-search.com
O1 - Hosts: 127.0.0.1   1-2005-search.com
O1 - Hosts: 14388 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\SYSTEM32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe (Dell Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} http://www.pcrecruiter.net/pcrimg/PCRHTML.CAB (PCRHTML3.HTML1)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\DELL.BMP
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
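Added example (not part of ZeroTheHero's post and not OTL's own code): a small Python triage script for the two parts of this log that a reviewer checks by hand, the proxy settings in part 3 and the HOSTS entries in part 5. In the log, the user hive ending in -1007 has IE "ProxyEnable" = 1 with "ProxyServer" = localhost:12080, while Firefox has the same localhost:12080 in network.proxy.http but network.proxy.type = 0, which is the "no proxy, direct connection" setting, so Firefox is not actually using it. A loopback proxy is often a legitimate local filter, but it is also the classic place to intercept browser traffic, so the script flags it and leaves identifying the listening process (netstat -ano) to the reviewer. Every HOSTS entry shown points at 127.0.0.1, which is consistent with a blocklist rather than a hijack; the script flags any entry that points somewhere other than loopback. The sample lines are copied from the log except the www.example-bank.com line, which is constructed here to exercise that check.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the OTL excerpts posted above. All lines are
# copied from that output except the www.example-bank.com entry, which is invented
# here (RFC 5737 test address) to show what a HOSTS redirection would look like.
SAMPLE_OTL = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:12080
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 12080
FF - prefs.js..network.proxy.type: 0
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1   www.007guard.com
O1 - Hosts: 127.0.0.1   007guard.com
O1 - Hosts: 198.51.100.7   www.example-bank.com
O1 - Hosts: 14388 more lines...
"""

IE_RE = re.compile(r'^IE - (HKU\\[^\\]+)\\.*Internet Settings: "(ProxyEnable|ProxyServer)" = (.+)$')
FF_RE = re.compile(r'^FF - prefs\.js\.\.(network\.proxy\.[a-z_]+): (.+)$')
HOSTS_RE = re.compile(r'^O1 - Hosts: (\S+)\s+(\S+)$')
MORE_RE = re.compile(r'^O1 - Hosts: (\d+) more lines')


def parse_ie_proxy(lines):
    """Map each HKU hive (one per user SID) to its ProxyEnable/ProxyServer values."""
    out = {}
    for line in lines:
        m = IE_RE.match(line)
        if m:
            hive, key, value = m.groups()
            out.setdefault(hive, {})[key] = value.strip()
    return out


def parse_ff_proxy(lines):
    """Collect Firefox network.proxy.* prefs, with string values unquoted."""
    out = {}
    for line in lines:
        m = FF_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out


def parse_hosts(lines):
    """Return ([(ip, hostname), ...], omitted) where omitted is the count OTL
    reports in its 'N more lines...' marker instead of printing every entry."""
    entries, omitted = [], 0
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            try:
                entries.append((ip_address(m.group(1)), m.group(2)))
            except ValueError:
                continue  # first token was not an address
        m = MORE_RE.match(line)
        if m:
            omitted = int(m.group(1))
    return entries, omitted


def is_local_proxy(server):
    """True when a ProxyServer value points at this machine (localhost or loopback)."""
    host = server.rsplit(":", 1)[0].strip().lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(text):
    """Turn an OTL excerpt into a list of findings a reviewer should look at."""
    lines = [l for l in text.splitlines() if l.strip()]
    findings = []
    for hive, cfg in parse_ie_proxy(lines).items():
        if cfg.get("ProxyEnable") == "1":
            server = cfg.get("ProxyServer", "<none>")
            kind = "loopback" if is_local_proxy(server) else "remote"
            findings.append(f"IE: proxy enabled in {hive} -> {server} ({kind} proxy)")
    ff = parse_ff_proxy(lines)
    ptype = ff.get("network.proxy.type", "0")  # 0 = direct connection, 1 = manual proxy
    if ptype != "0":
        findings.append(f"FF: proxy type {ptype} active -> {ff.get('network.proxy.http')}")
    elif ff.get("network.proxy.http"):
        findings.append(f"FF: {ff['network.proxy.http']}:{ff.get('network.proxy.http_port', '?')}"
                        " is configured but type 0 (direct), so it is not in use")
    entries, omitted = parse_hosts(lines)
    for ip, h in entries:
        if not (ip.is_loopback or ip.is_unspecified):
            findings.append(f"HOSTS: {h} -> {ip} (non-loopback, possible hijack)")
    sinkholed = sum(1 for ip, _ in entries if ip.is_loopback or ip.is_unspecified)
    findings.append(f"HOSTS: {sinkholed} loopback/blackhole entries shown, {omitted} more not shown")
    return findings
```

Running triage(SAMPLE_OTL) on the sample gives four findings: the loopback proxy in the -1007 hive, the Firefox proxy that is configured but unused, the constructed redirection, and a count of the blocklist-style entries plus the 14388 OTL did not print. The counts only cover what OTL chose to print; for the full file, run the hosts check against C:\WINDOWS\system32\drivers\etc\hosts directly.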
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:44:13 AM
OTL, part 6



NetSvcs: 6to4 -  File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: Wmi - C:\WINDOWS\System32\WMI.DLL (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619700398653440)
 
========== Files/Folders - Created Within 90 Days ==========
 
[2010/08/21 19:05:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\My Documents\otl
[2010/08/21 16:23:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\guest2\Recent
[2010/08/21 15:55:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/08/21 11:46:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\DoctorWeb
[2010/08/21 11:05:37 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/08/21 11:04:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\My Documents\New Folder
[2010/08/20 20:29:34 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/08/16 23:14:34 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/08/16 23:14:34 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/08/16 23:14:32 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/08/16 23:14:31 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/08/16 23:14:30 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/08/16 23:14:30 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/08/16 23:14:29 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/08/16 23:13:23 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/08/16 23:13:22 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/08/16 23:12:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/08/16 17:51:50 | 000,000,000 | ---D | C] -- C:\Temp
[2010/08/16 17:44:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\Application Data\Digital Album Organizer
[2010/08/16 17:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\Application Data\Wal-Mart Digital Photo Viewer
[2010/08/03 19:00:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
[2010/08/03 19:00:23 | 000,000,000 | ---D | C] -- C:\Program Files\FreeRIP3
[2010/07/28 14:24:04 | 000,000,000 | ---D | C] -- C:\Program Files\AnvSoft
[2010/07/12 20:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\Application Data\Stella
[2010/07/12 20:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Stella
[2010/07/08 15:37:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\guest2\Application Data\vlc
[2010/06/27 13:40:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/27 01:19:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2010/06/23 22:22:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2010/06/23 22:22:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2010/06/23 22:20:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie7
[2010/06/23 22:19:47 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2010/06/23 22:19:19 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2010/06/23 15:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/17 21:57:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2010/06/17 21:57:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/06/13 19:36:17 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2010/06/08 11:50:45 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/06/03 01:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/06/01 22:50:56 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010/05/28 17:37:27 | 000,000,000 | ---D | C] -- C:\Program Files\Recuva
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:45:49 AM
OTL, part 7


========== Files - Modified Within 90 Days ==========
 
[2010/08/21 18:53:01 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1784066151-926666739-2172271728-1007UA.job
[2010/08/21 18:22:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/21 15:55:57 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/21 15:55:40 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/21 15:55:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/21 15:55:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/08/21 15:55:07 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/21 11:34:23 | 014,680,064 | -H-- | M] () -- C:\Documents and Settings\guest2\NTUSER.DAT
[2010/08/21 11:33:59 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\guest2\NTUSER.INI
[2010/08/21 11:15:30 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/21 11:05:37 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/08/20 22:53:14 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1784066151-926666739-2172271728-1007Core.job
[2010/08/20 21:06:32 | 000,002,293 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\Google Chrome.lnk
[2010/08/20 11:48:01 | 000,044,544 | ---- | M] () -- C:\Documents and Settings\guest2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/20 10:09:24 | 000,416,778 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\HOSTS
[2010/08/16 23:14:35 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/08/16 23:14:30 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/08/11 14:03:48 | 000,416,571 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100820-100924.backup
[2010/08/03 21:33:24 | 000,966,656 | -H-- | M] () -- C:\Documents and Settings\guest2\My Documents\photothumb.db
[2010/08/03 19:11:12 | 000,000,073 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/08/03 19:00:46 | 000,001,264 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2010/08/03 19:00:25 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\FreeRIP.lnk
[2010/07/28 14:24:15 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\Any Video Converter.lnk
[2010/07/28 14:19:42 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\CCleaner.lnk
[2010/07/25 13:06:47 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\mcs.rma
[2010/07/25 13:06:47 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\570BB0
[2010/07/18 12:08:08 | 000,412,044 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100811-140348.backup
[2010/07/08 15:35:34 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/07/08 15:27:18 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Comcast Desktop Doctor.lnk
[2010/07/08 15:22:07 | 000,411,842 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100718-120808.backup
[2010/07/08 15:12:57 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/07/08 15:05:20 | 000,420,800 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/07/08 15:04:35 | 000,000,731 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\ZoneAlarm Security.lnk
[2010/06/28 15:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/28 15:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/06/28 15:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/06/24 16:34:07 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/06/24 16:23:00 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/06/23 22:36:10 | 000,408,505 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100708-152207.backup
[2010/06/23 22:25:42 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/23 22:08:38 | 000,000,800 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100623-223610.backup
[2010/06/23 22:08:18 | 000,000,800 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100623-220837.backup
[2010/06/23 21:53:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/06/23 16:01:25 | 000,408,517 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100623-220818.backup
[2010/06/23 15:45:54 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/16 16:59:45 | 000,408,391 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100623-160125.backup
[2010/06/14 11:08:41 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\Spybot - Search & Destroy.lnk
[2010/06/13 19:39:35 | 000,404,329 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100616-165945.backup
[2010/06/13 19:36:21 | 000,001,512 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\Speccy.lnk
[2010/06/10 10:02:18 | 000,270,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/08 11:51:16 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/06/07 11:48:38 | 000,403,630 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100613-193935.backup
[2010/06/03 01:38:45 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\SpywareBlaster.lnk
[2010/06/03 01:32:27 | 000,403,630 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20100607-114838.backup
[2010/05/31 22:37:54 | 002,641,454 | -H-- | M] () -- C:\Documents and Settings\guest2\Local Settings\Application Data\IconCache.db
[2010/05/28 17:37:33 | 000,001,512 | ---- | M] () -- C:\Documents and Settings\guest2\Desktop\Recuva.lnk
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:46:24 AM
OTL, part 8



========== Files Created - No Company Name ==========
 
[2010/08/16 23:14:35 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/08/16 22:56:53 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/03 19:01:38 | 000,000,073 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/08/03 19:00:46 | 000,001,264 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2010/08/03 19:00:25 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\guest2\Desktop\FreeRIP.lnk
[2010/07/28 14:24:15 | 000,000,799 | ---- | C] () -- C:\Documents and Settings\guest2\Desktop\Any Video Converter.lnk
[2010/07/08 15:35:34 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/07/08 15:04:35 | 000,000,731 | ---- | C] () -- C:\Documents and Settings\guest2\Desktop\ZoneAlarm Security.lnk
[2010/07/08 15:04:18 | 000,420,800 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/06/24 16:23:00 | 000,002,187 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/06/24 16:23:00 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\guest2\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/06/23 15:45:54 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/13 19:36:21 | 000,001,512 | ---- | C] () -- C:\Documents and Settings\guest2\Desktop\Speccy.lnk
[2010/06/08 11:51:16 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/06/08 11:42:26 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/03 01:38:45 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\guest2\Desktop\SpywareBlaster.lnk
[2010/05/28 17:37:33 | 000,001,512 | ---- | C] () -- C:\Documents and Settings\guest2\Desktop\Recuva.lnk
[2010/02/07 20:59:44 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2009/08/24 14:41:00 | 000,000,478 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2009/04/25 16:26:17 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\guest2\Application Data\570BB0
[2009/04/25 16:26:16 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\guest2\Application Data\mcs.rma
[2009/04/19 17:08:51 | 000,044,544 | ---- | C] () -- C:\Documents and Settings\guest2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/14 12:21:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2008/01/02 19:05:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/12/25 20:05:37 | 000,002,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/12/25 17:47:41 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/04/26 17:09:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\wdt2u.dll
[2005/04/27 20:02:06 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\pcrrtxtc.dll
[2005/02/06 08:55:45 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/06 08:48:54 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/02/06 08:15:26 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/09/15 23:03:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/18 13:01:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\CoPrism.dll
[2004/08/10 14:13:12 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2003/09/22 15:35:20 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\decode.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:47:03 AM
OTL, part 9



========== LOP Check ==========
 
[2010/08/16 23:12:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/08/03 19:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
[2009/03/14 11:36:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2005/02/06 08:55:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism
[2009/04/20 02:03:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/08/17 18:38:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/02/06 08:53:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/23 21:42:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/04/07 08:33:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/07/27 00:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\.BitTornado
[2009/12/05 10:27:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\AnvSoft
[2010/02/12 11:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Any Video Converter
[2009/04/21 15:02:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\COWON
[2009/05/01 09:12:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\dBpoweramp
[2009/11/18 18:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Greyfirst
[2010/02/23 20:38:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mael
[2009/06/12 18:48:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\SecondLife
[2010/07/12 20:12:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Stella
[2009/12/02 22:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Thunderbird
[2010/08/16 17:36:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Wal-Mart Digital Photo Viewer
[2008/10/15 03:07:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\true_til_death\Application Data\FrostWire
[2009/03/14 11:33:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\true_til_death\Application Data\HotSync
[2008/11/04 09:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\true_til_death\Application Data\Viewpoint
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:47:46 AM
OTL, part 10



========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/04/20 11:00:56 | 000,000,211 | RHS- | M] () -- C:\BOOT.INI
[2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/02/06 08:20:34 | 000,004,711 | RH-- | M] () -- C:\DELL.SDR
[2010/08/21 15:55:07 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/03 13:12:49 | 000,000,863 | ---- | M] () -- C:\hpfr3500.log
[2004/08/10 14:14:36 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/10 14:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2005/02/06 08:53:47 | 000,000,746 | -H-- | M] () -- C:\IPH.PH
[2010/04/30 14:10:51 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2004/08/10 14:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 06:00:00 | 000,250,032 | RHS- | M] () -- C:\NTLDR
[2010/08/21 15:55:06 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2010/08/21 15:56:41 | 000,001,530 | ---- | M] () -- C:\SMax.log
[2005/02/06 08:37:02 | 000,001,528 | ---- | M] () -- C:\SMax.log.bak
[2005/02/06 08:53:56 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini
[2009/01/15 09:29:17 | 000,000,150 | ---- | M] () -- C:\YServer.txt
 
< %systemroot%\Fonts\*.com >
 
< %systemroot%\Fonts\*.dll >
 
< %systemroot%\Fonts\*.ini >
[2004/08/10 14:03:42 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\DESKTOP.INI
 
< %systemroot%\Fonts\*.ini2 >
 
< %systemroot%\Fonts\*.exe >
 
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2003/06/18 18:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\mdippr.dll
 
< %systemroot%\REPAIR\*.bak1 >
 
< %systemroot%\REPAIR\*.ini >
 
< %systemroot%\system32\*.jpg >
 
< %systemroot%\*.jpg >
 
< %systemroot%\*.png >
 
< %systemroot%\*.scr >
[2010/06/28 15:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
 
< %systemroot%\*._sy >
 
< %APPDATA%\Adobe\Update\*.* >
 
< %ALLUSERSPROFILE%\Favorites\*.* >
 
< %APPDATA%\Microsoft\*.* >
 
< %PROGRAMFILES%\*.* >
 
< %APPDATA%\Update\*.* >
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\System32\config\*.sav >
[2004/08/10 13:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.SAV
[2004/08/10 13:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.SAV
[2004/08/10 13:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.SAV
 
< %PROGRAMFILES%\bak. /s >
 
< %systemroot%\system32\bak. /s >
 
< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2004/08/10 14:04:12 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\DESKTOP.INI
 
< %systemroot%\system32\config\systemprofile\*.dat /x >
 
< %systemroot%\*.config >
 
< %systemroot%\system32\*.db >
 
< %PROGRAMFILES%\Internet Explorer\*.dat >
 
< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/04/18 10:53:15 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\guest2\Application Data\Microsoft\Internet Explorer\Quick Launch\DESKTOP.INI
[2004/08/10 14:08:38 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
 
< %USERPROFILE%\Desktop\*.exe >
 
< %PROGRAMFILES%\Common Files\*.* >
 
< %systemroot%\*.src >
 
< %systemroot%\install\*.* >
 
< %systemroot%\system32\DLL\*.* >
 
< %systemroot%\system32\HelpFiles\*.* >
 
< %systemroot%\system32\rundll\*.* >
 
< %systemroot%\winn32\*.* >
 
< %systemroot%\Java\*.* >
 
< %systemroot%\system32\test\*.* >
 
< %systemroot%\system32\Rundll32\*.* >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-15 04:10:36
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8CE646EE
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
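The file-list lines in the OTL output above all share one shape: `[date | size | attribute flags | C or M] (company) -- path`, where the four flag positions are read-only, hidden, system and directory, `C`/`M` says which list (created or modified) the line came from, and an empty `()` means OTL found no company name in the file's version resource. The alternate-data-stream lines have a second, simpler shape. What a triager wants is not to read 1,200 lines but to parse them once and pull out the few worth a second look. The following is an added example, my own code and not OTL's or anything posted in this thread: it parses a handful of entries copied from the log above (the sample is constructed from those lines), and applies review heuristics that are my assumptions, not OTL's verdicts: a binary under System32 with no company name, a timestamp before 1995, a tiny extensionless file sitting directly in a profile's Application Data, and any alternate data stream that is not a browser Zone.Identifier mark. A hit means "verify the hash and signature", not "malware".

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample: entries copied from the OTL log posted above (one directory
# entry from the LOP check and one of the two alternate data streams included).
SAMPLE_LOG = """\
========== Files Created - No Company Name ==========
[2010/08/16 22:56:53 | 534,827,008 | -HS- | C] () -- C:\\hiberfil.sys
[2009/04/25 16:26:17 | 000,000,004 | ---- | C] () -- C:\\Documents and Settings\\guest2\\Application Data\\570BB0
[2006/04/26 17:09:00 | 000,102,400 | ---- | C] () -- C:\\WINDOWS\\System32\\wdt2u.dll
[2005/04/27 20:02:06 | 000,028,672 | ---- | C] () -- C:\\WINDOWS\\System32\\pcrrtxtc.dll
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\\WINDOWS\\System32\\e100bmsg.dll
[2010/06/28 15:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\\WINDOWS\\avastSS.scr
[2010/08/17 18:38:48 | 000,000,000 | ---D | M] -- C:\\Documents and Settings\\All Users\\Application Data\\TEMP
@Alternate Data Stream - 143 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:8CE646EE
"""

ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_PREFIX = "@Alternate Data Stream - "
BINARY_EXTS = {"dll", "exe", "sys", "scr", "ocx", "cpl"}


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str      # flag positions: R read-only, H hidden, S system, D directory
    kind: str       # C = from a "Created" list, M = from a "Modified" list
    company: str    # empty when OTL found no company name in the version resource
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


@dataclass
class Stream:
    size: int
    path: str
    stream: str


def parse_otl(text: str) -> Tuple[List[Entry], List[Stream]]:
    """Split an OTL log into file entries and alternate-data-stream records."""
    entries, streams = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                size=int(m["size"].replace(",", "")),
                attrs=m["attrs"], kind=m["kind"],
                company=(m["company"] or "").strip(), path=m["path"]))
        elif line.startswith(ADS_PREFIX):
            size_part, target = line[len(ADS_PREFIX):].split(" -> ", 1)
            path, stream = target.rsplit(":", 1)   # last colon separates the stream name
            streams.append(Stream(int(size_part.split()[0]), path, stream))
    return entries, streams


def triage(entries: List[Entry], streams: List[Stream]) -> List[Tuple[str, str]]:
    """Review heuristics (my assumptions, not OTL's): each hit is (path, reason)."""
    hits = []
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if "\\windows\\system32\\" in low and ext in BINARY_EXTS and not e.company:
            hits.append((e.path, "binary in System32 with no company name: check hash and signature"))
        if not e.is_dir and e.timestamp.year < 1995:
            hits.append((e.path, "implausible timestamp: timestomped or unpacked from an archive"))
        if "\\application data\\" in low and not e.is_dir and ext == "" and e.size < 64:
            hits.append((e.path, "tiny extensionless file in a profile directory: review"))
    for s in streams:
        if s.stream.lower() != "zone.identifier":
            hits.append((f"{s.path}:{s.stream}", "alternate data stream that is not a Zone.Identifier mark"))
    return hits


if __name__ == "__main__":
    ents, ads = parse_otl(SAMPLE_LOG)
    for path, reason in triage(ents, ads):
        print(f"{reason:70s} {path}")
```

Run against the full OTL.txt instead of the sample, the same rules reduce the posted log to roughly a dozen paths; the three System32 DLLs with no company name and the two streams on the TEMP folder are the ones worth hashing and looking up before anything is deleted.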
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:49:06 AM
Extras, part 1



OTL Extras logfile created on: 8/21/2010 6:38:26 PM - Run 1
OTL by OldTimer - Version 3.2.10.0     Folder = C:\Documents and Settings\guest2\My Documents
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
510.00 Mb Total Physical Memory | 209.00 Mb Available Physical Memory | 41.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.50 Gb Total Space | 13.66 Gb Free Space | 19.10% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: GUEST
Current User Name: guest2
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
 
[HKEY_USERS\S-1-5-21-1784066151-926666739-2172271728-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with Paint Shop Pro Studio] -- "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:50:30 AM
Extras, part 2



========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire -- File not found
"C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe" = C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29D3773E-54F4-23C2-D523-236A4453B844}_is1" = FileAlyzer
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.42
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}" = USB 2.0 Wireless LAN Card Utility
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AFAC914D-9E83-4A89-8ABE-427521C82CCF}" = Safari
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = COWON Media Center - jetAudio Basic
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:51:06 AM
Extras, part 3


"7-Zip" = 7-Zip 4.65
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Any Video Converter_is1" = Any Video Converter 3.0.7
"AoA Audio Extractor_is1" = AoA Audio Extractor 1.0
"AoA Video Joiner_is1" = AoA Video Joiner
"avast5" = avast! Free Antivirus
"BitTornado" = BitTornado 0.3.18
"CCleaner" = CCleaner
"Celtx (2.5.1)" = Celtx (2.5.1)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Comcast Rhapsody" = Comcast Rhapsody
"dBpoweramp AIFF Codec" = dBpoweramp AIFF Codec
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dBpoweramp Ogg Vorbis Codec" = dBpoweramp Ogg Vorbis Codec
"dBpoweramp Shorten Codec" = dBpoweramp Shorten Codec
"dBpoweramp Windows Media Audio 10 Codec" = dBpoweramp Windows Media Audio 10 Codec
"DellSupport" = Dell Support 5.0.0 (630)
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"HxD Hex Editor_is1" = HxD Hex Editor version 1.7.7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MyWaySearchAssistantDE" = My Way Search Assistant
"Nero - Burning Rom!UninstallKey" = Ahead Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PeerGuardian_is1" = PeerGuardian 2.0
"PhotoScape" = PhotoScape
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Recuva" = Recuva
"SecondLife" = SecondLife (remove only)
"Speccy" = Speccy
"SpywareBlaster_is1" = SpywareBlaster 4.3
"Stella_is1" = Stella 3.1.2
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.1.0
"WAVSPLIT210_is1" = Wave Splitter 2.10
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"ZoneAlarm" = ZoneAlarm
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1784066151-926666739-2172271728-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 8/19/2010 3:56:39 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/19/2010 4:25:43 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/19/2010 4:56:43 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/19/2010 5:57:00 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/19/2010 6:56:40 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/19/2010 10:25:50 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/21/2010 3:56:39 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/21/2010 4:25:42 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/21/2010 5:56:46 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
Error - 8/21/2010 6:56:41 PM | Computer Name = GUEST | Source = Google Update | ID = 20
Description =
 
[ System Events ]
Error - 8/21/2010 12:37:07 PM | Computer Name = GUEST | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
 
Error - 8/21/2010 12:38:09 PM | Computer Name = GUEST | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.2 on the Network Card with network address 001111C440B1.
 
Error - 8/21/2010 12:38:58 PM | Computer Name = GUEST | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.2 on the Network Card with network address 001111C440B1.
 
Error - 8/21/2010 4:37:10 PM | Computer Name = GUEST | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Sprocket Service (ddoctorv2) service terminated unexpectedly. It has done this 1 time(s).
 
Error - 8/21/2010 4:55:10 PM | Computer Name = GUEST | Source = Dhcp | ID = 1002
Description = The IP address lease 67.175.218.139 for the Network Card with network address 001111C440B1 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
 
Error - 8/21/2010 4:55:49 PM | Computer Name = GUEST | Source = Service Control Manager | ID = 7000
Description = The avast! iAVS4 Control Service service failed to start due to the following error: %%3
 
Error - 8/21/2010 4:55:49 PM | Computer Name = GUEST | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2
 
Error - 8/21/2010 4:56:34 PM | Computer Name = GUEST | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.2 on the Network Card with network address 001111C440B1.
 
Error - 8/21/2010 4:56:58 PM | Computer Name = GUEST | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.2 on the Network Card with network address 001111C440B1.
 
Error - 8/21/2010 4:57:37 PM | Computer Name = GUEST | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 804f217b.
 
 
< End of report >
Title: Re: Real threat or false positive (with Avast 5)?
Post by: Pondus on August 22, 2010, 02:53:38 AM
Quote
I ran otl, and I'll post the logs here (though I'll probably have to break them up to meet the character limit).
and that is why i posted this in my reply #6

lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 02:56:34 AM
Sorry, didn't see that. I've already copy/pasted the logs; however, in case some find it easier to just read the attached .txt files, I'll put those up as well.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: YoKenny on August 22, 2010, 01:37:02 PM
Quote
I ran otl, and I'll post the logs here (though I'll probably have to break them up to meet the character limit).
and that is why i posted this in my reply #6

lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

Looks like ZeroTheHero has a lot of work to do
Quote
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Windows XP Home Edition Service Pack 2 went out of support on July 13, 2010: http://support.microsoft.com/gp/lifean31
Title: Re: Real threat or false positive (with Avast 5)?
Post by: essexboy on August 22, 2010, 01:50:23 PM
The proxy server is a loophole in your security that will need to be closed.  And getting SP3/IE8 is a must 

I will also clear the temp files as CC does not go deep enough

Run OTL
Title: Re: Real threat or false positive (with Avast 5)?
Post by: DavidR on August 22, 2010, 03:31:38 PM
@ essexboy
These proxy settings are for the web shield, yes (as Localhost port 12080 is the web shield redirect local proxy) ?
Quote
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:12080

However, that said it should only be present if set by the user I believe.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: essexboy on August 22, 2010, 03:45:19 PM
That is correct, it needs to be set by the user; in this case it is only set for one user as well, and a defunct user at that  ;D
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 22, 2010, 07:21:39 PM
I've attached the log to this post. Also, I don't know if I've said it yet, so thanks everyone for the help.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: essexboy on August 22, 2010, 10:33:07 PM
Quote
Total Files Cleaned = 46.00 mb
That cleared a bit  ;D

It also found the network temp and local service temp.  So any alerts should be gone.  Do you have any problems ?

All processes killed
========== OTL ==========
HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\guest2\My Documents\otl\cmd.bat deleted successfully.
C:\Documents and Settings\guest2\My Documents\otl\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: guest2
->Temp folder emptied: 522407 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 47929942 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 838 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: true_til_death
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 512 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 46.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: guest2
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
User: true_til_death
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore points cleared and new OTL Restore Point set!
 
OTL by OldTimer - Version 3.2.10.0 log created on 08222010_120012

Files\Folders moved on Reboot...
C:\Documents and Settings\guest2\Local Settings\Temp\~DF92E.tmp moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\ZLT02524.TMP not found!

Registry entries deleted on Reboot...
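DavidR and essexboy make a point above that is easy to get wrong when reading an OTL log: a per-user `ProxyServer` of `localhost:12080` is the avast web shield's own local redirect proxy and is benign when the user set it, but the same registry value pointing anywhere else means the browser's traffic is being routed through something that is not the AV. The fix essexboy scripted simply set `ProxyEnable` to 0 and cleared `ProxyServer` under that user's HKU hive. The following is an added example, my own code and not OTL's or essexboy's: it parses the `IE - HKU\...: "ProxyEnable"` and `"ProxyServer"` lines as OTL prints them, groups them per hive, classifies each hive's setting, and emits the equivalent `reg.exe` commands for anything that needs resetting. The sample is constructed: the two lines for SID `...-1007` are copied from the thread, while the hive ending `-1008` and the address `203.0.113.7` are invented to show what a suspicious entry looks like. The set of "known" local proxies is deliberately limited to what this thread states (port 12080); treat any other loopback port as unknown until you have confirmed which product owns it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample. The -1007 lines are quoted from the thread; the -1008 hive
# and 203.0.113.7 are invented to show a non-local (suspicious) proxy.
SAMPLE_LINES = """\
IE - HKU\\S-1-5-21-1784066151-926666739-2172271728-1007\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyEnable" = 1
IE - HKU\\S-1-5-21-1784066151-926666739-2172271728-1007\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = localhost:12080
IE - HKU\\S-1-5-21-1784066151-926666739-2172271728-1008\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyEnable" = 1
IE - HKU\\S-1-5-21-1784066151-926666739-2172271728-1008\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = 203.0.113.7:8080
"""

PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\S-1-5-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion'
    r'\\Internet Settings: "(?P<name>ProxyEnable|ProxyServer)" = (?P<value>.*)$'
)

# Local proxies a security product is known to register. The thread states that
# avast 5's web shield listens on localhost:12080; nothing else is assumed.
KNOWN_LOCAL_PROXIES = {"localhost:12080", "127.0.0.1:12080"}
LOOPBACK_RE = re.compile(r"^(?:localhost|127\.\d+\.\d+\.\d+)(?::\d+)?$", re.IGNORECASE)
IE_SETTINGS_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"


def collect(text: str) -> Dict[str, Dict[str, str]]:
    """Group the OTL proxy lines by registry hive: {hive: {name: value}}."""
    settings: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            settings.setdefault(m["hive"], {})[m["name"]] = m["value"].strip()
    return settings


def classify(server: str, enabled: bool) -> str:
    if not enabled:
        return "disabled"
    if not server:
        return "enabled but no server set: odd, review"
    # ProxyServer may list per-protocol entries: "http=host:port;https=host:port"
    hosts = [part.split("=", 1)[-1] for part in server.split(";") if part]
    if all(h.lower() in KNOWN_LOCAL_PROXIES for h in hosts):
        return "benign-if-user-set: local AV web-shield proxy"
    if all(LOOPBACK_RE.match(h) for h in hosts):
        return "review: loopback proxy on an unrecognised port"
    return "suspicious: traffic redirected through a non-local proxy"


def report(text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, ProxyServer, verdict) for every hive that has proxy lines."""
    out = []
    for hive, vals in collect(text).items():
        enabled = vals.get("ProxyEnable", "0") == "1"
        server = vals.get("ProxyServer", "")
        out.append((hive, server, classify(server, enabled)))
    return out


def reg_fix(hive: str) -> str:
    """reg.exe equivalent of the OTL change in the thread: ProxyEnable=0, ProxyServer removed.
    The HKU hive must be loaded (user logged on) for the command to reach it."""
    key = f'"{hive}\\{IE_SETTINGS_KEY}"'
    return (f"reg add {key} /v ProxyEnable /t REG_DWORD /d 0 /f && "
            f"reg delete {key} /v ProxyServer /f")


if __name__ == "__main__":
    for hive, server, verdict in report(SAMPLE_LINES):
        print(f"{hive}\n  ProxyServer={server!r}: {verdict}")
        if not verdict.startswith(("disabled", "benign")):
            print("  fix:", reg_fix(hive))
```

The same classification applies to a live system if you read the values with `reg query` instead of from a log; the point is the decision, not the parser. Note that a proxy set only in one user's hive, as here, affects only that user's browser sessions, which is why essexboy could call it a loophole for a defunct account rather than an active compromise.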
Title: Re: Real threat or false positive (with Avast 5)?
Post by: YoKenny on August 22, 2010, 10:39:08 PM
I've attached the log to this post. Also, I don't know if I've said it yet, so thanks everyone for the help.
Congratulations you have reached 20 posts. :)

Please go to PROFILE, then Modify Profile, then Forum Profile Information, and update your Signature with information like my signature, as this helps the helpers offer pertinent advice.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 23, 2010, 09:22:03 PM
I added as much info to my sig as I could. Don't really know what else to add. I got another warning this morning when I turned my computer on about two more .tmp files. I ran Dr. Web again, this time a full scan (I just did an express scan last time). It found something, but this time I looked into it and confirmed it was a false positive (the file belonged to SDFix, which I used once a long time ago).
Title: Re: Real threat or false positive (with Avast 5)?
Post by: essexboy on August 23, 2010, 09:29:24 PM
Could you update to IE8 (https://www.microsoft.com/uk/windows/internet-explorer/worldwide-sites.aspx) then, once installed,
go to Tools > Internet Options > Advanced > Security and place a check mark against "Empty Temporary Internet Files folder when browser is closed"
Title: Re: Real threat or false positive (with Avast 5)?
Post by: YoKenny on August 23, 2010, 10:23:45 PM
Could you update to IE8 (https://www.microsoft.com/uk/windows/internet-explorer/worldwide-sites.aspx) then, once installed,
go to Tools > Internet Options > Advanced > Security and place a check mark against "Empty Temporary Internet Files folder when browser is closed"
+1

Quote
Stay Safer Online
The Internet has enhanced our lives in nearly every way. However, as more of the things we do every day depend on the Internet, online crime has risen in turn.

Cybercriminals are using increasingly sophisticated and deceptive methods such as:

Malware - software that a cybercriminal can use to steal your bank account information, track everything you type, send out malicious software or spam, or harm your computer.

Phishing - an attack where a cybercriminal pretends to be a legitimate organization, such as your bank, in order to deceive you into giving up personal information such as credit card numbers and account information.
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx

Quote
Increased performance
Internet Explorer 8 includes many performance improvements that contribute to a faster, more responsive web browsing experience in the areas that matter most. Internet Explorer 8 starts quickly, loads pages fast and instantly gets you started on what you want to do next by using a powerful new tab page. In addition, the script engine in Internet Explorer 8 is significantly faster than in previous versions, minimizing the load time for webpages based on JavaScript or Asynchronous JavaScript and XML (AJAX).
http://www.microsoft.com/windows/internet-explorer/features/faster.aspx
Title: Re: Real threat or false positive (with Avast 5)?
Post by: ZeroTheHero on August 23, 2010, 11:37:55 PM
Thanks again for the responses. I never use IE, so I don't know if I want to take the time to update it. I've used Firefox for a few years now, and that's up to date. I also have Safari and Chrome, though I don't use Safari (it was on the computer already when I got it from a relative), and I rarely use Chrome.
Title: Re: Real threat or false positive (with Avast 5)?
Post by: YoKenny on August 24, 2010, 02:47:10 PM
You do not have to use IE, but it is the basic part of the Windows Shell.
Quote
Windows Explorer is a file manager application that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the monitor such as the taskbar and desktop. Controlling the computer is possible without Windows Explorer running (for example, the File | Run command in Task Manager on NT-derived versions of Windows will function without it, as will commands typed in a command prompt window). It is sometimes referred to as the Windows Shell, explorer.exe, or simply “Explorer”.
http://en.wikipedia.org/wiki/Windows_Explorer
Title: Re: Real threat or false positive (with Avast 5)?
Post by: CharleyO on August 24, 2010, 06:18:03 PM
***

You do not have to use IE, but it is the basic part of the Windows Shell.
Quote
Windows Explorer is a file manager application that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the monitor such as the taskbar and desktop. Controlling the computer is possible without Windows Explorer running (for example, the File | Run command in Task Manager on NT-derived versions of Windows will function without it, as will commands typed in a command prompt window). It is sometimes referred to as the Windows Shell, explorer.exe, or simply “Explorer”.
http://en.wikipedia.org/wiki/Windows_Explorer

Which means IE needs to be updated.


***
Title: Re: Real threat or false positive (with Avast 5)?
Post by: YoKenny on August 24, 2010, 09:53:43 PM

Which means IE needs to be updated.
You Got It Pontiac
http://www.youtube.com/watch?v=sFf0Lq_k19Q
Title: Re: Real threat or false positive (with Avast 5)?
Post by: johnk4 on September 26, 2010, 12:40:57 AM
I presume you sorted this out but for the benefit of other Avast users -- I had the same problem (file alerts with files in the format dBP*.tmp).

I guessed they were temp files created by the ripping program dBpoweramp (http://www.dbpoweramp.com/) -- confirmed by the author: http://forum.dbpoweramp.com/showthread.php?t=22043
Title: Re: Real threat or false positive (with Avast 5)?
Post by: akama1 on September 26, 2010, 05:53:58 AM
Hey, what did the behaviour shield alert look like?