Author Topic: Real threat or false positive (with Avast 5)?  (Read 19658 times)


ZeroTheHero
Real threat or false positive (with Avast 5)?
« on: August 20, 2010, 08:54:05 PM »
Recently updated to Avast 5 and several times now on different days my behavior shield has alerted me about suspicious files, and so far I've chosen to delete them and left the box checked to send the files to Avast, but I'm still getting these messages and each time the file name is just slightly different. Here are the file names:
C:\DOCUME~1\guest2\LOCALS~1\Temp\dBP21.tmp
(the rest are all the same except for the last part of the file name)
\dBPBA.tmp
\dBP1B.tmp
There were two more but I scribbled them quickly and it's not really legible, but they do begin with dBP. After deleting them I checked the virus vault to see if they were sent there, but the vault is empty. I tried finding the folder where these files originated, being sure to choose to "show hidden files and folders". I assumed DOCUME~1 was the Documents and Settings folder and LOCALS~1 was the LocalService folder, but there was no TEMP folder located there. I clicked on the Local Settings folder located in LocalService and found a Temp folder, which led me to three more folders, two of which in turn contain more folders. After much searching I can't find any .tmp files in these folders, much less .tmp files with names that begin with dBP. I used the search function to look for files with dBP in their file names but didn't come up with anything that looked like these .tmp files. I've also begun to wonder if these files could be related to dBpoweramp, which is a utility to convert audio files to different formats. I've had this program for years without problems, and from all I've seen the company is legit. I've run both a full system scan and boot-time scan with Avast, as well as full scans with MBAM and SuperAntiSpyware, and haven't found anything. Should I write this off as Avast being paranoid and alerting me about files that aren't really a problem?
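The alert path is written with DOS 8.3 aliases, and the same alias can stand for different folders depending on the directory it appears in: directly under Documents and Settings, LOCALS~1 is the LocalService profile, but inside a user profile it is that user's Local Settings folder. The Python below is an added example (not from the thread, not an Avast or Windows tool): it reproduces the documented rule Windows uses to build these aliases (first six characters of the name with spaces removed, upper-cased, plus a ~N tail handed out in creation order) and expands the alerted path against a constructed directory listing. The folder names and their order in LISTINGS are assumptions made for the example; on a live machine `dir /x` or GetLongPathName gives the real mapping.

```python
import re

# Characters a long name may contain that an 8.3 alias must drop.
_ILLEGAL = re.compile(r"[\s+,;=\[\]]")
# A name that already satisfies 8.3 keeps itself as its alias.
_VALID_83 = re.compile(r"^[^\s+,;=\[\].]{1,8}(\.[^\s+,;=\[\].]{1,3})?$")


def short_names(long_names):
    """Map each entry of one directory to its probable 8.3 alias.

    `long_names` must be in creation order: the numeric tail ~1, ~2, ... is
    handed out in that order, which is why a log can show MICROS~4 for one
    of several Microsoft* folders under Program Files.
    """
    used = set()
    aliases = {}
    for name in long_names:
        if _VALID_83.match(name):
            alias = name
        else:
            base, dot, ext = name.rpartition(".")
            if not dot:
                base, ext = name, ""
            stem = _ILLEGAL.sub("", base).replace(".", "").upper()[:6]
            suffix = _ILLEGAL.sub("", ext).upper()[:3]
            suffix = "." + suffix if suffix else ""
            for n in range(1, 5):
                alias = f"{stem}~{n}{suffix}"
                if alias.upper() not in used:
                    break
            else:
                # After ~4 Windows switches to a hash-based tail, not modelled here.
                raise ValueError(f"{name!r}: too many collisions for the ~N form")
        used.add(alias.upper())
        aliases[name] = alias
    return aliases


def expand(short_path, listings):
    """Expand a DOS-style path one component at a time.

    `listings` maps a long directory path to the names it holds in creation
    order. It stands in for walking the real disk (GetLongPathName or
    `dir /x` on a live system); components with no listing are kept as is.
    """
    drive, _, rest = short_path.partition("\\")
    long_path = drive
    for comp in rest.split("\\"):
        by_alias = {a.upper(): n for n, a in short_names(listings.get(long_path, [])).items()}
        long_path = long_path + "\\" + by_alias.get(comp.upper(), comp)
    return long_path


# Constructed listing of an XP system drive (names and order are assumptions).
LISTINGS = {
    r"C:": ["Documents and Settings", "Program Files", "WINDOWS"],
    r"C:\Documents and Settings": [
        "Administrator", "All Users", "Default User",
        "LocalService", "NetworkService", "guest2",
    ],
    r"C:\Documents and Settings\guest2": [
        "Application Data", "Cookies", "Desktop", "Favorites",
        "Local Settings", "My Documents", "Start Menu",
    ],
    r"C:\Documents and Settings\guest2\Local Settings": [
        "Application Data", "History", "Temp", "Temporary Internet Files",
    ],
    r"C:\Program Files": [
        "Alwil Software", "Microsoft Works", "Microsoft Money",
        "Microsoft Picture It!", "Microsoft Office", "Spybot - Search & Destroy",
    ],
}

if __name__ == "__main__":
    for p in (r"C:\DOCUME~1\guest2\LOCALS~1\Temp\dBP21.tmp", r"C:\DOCUME~1\LOCALS~1"):
        print(p, "->", expand(p, LISTINGS))
    for n, a in short_names(LISTINGS[r"C:\Program Files"]).items():
        print(f"{a:12} {n}")
```

With this listing the alerted path expands to the user's own Local Settings\Temp, which is the directory a temp-file cleaner empties, and a transient file there will not be found by a later search once the creating process has removed it.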

Pondus
Re: Real threat or false positive (with Avast 5)?
« Reply #1 on: August 20, 2010, 09:15:01 PM »
Try this, and see if the problem goes away. Tell us if it worked.

TFC - Temp File Cleaner by OldTimer (it will clean ALL and ONLY temp files)
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #2 on: August 20, 2010, 11:11:15 PM »
Thanks for the reply. I ran that program and it cleaned out about 500MB of junk. It'll probably be a couple incident-free days before I'd feel comfortable saying the problem is cleared up, but if nothing else at least I freed up a lot of space. And here I was thinking Ccleaner was getting rid of all the junk.

Pondus
Re: Real threat or false positive (with Avast 5)?
« Reply #3 on: August 20, 2010, 11:18:30 PM »
CCleaner is very good, cleans lots of stuff, but TFC is a specialized tool for temp file cleaning. I think one of the malware experts at geekstogo made it... maybe Essexboy can tell us?

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #4 on: August 21, 2010, 03:20:21 AM »
Well, I'm back. Another alert from avast, this time the file is named dBP96.tmp. Here's the full text of the message: "Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis." This time, before I deleted it I did a search for the file name and again came back with nothing. So I'm getting an alert about a file that the search can't even find on my computer.

Lisandro (Avast team)
Re: Real threat or false positive (with Avast 5)?
« Reply #5 on: August 21, 2010, 03:32:36 AM »
It's a temporary file (most probably infected) that is randomly generated by the malware vector.
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then re-enable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.

Pondus
Re: Real threat or false positive (with Avast 5)?
« Reply #6 on: August 21, 2010, 11:32:02 AM »
If Tech's suggestions do not work, the next thing to try is Essexboy's tricks.

Follow this guide from Essexboy and post the logs here:
http://forum.avast.com/index.php?topic=53253.0

Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log).

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #7 on: August 21, 2010, 11:22:13 PM »
Last night I ran Panda Activescan and it was clean. This morning I ran Spybot S&D and it was also clean. After I checked the responses here, I followed most of Tech's suggestions. I cleared my temp files again, then ran a Dr. Web express scan (which wasn't so express at two and a half hours). It found two suspicious files. I thought it might be a false positive given that they were in a folder for Comcast Desktop Doctor, which is a legit program, but to be on the safe side I quarantined these files:
sprtsync.dll
sprtupdate.dll
I ran a Trend Micro RootkitBuster scan, which came back clean. I also disabled and re-enabled system restore. I already have SpywareBlaster installed.  I then tried to do another MBAM scan, but when I came back to my computer to check on the progress, the screen was black and there was this thing floating around telling me that the monitor was working and I should check the video connection. I checked my monitor connection and everything was fine.  The Num Lock button on my keyboard was lit, and I could hear the computer's fan running, but I just had this black screen with that message. The only thing I could think to do was to unplug the computer and then plug it back in. When it started I got a message saying that my computer had recovered from a serious error. It gave me the option to send an error report to Microsoft, which I did, and then it took me to this page, "Troubleshoot a problem with a device driver":
http://tinyurl.com/2at7t6j
I'm going to try running MBAM again, hoping the error doesn't happen again. In the meantime, here's my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:19 PM, on 8/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\guest2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://www.pcrecruiter.net/pcrimg/PCRHTML.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate1c9c2bb298f7cc4) (gupdate1c9c2bb298f7cc4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6784 bytes

essexboy (Malware removal instructor)
Re: Real threat or false positive (with Avast 5)?
« Reply #8 on: August 21, 2010, 11:25:54 PM »
Hi, you have a hijacked proxy, plus there may well be something else hiding.

OTL - Download or alternative link here and here to your desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.
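essexboy's "hijacked proxy" call comes from a single R1 line in the HijackThis log posted above, and the same log holds the other entry classes a reviewer scans first: autostarts from user-writable directories, registry entries pointing at missing files, downloaded ActiveX controls and Winlogon Notify DLLs. The Python below is an added example, not from the thread and not part of the HijackThis tool: it runs those review rules over an excerpt of the posted log. The rules are the editor's and deliberately noisy. SUPERAntiSpyware's Winlogon hook and Google Update starting from the profile directory are legitimate and still surface, because the output is a list to check against what is known to be installed, not a verdict.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\guest2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://www.pcrecruiter.net/pcrimg/PCRHTML.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Every HJT entry is "<section code> - <body>".
_ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")
# Autostart paths under a user-writable tree deserve a look even when benign.
_USER_WRITABLE = re.compile(r"\\(Temp|Application Data)\\", re.I)


def parse_hjt(text):
    """Return (section code, body) pairs for every R/O entry in a HJT log."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply review rules; each hit says why a human should look at the entry."""
    findings = []

    def flag(code, why, body):
        findings.append({"code": code, "why": why, "entry": body})

    for code, body in entries:
        if code == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            flag(code, f"browser proxy is {proxy}: a local port is either a "
                       "filtering product or a traffic hijack; confirm which", body)
        elif code == "O4" and _USER_WRITABLE.search(body):
            flag(code, "autostart from a user-writable directory", body)
        elif code == "O4" and body.endswith("= ?"):
            flag(code, "startup shortcut whose target HijackThis could not resolve", body)
        elif code in ("O9", "O23") and ("(no file)" in body or "(file missing)" in body):
            flag(code, "entry points at a missing file: orphan, or a payload hidden or removed", body)
        elif code == "O16":
            flag(code, "downloaded ActiveX control (DPF): confirm the origin", body)
        elif code == "O20":
            flag(code, "Winlogon Notify DLL loads before the desktop: verify the vendor", body)
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['code']:<4} {f['why']}\n     {f['entry']}")
```

On the excerpt the two O23 avast lines behave differently on purpose: the Avast4 updater service is flagged because its binary is gone, while the Avast5 service with a present, vendor-signed file is not. Whether a flagged proxy is malicious is decided by who set it, which is what the follow-up in this thread establishes.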

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #9 on: August 22, 2010, 02:30:34 AM »
I was able to run MBAM, and it didn't find anything. To essexboy: I was wondering if you meant (when you said I had a hijacked proxy) the bit in the log where it says "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080". IIRC that stems from a time when I had an old version of ZoneAlarm that conflicted with Avast's invisible proxy, and after searching around I found a workaround by using the "12080" proxy. Since then I've updated ZoneAlarm and have gone back to using no proxy. Again, I'm not even sure if that's what you meant. I ran otl, and I'll post the logs here (though I'll probably have to break them up to meet the character limit). You'll notice that the times on the logs don't match. The first time I ran the scan both reports opened, and after I closed them I couldn't find them again, so I ran the scan again, but this time only a new "otl" report was created, and not the "extras" report. I ran the scan a third time thinking I must've done something wrong, but again only an "otl" file was created. I did eventually find the "extras" file from the first scan however, so I'm posting that along with the "otl" report from the third scan.

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #10 on: August 22, 2010, 02:38:16 AM »
OTL, part 1

OTL logfile created on: 8/21/2010 7:06:26 PM - Run 3
OTL by OldTimer - Version 3.2.10.0     Folder = C:\Documents and Settings\guest2\My Documents\otl
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
510.00 Mb Total Physical Memory | 80.00 Mb Available Physical Memory | 16.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.50 Gb Total Space | 13.57 Gb Free Space | 18.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: GUEST
Current User Name: guest2
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010/08/21 18:35:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\guest2\My Documents\otl\OTL.exe
PRC - [2010/07/24 11:32:06 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/28 15:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
PRC - [2010/06/23 13:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/14 16:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/10/04 15:50:20 | 000,917,611 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell Wireless\PRISMCFG.exe
PRC - [2004/10/04 15:10:16 | 000,327,769 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\SYSTEM32\PRISMSVR.exe
PRC - [2003/10/29 03:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/08/21 18:35:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\guest2\My Documents\otl\OTL.exe
MOD - [2007/04/19 14:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 06:00:00 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\MSVCP60.DLL
MOD - [2004/08/04 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\MSSCRIPT.OCX
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/09/03 11:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2004/10/04 15:12:50 | 000,057,344 | ---- | M] (Conexant Systems, Inc.) [Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\PRISMSVC.exe -- (PRISMSVC)

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #11 on: August 22, 2010, 02:39:15 AM »
OTL, part 2

========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\guest2\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\vsdatant.sys -- (vsdatant)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/04/18 10:25:13 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\PalmUSBD.sys -- (PalmUSBD)
DRV - [2004/09/26 20:42:00 | 000,345,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\PRISMA02.sys -- (DELL_A02)
DRV - [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004/08/13 03:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
DRV - [2004/08/13 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/08/13 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/08/13 02:05:00 | 000,086,202 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/08/13 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/08/13 02:05:00 | 000,025,723 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/08/13 02:05:00 | 000,014,715 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/08/13 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/08/13 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/08/13 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/08/04 04:21:00 | 000,087,136 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)
DRV - [2004/07/14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

ZeroTheHero
Re: Real threat or false positive (with Avast 5)?
« Reply #12 on: August 22, 2010, 02:41:43 AM »
OTL, part 3

========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:12080
 
========== FireFox ==========
 
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.comcast.net"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}:1.0.1
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.12.0.36949
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.10
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: firegestures@xuldev.org:1.5.7
FF - prefs.js..extensions.enabledItems: {10187899-7ffe-4f9a-b9d2-35fdb3b49690}:0.6.3
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.2.3
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..extensions.enabledItems: {e8f509f0-b677-11de-8a39-0800200c9a66}:1.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.6.6
FF - prefs.js..extensions.enabledItems: bloodfire@example.com:3.6
FF - prefs.js..extensions.enabledItems: {241aae70-0022-11de-87af-0800200c9a66}:3.6.30.01.10
FF - prefs.js..extensions.enabledItems: chromifox@altmusictv.com:3.6.5
FF - prefs.js..extensions.enabledItems: {de5809e0-2b07-11dd-bd0b-0800200c9a66}:1.2.0
FF - prefs.js..extensions.enabledItems: nasanightlaunch@example.com:0.6.20100805
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 12080
FF - prefs.js..network.proxy.type: 0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/14 21:20:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/21 11:15:29 | 000,000,000 | ---D | M]

ZeroTheHero

  • Guest
Re: Real threat or false positive (with Avast 5)?
« Reply #13 on: August 22, 2010, 02:42:38 AM »
OTL, part 4

[2009/11/18 18:23:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Extensions
[2009/11/18 18:23:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Extensions\celtx@celtx.com
[2010/08/21 11:23:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions
[2010/03/25 19:22:12 | 000,000,000 | ---D | M] (Screengrab) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/02/05 12:28:28 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/03/05 16:07:46 | 000,000,000 | ---D | M] (Auto Copy) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2010/04/30 19:45:00 | 000,000,000 | ---D | M] (IMDb Preview) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{10187899-7ffe-4f9a-b9d2-35fdb3b49690}
[2010/01/31 16:55:27 | 000,000,000 | ---D | M] (Blue Fox) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{241aae70-0022-11de-87af-0800200c9a66}
[2009/10/15 10:30:27 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/03/17 19:47:43 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/08/12 20:31:59 | 000,000,000 | ---D | M] (Aero Fox Silver XL) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}
[2010/08/21 11:23:28 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/07/27 09:31:41 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/08/14 21:22:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}
[2010/08/18 13:29:46 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/06/17 14:57:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/05/29 21:27:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/04/08 12:45:08 | 000,000,000 | ---D | M] (Gradient iCool) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2009/09/11 11:08:03 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/05/22 18:27:02 | 000,000,000 | ---D | M] (Web2PDF converter) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{e8f509f0-b677-11de-8a39-0800200c9a66}
[2010/04/15 07:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\bloodfire@example.com
[2010/03/05 16:07:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\chromifox@altmusictv.com
[2010/04/16 14:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\firegestures@xuldev.org
[2010/07/24 11:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\https-everywhere@eff.org
[2010/08/10 16:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\nasanightlaunch@example.com
[2010/06/25 23:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\netvideohunter@netvideohunter.com
[2009/07/09 13:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\omiazad@msn.com
[2010/04/14 00:18:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\personas@christopher.beard
[2009/04/20 18:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\perspectives@cmu.edu
[2010/06/18 20:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\piclens@cooliris.com
[2010/08/04 16:33:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\smarterwiki@wikiatic.com
[2010/08/12 20:31:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\mac\mozapps\extensions
[2010/08/12 20:31:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\mozapps\extensions
[2010/08/18 20:03:36 | 000,001,546 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\allmusic---google.xml
[2010/08/18 20:03:38 | 000,005,100 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\box-office-mojo.xml
[2009/09/02 10:42:59 | 000,002,758 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\cuil.xml
[2009/04/20 18:56:34 | 000,000,931 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\dictionary.xml
[2009/04/20 18:56:21 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\imdb.xml
[2010/08/18 20:03:38 | 000,001,942 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\mycroft-project.xml
[2010/08/14 23:30:20 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\scroogle-1.xml
[2010/05/20 09:27:41 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\scroogle.xml
[2010/08/17 16:07:48 | 000,002,314 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\songmeanings---artist.xml
[2010/08/14 23:30:20 | 000,002,320 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\songmeanings---song-title.xml
[2009/12/30 10:37:11 | 000,002,013 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\urban-dictionary.xml
[2009/04/20 18:55:51 | 000,000,705 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\webster.xml
[2009/04/20 19:51:11 | 000,001,032 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\wikipedia-eng.xml
[2009/05/30 09:40:25 | 000,000,945 | ---- | M] () -- C:\Documents and Settings\guest2\Application Data\Mozilla\Firefox\Profiles\vhxfryq9.default\searchplugins\youtube-video-search.xml
[2010/08/21 11:23:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/27 13:40:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/27 13:39:49 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

ZeroTheHero

  • Guest
Re: Real threat or false positive (with Avast 5)?
« Reply #14 on: August 22, 2010, 02:43:25 AM »
OTL, part 5

O1 HOSTS File: ([2010/08/20 10:09:24 | 000,416,778 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14388 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\SYSTEM32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe (Dell Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1784066151-926666739-2172271728-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} http://www.pcrecruiter.net/pcrimg/PCRHTML.CAB (PCRHTML3.HTML1)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\DELL.BMP
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*