"XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sat Feb 27, 2010 12:32 am

Can you help? I've had no success...no money for good programs...I'm almost bawling...please help...

PanzerschreckLeopard, Intermediate | Posts: 72 | Joined: 2010-02-01 | Gender: Male | OS: Windows XP | Points: 25587 | Likes: 0

Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sat Feb 27, 2010 8:34 pm

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Belahzur, Administrator | Posts: 34916 | Joined: 2008-08-03 | Gender: Male | OS: XP SP3 Media Centre | Points: 245049 | Likes: 1

Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 12:05 am

OTL.Txt

OTL logfile created on: 2/27/2010 6:56:11 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 401.36 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-B76099523F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/27 18:55:29 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2010/02/26 17:45:34 | 000,186,368 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
PRC - [2010/01/21 18:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/12/11 16:17:03 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/12/11 16:16:55 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/12/08 10:32:18 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/12/08 10:32:14 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/12/08 10:32:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/10/03 04:08:38 | 000,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/13 18:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 18:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/09/25 01:11:35 | 000,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007/08/15 02:49:26 | 000,063,040 | ---- | M] () -- C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
PRC - [2006/07/13 00:33:14 | 000,053,248 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
PRC - [2006/07/13 00:22:50 | 000,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
PRC - [2006/04/17 12:42:14 | 000,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2006/04/17 12:41:24 | 000,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2006/03/23 20:17:50 | 000,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/03/23 20:13:40 | 000,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/10/14 14:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2003/10/31 20:42:40 | 000,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe


========== Modules (SafeList) ==========

MOD - [2010/02/27 18:55:29 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/21 18:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/01/18 14:14:24 | 001,141,712 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/12/11 16:16:55 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/12/09 15:23:34 | 000,365,280 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/12/08 10:32:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/15 02:49:26 | 000,063,040 | ---- | M] () [Auto | Running] -- C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe -- (PnkBstrA)
SRV - [2006/04/17 12:42:14 | 000,311,296 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)


========== Driver Services (SafeList) ==========

DRV - [2010/01/30 23:07:49 | 000,012,400 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2009/12/08 10:32:18 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/12/08 10:32:18 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/09/29 17:17:44 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/09/29 16:22:24 | 000,021,419 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2008/08/28 16:52:36 | 000,627,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2008/04/15 13:45:46 | 000,519,168 | ---- | M] (Atheros Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WlanGZXP.SYS -- (ZG760_XP)
DRV - [2008/04/15 13:45:46 | 000,020,736 | ---- | M] (ZDC., Inc. (ZDC)) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ZDCndis5.sys -- (ZDCNDIS5)
DRV - [2008/04/15 13:45:44 | 000,020,608 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BRGSp50.sys -- (BRGSp50)
DRV - [2008/04/14 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/05/10 15:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/03/23 20:47:06 | 001,166,972 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/03/22 11:08:40 | 000,260,224 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://z4.invisionfree.com/Happy_Tree_Forums/index.php"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/21 16:06:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/21 16:06:58 | 000,000,000 | ---D | M]

[2009/12/08 15:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/02/26 19:23:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\extensions
[2009/12/08 16:04:09 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/08 15:45:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/02 14:47:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL G-202\ZyXEL G-202.exe (ZyXEL Communications Corp.)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/25 12:12:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/26 18:03:38 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/02/26 18:03:37 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/02/26 18:03:37 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/02/26 18:03:37 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/02/26 18:01:28 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/26 18:01:12 | 000,207,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/02/26 18:01:12 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/02/26 18:01:02 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/26 18:00:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/26 18:00:56 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/02/26 18:00:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\PC Tools
[2010/02/26 18:00:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/02/26 18:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/20 00:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010/02/20 00:17:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/20 00:17:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/19 23:53:02 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/02/19 23:48:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/02 15:41:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/02 14:50:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/02 10:17:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Old RP's
[2010/02/02 09:53:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/02 09:51:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/02 09:51:47 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/02 09:51:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/02 09:51:47 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/02 09:51:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/02 09:43:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/01/31 23:44:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Microsoft Games
[2010/01/31 23:40:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Games
[2010/01/31 23:35:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games
[2009/12/16 06:01:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/09/29 17:17:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/09/29 17:07:20 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/09/29 17:07:20 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/27 18:53:43 | 000,010,986 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\SlfBpB8
[2010/02/27 18:53:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/27 18:52:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/27 18:52:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/26 19:38:37 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010/02/26 19:38:37 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/02/26 18:53:29 | 056,305,693 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/26 18:01:05 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/02/26 17:55:13 | 000,000,330 | ---- | M] () -- C:\Documents and Settings\User\My Documents\exefix.reg
[2010/02/26 17:49:00 | 000,021,391 | ---- | M] () -- C:\Documents and Settings\User\My Documents\20. Were Leopard Pan.odt
[2010/02/26 17:45:34 | 000,186,368 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
[2010/02/26 16:36:40 | 000,026,577 | ---- | M] () -- C:\Documents and Settings\User\My Documents\9. Feral 2.odt
[2010/02/25 20:53:54 | 000,028,562 | ---- | M] () -- C:\Documents and Settings\User\My Documents\8. Feral Level.odt
[2010/02/25 16:49:28 | 000,021,021 | ---- | M] () -- C:\Documents and Settings\User\My Documents\18. General.odt
[2010/02/23 22:49:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/23 16:36:31 | 000,018,243 | ---- | M] () -- C:\Documents and Settings\User\My Documents\19. Pet.odt
[2010/02/21 14:14:20 | 000,023,142 | ---- | M] () -- C:\Documents and Settings\User\My Documents\17. Li's Mind.odt
[2010/02/20 22:47:13 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/20 17:25:21 | 000,021,554 | ---- | M] () -- C:\Documents and Settings\User\My Documents\16. Another new.odt
[2010/02/20 00:11:22 | 000,000,528 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/20 00:11:22 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/20 00:11:22 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/19 19:52:34 | 000,022,411 | ---- | M] () -- C:\Documents and Settings\User\My Documents\15. New Character.odt
[2010/02/18 18:01:18 | 000,016,805 | ---- | M] () -- C:\Documents and Settings\User\My Documents\14. Rita Vores.odt
[2010/02/17 18:54:15 | 000,022,181 | ---- | M] () -- C:\Documents and Settings\User\My Documents\13. Li's Insanity.odt
[2010/02/16 18:11:42 | 000,023,564 | ---- | M] () -- C:\Documents and Settings\User\My Documents\12. Rita Visits.odt
[2010/02/14 17:06:06 | 000,024,972 | ---- | M] () -- C:\Documents and Settings\User\My Documents\un.odt
[2010/02/14 16:52:57 | 000,020,968 | ---- | M] () -- C:\Documents and Settings\User\My Documents\11. Weapons.odt
[2010/02/13 22:07:49 | 001,580,722 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/02/13 19:57:47 | 000,014,967 | ---- | M] () -- C:\Documents and Settings\User\My Documents\10. Sleep Vore.odt
[2010/02/13 12:04:12 | 000,020,192 | ---- | M] () -- C:\Documents and Settings\User\My Documents\conversation.odt
[2010/02/11 16:53:38 | 000,014,128 | ---- | M] () -- C:\Documents and Settings\User\My Documents\7. Kody.odt
[2010/02/11 16:40:06 | 000,014,133 | ---- | M] () -- C:\Documents and Settings\User\My Documents\6. Li's Preg AGAIN.odt
[2010/02/10 16:36:06 | 000,017,991 | ---- | M] () -- C:\Documents and Settings\User\My Documents\5. Li and Laya Inflation.odt
[2010/02/09 21:17:35 | 000,000,129 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/09 16:42:32 | 000,020,462 | ---- | M] () -- C:\Documents and Settings\User\My Documents\4. Charlie & Ferals.odt
[2010/02/07 13:37:20 | 000,023,264 | ---- | M] () -- C:\Documents and Settings\User\My Documents\3. The Thing.odt
[2010/02/06 14:01:05 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Forgotten Hope.lnk
[2010/02/05 19:56:55 | 000,023,690 | ---- | M] () -- C:\Documents and Settings\User\My Documents\2. Rita School Again.odt
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/03 16:45:21 | 000,020,821 | ---- | M] () -- C:\Documents and Settings\User\My Documents\2. Rita School.odt
[2010/02/02 16:48:42 | 000,017,135 | ---- | M] () -- C:\Documents and Settings\User\My Documents\1. Pan and Jayde.odt
[2010/02/02 14:51:28 | 000,023,372 | ---- | M] () -- C:\Documents and Settings\User\My Documents\ComboFix report2.odt
[2010/02/02 14:47:10 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/02 14:40:31 | 003,843,928 | R--- | M] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2010/02/02 10:57:16 | 000,014,304 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/02 10:17:06 | 000,023,747 | ---- | M] () -- C:\Documents and Settings\User\My Documents\ComboFix report.odt
[2010/01/31 23:43:49 | 000,001,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zoo Tycoon 2 Endangered Species.lnk
[2010/01/30 23:07:49 | 000,012,400 | ---- | M] (Macrovision Europe Ltd) -- C:\WINDOWS\System32\drivers\secdrv.sys
[2010/01/30 19:55:15 | 000,000,297 | ---- | M] () -- C:\WINDOWS\EReg072.dat
[2010/01/30 14:14:40 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys

========== Files Created - No Company Name ==========

[2010/02/26 18:03:38 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/02/26 18:03:38 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/26 18:03:38 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/02/26 18:03:38 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/02/26 18:03:38 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/02/26 18:03:38 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/02/26 18:01:28 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/02/26 18:01:12 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/02/26 18:01:12 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/02/26 18:01:05 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/02/26 18:01:02 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/02/26 17:55:13 | 000,000,330 | ---- | C] () -- C:\Documents and Settings\User\My Documents\exefix.reg
[2010/02/26 17:48:59 | 000,021,391 | ---- | C] () -- C:\Documents and Settings\User\My Documents\20. Were Leopard Pan.odt
[2010/02/26 17:45:35 | 000,010,986 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\SlfBpB8
[2010/02/26 17:45:34 | 000,186,368 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
[2010/02/23 16:36:30 | 000,018,243 | ---- | C] () -- C:\Documents and Settings\User\My Documents\19. Pet.odt
[2010/02/22 16:36:12 | 000,021,021 | ---- | C] () -- C:\Documents and Settings\User\My Documents\18. General.odt
[2010/02/21 12:18:42 | 000,023,142 | ---- | C] () -- C:\Documents and Settings\User\My Documents\17. Li's Mind.odt
[2010/02/20 11:13:25 | 000,021,554 | ---- | C] () -- C:\Documents and Settings\User\My Documents\16. Another new.odt
[2010/02/19 17:40:30 | 000,022,411 | ---- | C] () -- C:\Documents and Settings\User\My Documents\15. New Character.odt
[2010/02/18 17:17:37 | 000,016,805 | ---- | C] () -- C:\Documents and Settings\User\My Documents\14. Rita Vores.odt
[2010/02/17 16:45:04 | 000,022,181 | ---- | C] () -- C:\Documents and Settings\User\My Documents\13. Li's Insanity.odt
[2010/02/14 20:03:02 | 000,023,564 | ---- | C] () -- C:\Documents and Settings\User\My Documents\12. Rita Visits.odt
[2010/02/14 13:08:39 | 000,020,968 | ---- | C] () -- C:\Documents and Settings\User\My Documents\11. Weapons.odt
[2010/02/14 12:45:09 | 000,024,972 | ---- | C] () -- C:\Documents and Settings\User\My Documents\un.odt
[2010/02/13 19:57:46 | 000,014,967 | ---- | C] () -- C:\Documents and Settings\User\My Documents\10. Sleep Vore.odt
[2010/02/13 14:03:42 | 000,026,577 | ---- | C] () -- C:\Documents and Settings\User\My Documents\9. Feral 2.odt
[2010/02/13 10:44:47 | 000,020,192 | ---- | C] () -- C:\Documents and Settings\User\My Documents\conversation.odt
[2010/02/12 17:37:10 | 000,028,562 | ---- | C] () -- C:\Documents and Settings\User\My Documents\8. Feral Level.odt
[2010/02/11 16:53:38 | 000,014,128 | ---- | C] () -- C:\Documents and Settings\User\My Documents\7. Kody.odt
[2010/02/11 16:40:05 | 000,014,133 | ---- | C] () -- C:\Documents and Settings\User\My Documents\6. Li's Preg AGAIN.odt
[2010/02/10 16:36:05 | 000,017,991 | ---- | C] () -- C:\Documents and Settings\User\My Documents\5. Li and Laya Inflation.odt
[2010/02/09 21:17:35 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/08 16:54:13 | 000,020,462 | ---- | C] () -- C:\Documents and Settings\User\My Documents\4. Charlie & Ferals.odt
[2010/02/06 14:01:53 | 000,023,264 | ---- | C] () -- C:\Documents and Settings\User\My Documents\3. The Thing.odt
[2010/02/06 14:01:05 | 000,001,757 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Forgotten Hope.lnk
[2010/02/04 16:46:34 | 000,023,690 | ---- | C] () -- C:\Documents and Settings\User\My Documents\2. Rita School Again.odt
[2010/02/03 13:57:23 | 000,020,821 | ---- | C] () -- C:\Documents and Settings\User\My Documents\2. Rita School.odt
[2010/02/02 14:51:28 | 000,023,372 | ---- | C] () -- C:\Documents and Settings\User\My Documents\ComboFix report2.odt
[2010/02/02 14:37:15 | 003,843,928 | R--- | C] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2010/02/02 14:34:53 | 000,017,135 | ---- | C] () -- C:\Documents and Settings\User\My Documents\1. Pan and Jayde.odt
[2010/02/02 10:17:06 | 000,023,747 | ---- | C] () -- C:\Documents and Settings\User\My Documents\ComboFix report.odt
[2010/02/02 09:53:29 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/02 09:53:23 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/02 09:51:47 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/02 09:51:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/02 09:51:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/02 09:51:47 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/02 09:51:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/31 23:43:49 | 000,001,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zoo Tycoon 2 Endangered Species.lnk
[2010/01/30 19:55:15 | 000,000,297 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2009/12/19 12:59:06 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/08 20:20:20 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/12/05 21:10:55 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/12/05 15:33:34 | 000,000,580 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/12/03 19:01:36 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/12/03 19:01:36 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/12/03 16:04:39 | 000,000,248 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2009/12/03 16:04:36 | 000,000,076 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2007/06/19 09:59:36 | 000,070,400 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2007/04/20 08:57:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2006/01/30 07:42:22 | 000,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2002/11/13 02:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 12:06 am

Extras.Txt

OTL Extras logfile created on: 2/27/2010 6:56:11 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 401.36 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-B76099523F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = secfile] -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe ()
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\ZyXEL G-202\ZyXEL G-202.exe" = C:\Program Files\ZyXEL G-202\ZyXEL G-202.exe:*:Disabled:ZyXEL G-202 Wireless Adapter Utility -- (ZyXEL Communications Corp.)
"C:\Program Files\EA GAMES\American McGee's Alice\alice.exe" = C:\Program Files\EA GAMES\American McGee's Alice\alice.exe:*:Enabled:American McGee's Alice -- (Rogue Entertainment)
"C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe" = C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe:*:Enabled:BF1942 -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\LEXPPS.EXE" = C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE -- (Lexmark International, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1E99F5D7-4262-4C7C-9135-F066E7485811}" = System Requirements Lab
"{25F28E39-FDBB-11DB-8314-0800200C9A66}" = Medal of Honor Airborne
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{49F09453-8205-48CF-ADE6-29CE6B509669}" = SmartFTP Client
"{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}" = Medal of Honor Pacific Assault(tm)
"{5ED9E38C-9A96-49D8-89B3-92E278003FCF}" = TRS2006
"{65F1CF63-31E0-450B-96F3-4A88BE7361A6}" = AGEIA PhysX v7.07.09
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 1942
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77B5AD60-8F14-11D4-9BC9-0050041A1090}" = American McGee's Alice(tm)
"{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
"{818FB39B-1A57-4F1B-A54D-391C33D6C596}" = Tropico
"{824539D7-D27E-4CC3-B36F-6404B5EB726B}" = Medal of Honor Pacific Assault(tm) Patch2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7A34FC9-DF24-4A36-00AD-D4EFE94CC116}" = SimCity 4 Deluxe
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5D78EFC-A9C1-44F3-81CB-D42C5DF8EA09}" = ZyXEL G-202 Wireless Adapter Utility
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{DE29025A-091F-4998-AD2D-24C84421190F}" = Railroad Tycoon 3
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"18 Wheels of Steel: American Long Haul" = 18 Wheels of Steel: American Long Haul
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE
"AVG8Uninstall" = AVG Free 8.5
"Browser Defender_is1" = Browser Defender 2.0.6.15
"Forgotten Hope" = Forgotten Hope 0.70
"Fraps" = Fraps
"GameSpy Arcade" = GameSpy Arcade
"Half-Life" = Half-Life
"Half-Life: Blue Shift" = Half-Life: Blue Shift
"Half-Life: Opposing Force" = Half-Life: Opposing Force
"ie8" = Windows Internet Explorer 8
"Lexmark 1200 Series" = Lexmark 1200 Series
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft DirectX SDK (August 2009)" = Microsoft DirectX SDK (August 2009)
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Railroad Tycoon 2 Platinum" = Railroad Tycoon 2 Platinum
"Sierra Utilities" = Sierra Utilities
"SimCity2000CDv1" = SimCity 2000 Special Edition
"Spyware Doctor" = Spyware Doctor 7.0
"Steam(TM)" = Steam(TM)
"Tropico 3_is1" = Tropico 3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"World War III Black Gold" = World War III Black Gold
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"Zoo Tycoon 2" = Zoo Tycoon 2 Endangered Species

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FileZilla Client" = FileZilla Client 3.3.1
"TeamSpeak 3 Client" = TeamSpeak 3 Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/24/2010 11:50:34 AM | Computer Name = USER-B76099523F | Source = Application Hang | ID = 1001
Description = Fault bucket 10408654.

Error - 1/24/2010 11:50:34 AM | Computer Name = USER-B76099523F | Source = Application Hang | ID = 1001
Description = Fault bucket 10408654.

Error - 1/24/2010 7:12:49 PM | Computer Name = USER-B76099523F | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/24/2010 7:24:42 PM | Computer Name = USER-B76099523F | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/1/2010 1:40:07 PM | Computer Name = USER-B76099523F | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 10.0.0.1102, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/1/2010 2:09:40 PM | Computer Name = USER-B76099523F | Source = Application Hang | ID = 1002
Description = Hanging application SimCity 4.exe, version 1.1.610.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/3/2010 12:56:01 PM | Computer Name = USER-B76099523F | Source = Application Hang | ID = 1002
Description = Hanging application lxczaiox.exe, version 1.0.11.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/3/2010 3:49:01 PM | Computer Name = USER-B76099523F | Source = Application Error | ID = 1000
Description = Faulting application bf1942.exe, version 0.0.0.0, faulting module
msvcr70.dll, version 7.0.9466.0, fault address 0x0000133d.

Error - 2/4/2010 7:36:15 PM | Computer Name = USER-B76099523F | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/5/2010 3:44:41 PM | Computer Name = USER-B76099523F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1102, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x0023e794.

[ System Events ]
Error - 2/20/2010 12:59:38 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/20/2010 1:00:52 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/20/2010 1:03:20 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/20/2010 1:03:39 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/20/2010 1:06:47 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/20/2010 1:07:07 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/20/2010 1:07:51 AM | Computer Name = USER-B76099523F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AvgLdx86 AvgMfx86 Fips intelppm

Error - 2/20/2010 1:08:19 AM | Computer Name = USER-B76099523F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/20/2010 1:44:04 AM | Computer Name = USER-B76099523F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 2/26/2010 7:24:05 PM | Computer Name = USER-B76099523F | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Lexmark 1200 Series share name
Printer2.


< End of report >


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sun Feb 28, 2010 1:39 am

Hello.

We may have a deeper problem than what I suspected, but we'll see.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

    :OTL
    PRC - [2010/02/26 17:45:34 | 000,186,368 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2010/02/26 17:45:34 | 000,186,368 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe

  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 1:51 am

The fix log won't appear...I've tried multiple times...

PanzerschreckLeopard
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows XP
Points Points : 25587
# Likes # Likes : 0

View user profile

Back to top Go down

Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sun Feb 28, 2010 1:52 am

Hello.
There should be a log file inside this folder:
C:\_OTL



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 1:56 am

Hope this is the right one...


========== OTL ==========
Process av.exe killed successfully!
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
C:\Documents and Settings\User\Local Settings\Application Data\av.exe moved successfully.

OTL by OldTimer - Version 3.1.30.3 log created on 02272010_204809


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sun Feb 28, 2010 1:59 am

That's the one. Right On! I want to do a check for a rootkit, but I see traces of Combofix, so I think that has fixed it.


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 2:04 am

All I get is an "open with" window and a list of programs.

Then again, I didn't know how to save to desktop before extracting.


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sun Feb 28, 2010 2:09 am

Hello.

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

It's a zip file, so you should be able to open it like a folder.



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 2:11 am

exeHelper by Raktor
Build 20091220
Run at 21:10:51 on 02/27/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sun Feb 28, 2010 2:12 am

Are you able to run TDSSKiller?



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Sun Feb 28, 2010 2:19 am

Okay, I double click on TDSS in the downloads window (the one that automatically pops up when the download starts), then the window comes up with "Eula" and "TDSSKiller." I double-click on the latter, go to "extract all," set it to save them to desktop. I double click on that or try start & run, but either way, when I hit "Run," I get the "Open With?" list. ...In fact, it does this with several programs...including MSPaint, so I can't get screenshots.

On an unrelated note, my E-mail inbox shows a message from "Servimg" about my account being created...not sure if I should open it, I don't remember such a site.

EDIT: okay, now I can't even start any programs...the thing that automatically pops up that allows internet to start won't happen. I can't remember what it was, Mom is forcing me off because she says I'll do the same to this computer...


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Sun Feb 28, 2010 11:21 pm

Hello.

No biggy, we can repair this; it's not your fault. The malware has changed the file association for .exe; that's why exeHelper can be run fine (it doesn't use .exe), but the rest of our tools do.

Can you see file extensions on the end of files?


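Belahzur's diagnosis above (a per-user .exe association pointing at av.exe, shown in the Extras log as `.exe [@ = secfile]`) can be checked mechanically from the log itself. The following is an added example, not code from this thread or from OTL: a small Python parser for the File Associations, Shell Spawning and Security Center sections of an OTL Extras.txt, run over a constructed excerpt modelled on the log posted above. The section and key layout is taken from that log; the stock shell-spawn commands, the list of Security Center notification values and the user-writable path fragments are my assumptions.

```python
import re

# Constructed excerpt in OTL Extras.txt layout, modelled on the Extras log posted in this
# thread (sample data, not the original file; the .exe -> secfile line is the hijack).
SAMPLE_EXTRAS = r"""
========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = secfile] -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe ()
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
exefile [open] -- "%1" %*

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"AntiVirusOverride" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(HKEY_.*)\]$")
ASSOC_RE = re.compile(r"^(\.\w+) \[@ = ([^\]]+)\] -- (.*?)(?: \(([^()]*)\))?$")
SHELL_RE = re.compile(r"^(\S+) \[(\w+)\] -- (.*)$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')

# Assumed defaults: the stock XP "open" command for executable ProgIDs hands the file
# straight to the loader, so anything else means program launches are being intercepted.
EXPECTED_SPAWN = {p: '"%1" %*' for p in ("exefile", "comfile", "batfile", "cmdfile", "piffile")}
# Security Center values a rogue AV sets to 1 so Windows stops warning about it (assumed list).
SILENCING_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                    "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride"}
# Assumed user-writable locations on XP: a handler living here needed no admin rights.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")


def parse_otl_extras(text):
    """Split an OTL Extras report into association, shell-spawn and security records."""
    section, key = None, None
    report = {"associations": [], "spawn": [], "security": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif section == "File Associations" and (m := ASSOC_RE.match(line)):
            # OTL prints "path (Company)"; a bare "()" means the file has no version info.
            report["associations"].append({
                "hive": (key or "").split("\\")[0], "ext": m.group(1).lower(),
                "progid": m.group(2), "target": m.group(3), "company": m.group(4) or ""})
        elif section == "Shell Spawning" and (m := SHELL_RE.match(line)):
            report["spawn"].append(dict(zip(("progid", "verb", "command"), m.groups())))
        elif section == "Security Center Settings" and key and (m := VALUE_RE.match(line)):
            report["security"].setdefault(key, {})[m.group(1)] = m.group(2)
    return report


def find_hijacks(report):
    """Return (check, detail) findings; an empty list means nothing looked tampered with."""
    findings = []
    for a in report["associations"]:
        if a["ext"] == ".exe" and (a["hive"] == "HKEY_CURRENT_USER"
                                   or a["progid"].lower() != "exefile"):
            # HKCU\Software\Classes shadows HKLM for that user, so a per-user .exe ProgID
            # routes every program launch through that ProgID's own command (here av.exe).
            findings.append(("exe_association",
                             f'{a["hive"]} .exe -> {a["progid"]} ({a["target"]})'))
        if any(frag in a["target"].lower() for frag in USER_WRITABLE):
            findings.append(("user_writable_handler", f'{a["ext"]} handled by {a["target"]}'))
    for s in report["spawn"]:
        expected = EXPECTED_SPAWN.get(s["progid"].lower())
        if expected and s["verb"] == "open" and s["command"] != expected:
            findings.append(("shell_spawn", f'{s["progid"]} open -> {s["command"]}'))
    for key, values in report["security"].items():
        tail = key.rsplit("\\", 1)[-1]
        for name, value in values.items():
            if tail == "Security Center" and name in SILENCING_VALUES and value == "1":
                findings.append(("security_center", f"{name} = 1"))
            elif tail.endswith("Profile") and name == "EnableFirewall" and value == "0":
                findings.append(("firewall_off", f"{tail} EnableFirewall = 0"))
    return findings


if __name__ == "__main__":
    for check, detail in find_hijacks(parse_otl_extras(SAMPLE_EXTRAS)):
        print(f"[{check}] {detail}")
```

Run stand-alone it prints one line per finding; a real Extras.txt can be fed to parse_otl_extras unchanged, since the only sections it reads are the three shown.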

Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Thu Mar 04, 2010 1:20 am

Had a big problem...had to send this comp in...Got it back today, but...about 3 hours after using it, it came back, albeit as "XP Internet Security." I'll try the guides...

EDIT: I apparently can't find the right guide...should I try your instruction from earlier?


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Thu Mar 04, 2010 1:24 am

Not a problem, that's what tends to happen if we don't react fast, the malware has downloaded more rubbish onto the machine.

Please try to re-run OTL, but I suspect it won't let you.



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Thu Mar 04, 2010 1:36 am

One of my internet friends says it MIGHT be a thing going around on DeviantArt...and if there's one tab I have open, it's DA...


EDIT: Can't find Extras.Txt !


OTL.TXT

OTL logfile created on: 3/3/2010 8:25:40 PM - Run 2
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 401.31 Gb Free Space | 86.16% Space Free | Partition Type: NTFS
Drive D: | 412.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-B76099523F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/03 20:24:54 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010/03/03 16:21:35 | 000,196,608 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
PRC - [2010/02/21 16:06:50 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/21 18:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/12/11 16:17:03 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/12/11 16:16:55 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/12/08 10:32:18 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/12/08 10:32:14 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/12/08 10:32:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/13 18:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 18:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/09/25 01:11:35 | 000,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007/08/15 02:49:26 | 000,063,040 | ---- | M] () -- C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
PRC - [2006/07/13 00:33:14 | 000,053,248 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
PRC - [2006/07/13 00:22:50 | 000,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
PRC - [2004/10/14 14:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2003/10/31 20:42:40 | 000,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe


========== Modules (SafeList) ==========

MOD - [2010/03/03 20:24:54 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/21 18:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/01/18 14:14:24 | 001,141,712 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/12/11 16:16:55 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/12/09 15:23:34 | 000,365,280 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/12/08 10:32:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/15 02:49:26 | 000,063,040 | ---- | M] () [Auto | Running] -- C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe -- (PnkBstrA)


========== Driver Services (SafeList) ==========

DRV - [2010/01/30 23:07:49 | 000,012,400 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2009/12/08 10:32:18 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/12/08 10:32:18 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/09/29 17:17:44 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/09/29 16:22:24 | 000,021,419 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2008/08/28 16:52:36 | 000,627,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2008/04/15 13:45:46 | 000,519,168 | ---- | M] (Atheros Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WlanGZXP.SYS -- (ZG760_XP)
DRV - [2008/04/15 13:45:46 | 000,020,736 | ---- | M] (ZDC., Inc. (ZDC)) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ZDCndis5.sys -- (ZDCNDIS5)
DRV - [2008/04/15 13:45:44 | 000,020,608 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BRGSp50.sys -- (BRGSp50)
DRV - [2008/04/14 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/05/10 15:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/03/23 20:47:06 | 001,166,972 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/03/22 11:08:40 | 000,260,224 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://z4.invisionfree.com/Happy_Tree_Forums/index.php"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/01 20:08:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/21 16:06:58 | 000,000,000 | ---D | M]

[2009/12/08 15:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/03/03 13:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\extensions
[2010/01/04 12:30:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/08 16:04:09 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/08 15:45:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/02 14:47:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL G-202\ZyXEL G-202.exe (ZyXEL Communications Corp.)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/25 12:12:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/04/21 18:21:13 | 000,000,162 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/03 20:24:51 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/03/01 22:54:43 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/01 22:54:40 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/01 19:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Threat Expert
[2010/02/27 21:35:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\tdsskiller
[2010/02/27 20:48:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/26 18:03:38 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/02/26 18:03:37 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/02/26 18:03:37 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/02/26 18:03:37 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/02/26 18:01:28 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/26 18:01:12 | 000,207,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/02/26 18:01:12 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/02/26 18:01:02 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/26 18:00:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/26 18:00:56 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/02/26 18:00:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\PC Tools
[2010/02/26 18:00:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/02/26 18:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/20 00:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010/02/20 00:17:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/20 00:17:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/19 23:53:02 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/02/19 23:48:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/02 15:41:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/02 14:50:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/02 10:17:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Old RP's
[2010/02/02 09:53:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/02 09:51:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/02 09:51:47 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/02 09:51:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/02 09:51:47 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/02 09:51:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/02 09:43:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2009/12/16 06:01:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/09/29 17:17:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/09/29 17:07:20 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/09/29 17:07:20 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/03 20:24:54 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/03/03 20:16:44 | 000,010,868 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\jXP7U0T4
[2010/03/03 20:16:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/03 20:15:34 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/03 20:15:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/03 16:37:11 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010/03/03 16:37:11 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/03/03 16:21:35 | 000,196,608 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
[2010/03/02 08:58:03 | 056,532,882 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/01 20:03:28 | 001,581,096 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/02/27 20:45:33 | 000,010,958 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\SlfBpB8
[2010/02/26 17:55:13 | 000,000,330 | ---- | M] () -- C:\Documents and Settings\User\My Documents\exefix.reg
[2010/02/26 17:49:00 | 000,021,391 | ---- | M] () -- C:\Documents and Settings\User\My Documents\20. Were Leopard Pan.odt
[2010/02/26 16:36:40 | 000,026,577 | ---- | M] () -- C:\Documents and Settings\User\My Documents\9. Feral 2.odt
[2010/02/25 20:53:54 | 000,028,562 | ---- | M] () -- C:\Documents and Settings\User\My Documents\8. Feral Level.odt
[2010/02/25 16:49:28 | 000,021,021 | ---- | M] () -- C:\Documents and Settings\User\My Documents\18. General.odt
[2010/02/23 22:49:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/23 16:36:31 | 000,018,243 | ---- | M] () -- C:\Documents and Settings\User\My Documents\19. Pet.odt
[2010/02/21 14:14:20 | 000,023,142 | ---- | M] () -- C:\Documents and Settings\User\My Documents\17. Li's Mind.odt
[2010/02/20 22:47:13 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/20 17:25:21 | 000,021,554 | ---- | M] () -- C:\Documents and Settings\User\My Documents\16. Another new.odt
[2010/02/20 00:11:22 | 000,000,528 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/20 00:11:22 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/20 00:11:22 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/19 19:52:34 | 000,022,411 | ---- | M] () -- C:\Documents and Settings\User\My Documents\15. New Character.odt
[2010/02/18 18:01:18 | 000,016,805 | ---- | M] () -- C:\Documents and Settings\User\My Documents\14. Rita Vores.odt
[2010/02/17 18:54:15 | 000,022,181 | ---- | M] () -- C:\Documents and Settings\User\My Documents\13. Li's Insanity.odt
[2010/02/16 18:11:42 | 000,023,564 | ---- | M] () -- C:\Documents and Settings\User\My Documents\12. Rita Visits.odt
[2010/02/14 17:06:06 | 000,024,972 | ---- | M] () -- C:\Documents and Settings\User\My Documents\un.odt
[2010/02/14 16:52:57 | 000,020,968 | ---- | M] () -- C:\Documents and Settings\User\My Documents\11. Weapons.odt
[2010/02/13 19:57:47 | 000,014,967 | ---- | M] () -- C:\Documents and Settings\User\My Documents\10. Sleep Vore.odt
[2010/02/13 12:04:12 | 000,020,192 | ---- | M] () -- C:\Documents and Settings\User\My Documents\conversation.odt
[2010/02/11 16:53:38 | 000,014,128 | ---- | M] () -- C:\Documents and Settings\User\My Documents\7. Kody.odt
[2010/02/11 16:40:06 | 000,014,133 | ---- | M] () -- C:\Documents and Settings\User\My Documents\6. Li's Preg AGAIN.odt
[2010/02/10 16:36:06 | 000,017,991 | ---- | M] () -- C:\Documents and Settings\User\My Documents\5. Li and Laya Inflation.odt
[2010/02/09 21:17:35 | 000,000,129 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/09 16:42:32 | 000,020,462 | ---- | M] () -- C:\Documents and Settings\User\My Documents\4. Charlie & Ferals.odt
[2010/02/07 13:37:20 | 000,023,264 | ---- | M] () -- C:\Documents and Settings\User\My Documents\3. The Thing.odt
[2010/02/06 14:01:05 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Forgotten Hope.lnk
[2010/02/05 19:56:55 | 000,023,690 | ---- | M] () -- C:\Documents and Settings\User\My Documents\2. Rita School Again.odt
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/03 16:45:21 | 000,020,821 | ---- | M] () -- C:\Documents and Settings\User\My Documents\2. Rita School.odt
[2010/02/02 16:48:42 | 000,017,135 | ---- | M] () -- C:\Documents and Settings\User\My Documents\1. Pan and Jayde.odt
[2010/02/02 14:51:28 | 000,023,372 | ---- | M] () -- C:\Documents and Settings\User\My Documents\ComboFix report2.odt
[2010/02/02 14:47:10 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/02 14:40:31 | 003,843,928 | R--- | M] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2010/02/02 10:57:16 | 000,014,304 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/02 10:17:06 | 000,023,747 | ---- | M] () -- C:\Documents and Settings\User\My Documents\ComboFix report.odt

========== Files Created - No Company Name ==========

[2010/03/03 16:21:35 | 000,196,608 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
[2010/03/03 16:21:35 | 000,010,868 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\jXP7U0T4
[2010/02/26 18:03:38 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/02/26 18:03:38 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/26 18:03:38 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/02/26 18:03:38 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/02/26 18:03:38 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/02/26 18:03:38 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/02/26 18:01:28 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/02/26 18:01:12 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/02/26 18:01:12 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/02/26 18:01:02 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/02/26 17:55:13 | 000,000,330 | ---- | C] () -- C:\Documents and Settings\User\My Documents\exefix.reg
[2010/02/26 17:48:59 | 000,021,391 | ---- | C] () -- C:\Documents and Settings\User\My Documents\20. Were Leopard Pan.odt
[2010/02/26 17:45:35 | 000,010,958 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\SlfBpB8
[2010/02/23 16:36:30 | 000,018,243 | ---- | C] () -- C:\Documents and Settings\User\My Documents\19. Pet.odt
[2010/02/22 16:36:12 | 000,021,021 | ---- | C] () -- C:\Documents and Settings\User\My Documents\18. General.odt
[2010/02/21 12:18:42 | 000,023,142 | ---- | C] () -- C:\Documents and Settings\User\My Documents\17. Li's Mind.odt
[2010/02/20 11:13:25 | 000,021,554 | ---- | C] () -- C:\Documents and Settings\User\My Documents\16. Another new.odt
[2010/02/19 17:40:30 | 000,022,411 | ---- | C] () -- C:\Documents and Settings\User\My Documents\15. New Character.odt
[2010/02/18 17:17:37 | 000,016,805 | ---- | C] () -- C:\Documents and Settings\User\My Documents\14. Rita Vores.odt
[2010/02/17 16:45:04 | 000,022,181 | ---- | C] () -- C:\Documents and Settings\User\My Documents\13. Li's Insanity.odt
[2010/02/14 20:03:02 | 000,023,564 | ---- | C] () -- C:\Documents and Settings\User\My Documents\12. Rita Visits.odt
[2010/02/14 13:08:39 | 000,020,968 | ---- | C] () -- C:\Documents and Settings\User\My Documents\11. Weapons.odt
[2010/02/14 12:45:09 | 000,024,972 | ---- | C] () -- C:\Documents and Settings\User\My Documents\un.odt
[2010/02/13 19:57:46 | 000,014,967 | ---- | C] () -- C:\Documents and Settings\User\My Documents\10. Sleep Vore.odt
[2010/02/13 14:03:42 | 000,026,577 | ---- | C] () -- C:\Documents and Settings\User\My Documents\9. Feral 2.odt
[2010/02/13 10:44:47 | 000,020,192 | ---- | C] () -- C:\Documents and Settings\User\My Documents\conversation.odt
[2010/02/12 17:37:10 | 000,028,562 | ---- | C] () -- C:\Documents and Settings\User\My Documents\8. Feral Level.odt
[2010/02/11 16:53:38 | 000,014,128 | ---- | C] () -- C:\Documents and Settings\User\My Documents\7. Kody.odt
[2010/02/11 16:40:05 | 000,014,133 | ---- | C] () -- C:\Documents and Settings\User\My Documents\6. Li's Preg AGAIN.odt
[2010/02/10 16:36:05 | 000,017,991 | ---- | C] () -- C:\Documents and Settings\User\My Documents\5. Li and Laya Inflation.odt
[2010/02/09 21:17:35 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/08 16:54:13 | 000,020,462 | ---- | C] () -- C:\Documents and Settings\User\My Documents\4. Charlie & Ferals.odt
[2010/02/06 14:01:53 | 000,023,264 | ---- | C] () -- C:\Documents and Settings\User\My Documents\3. The Thing.odt
[2010/02/06 14:01:05 | 000,001,757 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Forgotten Hope.lnk
[2010/02/04 16:46:34 | 000,023,690 | ---- | C] () -- C:\Documents and Settings\User\My Documents\2. Rita School Again.odt
[2010/02/03 13:57:23 | 000,020,821 | ---- | C] () -- C:\Documents and Settings\User\My Documents\2. Rita School.odt
[2010/02/02 14:51:28 | 000,023,372 | ---- | C] () -- C:\Documents and Settings\User\My Documents\ComboFix report2.odt
[2010/02/02 14:37:15 | 003,843,928 | R--- | C] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2010/02/02 14:34:53 | 000,017,135 | ---- | C] () -- C:\Documents and Settings\User\My Documents\1. Pan and Jayde.odt
[2010/02/02 10:17:06 | 000,023,747 | ---- | C] () -- C:\Documents and Settings\User\My Documents\ComboFix report.odt
[2010/02/02 09:53:29 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/02 09:53:23 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/02 09:51:47 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/02 09:51:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/02 09:51:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/02 09:51:47 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/02 09:51:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/19 12:59:06 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/08 20:20:20 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/12/05 21:10:55 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/12/05 15:33:34 | 000,000,580 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/12/03 19:01:36 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/12/03 19:01:36 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/12/03 16:04:39 | 000,000,248 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2009/12/03 16:04:36 | 000,000,076 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2007/06/19 09:59:36 | 000,070,400 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2007/04/20 08:57:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2006/01/30 07:42:22 | 000,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2002/11/13 02:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

PanzerschreckLeopard
Intermediate

Posts : 72
Joined : 2010-02-01
Gender : Male
OS : Windows XP
Points : 25587
# Likes : 0


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Thu Mar 04, 2010 1:48 am

Hello.

We have to kill this quickly and then seal it out, otherwise it will return again and again.

Please follow my instructions as they are written.

Please download [You must be registered and logged in to see this link.]

  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that has an Error status click [Repair]
  • Refer to this image for an example:

  • In your case, it would be .EXE
  • Close SREng now.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    PRC - [2010/02/26 17:45:34 | 000,186,368 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe
    [2010/02/26 17:45:34 | 000,186,368 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\av.exe



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

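The OTL fix above singles out av.exe from a log of a few hundred lines, and the cues the helper used are all visible in the line itself: a hidden+system file, no company name, an executable sitting in the user's Local Settings\Application Data folder, and listed under PRC as a running process. The following triage script is an added example and is not part of OTL or of this thread's instructions. It parses OTL process/file lines and scores them on those cues; the weights, the "suspect"/"review" thresholds and the list of user-writable directories are this example's own assumptions, and the sample lines are copied from the log posted above.

```python
"""Triage helper for OTL-style log lines (added example, not part of OTL).

Scores each PRC/file line on cues a helper reads off the log: hidden+system
flags, missing company name, an executable in a per-user writable directory,
and whether it is a running process. Weights and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?:(?P<kind>[A-Z]{3}) - )?"          # optional PRC/SRV/DRV/MOD prefix
    r"\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<mode>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?"         # "(Company)" is absent on directory lines
    r"-- (?P<path>.*)$"
)

# Locations an ordinary user can write to (assumption used for scoring).
USER_DATA_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temp\\",
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


@dataclass
class Entry:
    kind: Optional[str]      # "PRC" for a running process, None for a plain file line
    timestamp: str
    size: int
    attrs: str               # OTL attribute flags: R(ead-only) H(idden) S(ystem) D(irectory)
    company: Optional[str]   # "" when OTL printed "()", None when no parens at all
    path: str

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs and "D" not in self.attrs

    @property
    def in_user_data_dir(self) -> bool:
        p = self.path.lower()
        return any(d in p for d in USER_DATA_DIRS)

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL process/file line; return None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(kind=m.group("kind"), timestamp=m.group("ts").strip(),
                 size=int(m.group("size").replace(",", "")), attrs=m.group("attrs"),
                 company=m.group("company"), path=m.group("path").strip())


def score(e: Entry) -> int:
    """Heuristic weights (assumption): higher means more worth a closer look."""
    s = 0
    if e.hidden_system and (e.in_user_data_dir or e.is_executable):
        s += 2                  # hidden+system is unusual for user data or programs
    if e.company == "":
        s += 1                  # no company/version information at all
        if e.in_user_data_dir:
            s += 1
    if e.is_executable and e.in_user_data_dir:
        s += 2                  # code living in a user-writable location
    if e.kind == "PRC":
        s += 1                  # it is live in memory right now
    return s


def verdict(s: int) -> str:
    return "suspect" if s >= 5 else "review" if s >= 3 else "ok"


def triage(lines: List[str]):
    """Return (path, score, verdict) for every parseable line, worst first."""
    rows = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            s = score(e)
            rows.append((e.path, s, verdict(s)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Lines copied from the OTL log posted above.
SAMPLE_LOG = [
    "PRC - [2010/03/03 20:24:54 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\\Documents and Settings\\User\\Desktop\\OTL.exe",
    "PRC - [2010/03/03 16:21:35 | 000,196,608 | -HS- | M] () -- C:\\Documents and Settings\\User\\Local Settings\\Application Data\\av.exe",
    "PRC - [2010/02/21 16:06:50 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "[2010/03/03 20:16:44 | 000,010,868 | -HS- | M] () -- C:\\Documents and Settings\\User\\Local Settings\\Application Data\\jXP7U0T4",
    "[2010/03/03 16:37:11 | 000,000,178 | -HS- | M] () -- C:\\Documents and Settings\\User\\ntuser.ini",
    "[2010/03/01 19:18:12 | 000,000,000 | ---D | C] -- C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Threat Expert",
    "========== Files - Modified Within 30 Days ==========",
]

if __name__ == "__main__":
    for path, s, v in triage(SAMPLE_LOG):
        print(f"{v:8} {s:2}  {path}")
```

Run against the sample, av.exe lands on top as "suspect" and the randomly named hidden+system file jXP7U0T4 beside it is flagged "review", while ntuser.ini (legitimately hidden+system, but neither executable nor in a data directory) and the signed programs score as "ok". The hidden+system rule deliberately only fires for files in user-writable directories or with executable extensions, since Windows itself keeps several hidden+system files in the profile root and on C:\.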

Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Thu Mar 04, 2010 1:55 am

EDIT: At the time of editing, Pop ups are no longer appearing, and the tray icon is gone.


========== OTL ==========
Process av.exe killed successfully!
C:\Documents and Settings\User\Local Settings\Application Data\av.exe moved successfully.

OTL by OldTimer - Version 3.1.32.0 log created on 03032010_205443


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Thu Mar 04, 2010 10:46 pm

Just for the sake of it, ran Malwarebytes.



Malwarebytes' Anti-Malware 1.44
Database version: 3811
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 5:45:21 PM
mbam-log-2010-03-04 (17-45-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217547
Time elapsed: 41 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Thu Mar 04, 2010 11:27 pm

Hello.

  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Thu Mar 04, 2010 11:49 pm

ComboFix 10-03-04.02 - User 03/04/2010 18:41:47.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2497 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-02 03:54 . 2010-03-02 03:54 -------- d-----w- c:\documents and settings\Parents\Application Data\Malwarebytes
2010-03-02 03:54 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 03:54 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 01:08 . 2010-03-02 01:08 -------- d-----w- c:\documents and settings\Kira\Local Settings\Application Data\Mozilla
2010-03-02 00:18 . 2010-03-02 00:18 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-03-01 19:13 . 2010-03-01 19:13 -------- d-----w- c:\documents and settings\Parents\Local Settings\Application Data\Threat Expert
2010-03-01 19:13 . 2010-03-01 19:13 -------- d-sh--w- c:\documents and settings\Parents\PrivacIE
2010-03-01 19:13 . 2010-03-01 19:13 -------- d-----w- c:\documents and settings\Parents\Local Settings\Application Data\Yahoo
2010-03-01 19:12 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\Parents\Application Data\Yahoo!
2010-02-28 01:48 . 2010-02-28 01:48 -------- d-----w- C:\_OTL
2010-02-27 15:41 . 2010-02-27 15:41 -------- d-----w- c:\documents and settings\Kira\Local Settings\Application Data\Adobe
2010-02-27 15:07 . 2010-02-27 15:07 -------- d-----w- c:\documents and settings\Kira\Local Settings\Application Data\Threat Expert
2010-02-26 23:00 . 2010-03-04 22:59 -------- d-----w- c:\program files\Spyware Doctor
2010-02-26 23:00 . 2010-03-04 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-20 05:17 . 2010-02-20 05:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-02-20 05:17 . 2010-02-20 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-20 05:17 . 2010-03-02 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 05:08 . 2010-02-20 05:08 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 23:01 . 2009-12-08 22:33 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2010-03-04 23:00 . 2009-12-09 01:12 -------- d-----w- c:\program files\Steam
2010-03-04 22:55 . 2010-01-02 18:54 -------- d-----w- c:\program files\Tropico 3
2010-03-04 21:41 . 2009-12-08 22:33 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-03-02 13:56 . 2009-09-29 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-02 15:57 . 2009-08-28 19:32 14304 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 04:44 . 2010-02-01 04:44 -------- d-----w- c:\documents and settings\User\Application Data\Microsoft Games
2010-02-01 04:40 . 2010-02-01 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-02-01 04:35 . 2010-02-01 04:35 -------- d-----w- c:\program files\Microsoft Games
2010-01-31 21:17 . 2009-12-12 04:20 -------- d-----w- c:\program files\Maxis
2010-01-31 04:07 . 2008-04-14 12:00 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-01-31 00:55 . 2010-01-31 00:55 297 ----a-w- c:\windows\EReg072.dat
2010-01-30 19:14 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-24 05:24 . 2010-01-24 05:24 -------- d-----w- c:\documents and settings\User\Application Data\TS3Client
2010-01-21 18:10 . 2010-01-03 21:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 22:58 . 2009-08-25 19:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-19 22:58 . 2009-12-03 23:44 -------- d-----w- c:\program files\EA GAMES
2010-01-11 02:03 . 2009-12-24 02:12 -------- d-----w- c:\documents and settings\User\Application Data\FileZilla
2010-01-09 21:45 . 2009-12-12 04:23 868 ----a-w- c:\windows\eReg.dat
2010-01-09 21:33 . 2009-12-03 23:44 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-08 02:04 . 2010-02-20 05:07 195708 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-01-08 01:15 . 2009-12-24 02:12 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-01-02 21:38 . 2010-01-02 21:38 93512 ----a-w- c:\windows\dxsdkuninst.exe
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 01:35 . 2009-12-04 00:01 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-12-19 01:35 . 2009-12-04 00:01 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-12-16 18:43 . 2009-08-25 17:08 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 17:31 . 2009-12-06 02:10 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-12-11 01:14 . 2009-12-11 01:14 255127 ----a-w- c:\windows\Railroad Tycoon 2 Platinum Uninstaller.exe
2009-12-08 20:48 . 2009-12-08 20:48 0 ----a-w- c:\windows\nsreg.dat
2009-12-08 19:26 . 2008-04-14 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 15:32 . 2009-09-29 22:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-08 15:32 . 2009-09-29 22:17 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-08 15:32 . 2009-09-29 22:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 12:00 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 12:00 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 05:42 . 2009-11-27 17:11 17920 c:\windows\system32\msyuv.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07 28672 c:\windows\system32\msvidc32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 11264 c:\windows\system32\msrle32.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07 11264 c:\windows\system32\msrle32.dll
+ 2008-04-14 05:41 . 2009-11-27 16:07 48128 c:\windows\system32\iyuv_32.dll
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07 11264 c:\windows\system32\dllcache\msrle32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2008-04-14 12:00 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07 84992 c:\windows\system32\dllcache\avifil32.dll
- 2008-04-14 12:00 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2010-02-27 15:08 . 2010-02-27 15:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-16 02:32 . 2010-02-02 14:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-16 02:32 . 2010-02-27 15:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-27 15:08 . 2010-02-27 15:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-14 12:00 . 2009-06-10 14:13 84992 c:\windows\system32\avifil32.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07 84992 c:\windows\system32\avifil32.dll
+ 2009-12-09 01:20 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2001-08-17 22:36 . 2009-11-27 16:07 8704 c:\windows\system32\tsbyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 474112 c:\windows\system32\shlwapi.dll
+ 2008-04-14 12:00 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll
+ 2010-02-20 05:08 . 2010-02-20 05:08 201576 c:\windows\system32\Restore\rstrlog.dat
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2008-04-14 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2008-04-14 12:00 . 2009-12-04 18:22 455424 c:\windows\system32\drivers\mrxsmb.sys
+ 2008-04-14 12:00 . 2009-12-31 16:50 353792 c:\windows\system32\dllcache\srv.sys
+ 2008-04-14 12:00 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-08-25 17:08 . 2009-12-16 18:43 343040 c:\windows\system32\dllcache\mspaint.exe
- 2009-08-25 17:08 . 2008-04-14 12:00 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2009-09-29 21:30 . 2009-12-04 18:22 455424 c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-04-14 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-02-24 03:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 03:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 03:49 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2009-09-29 21:30 . 2009-12-04 18:22 455424 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-04-14 12:00 . 2009-11-27 17:11 1291776 c:\windows\system32\quartz.dll
+ 2008-04-14 12:00 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll
- 2009-09-29 21:35 . 2009-08-05 02:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-09-29 21:35 . 2009-12-08 19:27 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-09-29 21:35 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-09-29 21:35 . 2009-12-08 18:43 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-02-08 00:02 . 2009-12-08 18:43 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2009-02-08 00:02 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2009-09-29 21:35 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2009-09-29 21:35 . 2009-12-08 19:26 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2010-02-17 21:00 . 2010-02-17 21:00 3780608 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-09-29 21:35 . 2009-12-08 19:27 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2009-09-29 21:35 . 2009-08-05 02:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2009-09-29 21:35 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-09-29 21:35 . 2009-12-08 18:43 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-08 00:02 . 2009-12-08 18:43 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2009-02-08 00:02 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-09-29 21:35 . 2009-12-08 19:26 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2009-09-29 21:35 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-09-29 21:56 . 2010-02-01 19:26 30364104 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Steam"="c:\program files\Steam\Steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - c:\program files\ZyXEL G-202\ZyXEL G-202.exe [2009-12-8 10801152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-08 15:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ZyXEL G-202\\ZyXEL G-202.exe"=
"c:\\Program Files\\EA GAMES\\American McGee's Alice\\alice.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/29/2009 5:17 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/29/2009 5:17 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/29/2009 5:17 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/29/2009 5:17 PM 297752]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [12/8/2009 11:26 AM 20736]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [12/8/2009 11:26 AM 519168]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [12/8/2009 11:26 AM 20608]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/29/2009 4:22 PM 627072]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-04 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1740)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-04 18:48:18
ComboFix-quarantined-files.txt 2010-03-04 23:48
ComboFix2.txt 2010-02-02 19:50
ComboFix3.txt 2010-02-02 15:07

Pre-Run: 444,267,098,112 bytes free
Post-Run: 444,385,280,000 bytes free

- - End Of File - - 37756BCE745F1ECD6DA3DAB5A30A0CD8

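
The Malwarebytes result and the "Reg Loading Points" section of the ComboFix log above record the same tampering in two different formats: the rogue set the three Security Center *DisableNotify values, set AntiVirusOverride and FirewallOverride, and switched the XP firewall off in the standard profile (EnableFirewall = 0, DisableNotifications = 1). Below is an added example, not code from the original thread, from Malwarebytes or from ComboFix: a Python checker that reads both log formats into one snapshot and diffs it against a known-good baseline. The baseline values, and the assumption that ComboFix's HKLM\~\services shorthand stands for HKLM\SYSTEM\CurrentControlSet\services, are this example's own; the sample text is copied from the two logs above.

```python
import re
from typing import Dict, List, Tuple

RegValue = Tuple[str, str]   # (key path below the hive, value name), both lowercase

# Known-good values for an untampered XP Security Center and standard-profile firewall
# policy (this example's assumed baseline): 0 = notifications on / no override, and
# EnableFirewall = 1 means the Windows Firewall is on.
_SC = "software\\microsoft\\security center"
_FW = "system\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
BASELINE: Dict[RegValue, int] = {
    (_SC, "antivirusoverride"): 0,
    (_SC, "firewalloverride"): 0,
    (_SC, "antivirusdisablenotify"): 0,
    (_SC, "firewalldisablenotify"): 0,
    (_SC, "updatesdisablenotify"): 0,
    (_FW, "enablefirewall"): 1,
    (_FW, "disablenotifications"): 0,
}

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')
_MBAM_LINE = re.compile(
    r"^(?P<full>HKEY_\S.*?) \((?P<det>[^()]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def _normalize_key(key: str) -> str:
    """Drop the HKLM hive prefix and expand ComboFix's "~" shorthand, which this example
    assumes stands for SYSTEM\\CurrentControlSet (as in HKLM\\~\\services\\...)."""
    k = key.strip().lower()
    for hive in ("hkey_local_machine\\", "hklm\\"):
        if k.startswith(hive):
            k = k[len(hive):]
            break
    if k.startswith("~\\"):
        k = "system\\currentcontrolset\\" + k[2:]
    return k


def _parse_dword(raw: str) -> int:
    """Accept both spellings ComboFix uses: dword:00000001 and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^-?\d+", raw)
    if not m:
        raise ValueError(raw)
    return int(m.group(0))


def parse_combofix_registry(text: str) -> Dict[RegValue, int]:
    """Read the REGEDIT4-style 'Reg Loading Points' section into {(key, name): dword}.
    Non-numeric values (Run entries, paths) are skipped."""
    snapshot: Dict[RegValue, int] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_LINE.match(line)
        if km:
            current = _normalize_key(km["key"])
            continue
        vm = _VALUE_LINE.match(line)
        if vm and current is not None:
            try:
                snapshot[(current, vm["name"].lower())] = _parse_dword(vm["raw"])
            except ValueError:
                continue
    return snapshot


def parse_mbam_registry_data(text: str) -> Dict[RegValue, int]:
    """Read MBAM 'Registry Data Items Infected' lines into the same shape, keeping the
    'Bad:' value, i.e. what was on the machine before MBAM changed it."""
    snapshot: Dict[RegValue, int] = {}
    for line in text.splitlines():
        m = _MBAM_LINE.match(line.strip())
        if m:
            key, _, name = m["full"].rpartition("\\")
            snapshot[(_normalize_key(key), name.lower())] = int(m["bad"])
    return snapshot


def check_security_center(snapshot: Dict[RegValue, int]) -> List[str]:
    """Report each baseline value present in the snapshot that differs from known-good."""
    findings = []
    for (key, name), expected in BASELINE.items():
        actual = snapshot.get((key, name))
        if actual is not None and actual != expected:
            findings.append(f"{key}\\{name} = {actual} (expected {expected})")
    return findings


# Sample input copied from the two logs above (a Run entry is included to show it is skipped).
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for label, snap in (("ComboFix", parse_combofix_registry(COMBOFIX_SAMPLE)),
                        ("MBAM", parse_mbam_registry_data(MBAM_SAMPLE))):
        print(label, "findings:", *check_security_center(snap), sep="\n  ")
```

Note what the two logs together show: Malwarebytes reset the three DisableNotify values, but the ComboFix run afterwards still lists AntiVirusOverride, FirewallOverride and a disabled firewall, so a scanner's "Quarantined and deleted successfully" on one set of values is not evidence the rest of the policy was restored. Diffing the whole baseline, rather than trusting one tool's verdict, is the check that catches the leftovers.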

Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Fri Mar 05, 2010 1:41 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Fri Mar 05, 2010 2:11 am

I forgot AVG was running a scan, but it said it was successfully uninstalled. Seems to be running fine, but now I can't help closing the tab each time I see it doing something in the bottom left of Firefox's window. (Where "Done" is.) But that's probably just paranoia...


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Fri Mar 05, 2010 8:25 pm

Please run TDSSKiller:
[You must be registered and logged in to see this link.]



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Fri Mar 05, 2010 8:43 pm

It did not find anything infected.


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Fri Mar 05, 2010 8:46 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Fri Mar 05, 2010 8:47 pm

Said that windows could not find combofix. I think it worked the 1st time.

EDIT: Forgot the TDSS log!


15:41:55:656 1416 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
15:41:55:656 1416 ================================================================================
15:41:55:656 1416 SystemInfo:

15:41:55:656 1416 OS Version: 5.1.2600 ServicePack: 3.0
15:41:55:656 1416 Product type: Workstation
15:41:55:656 1416 ComputerName: USER-B76099523F
15:41:55:656 1416 UserName: User
15:41:55:656 1416 Windows directory: C:\WINDOWS
15:41:55:656 1416 Processor architecture: Intel x86
15:41:55:656 1416 Number of processors: 1
15:41:55:656 1416 Page size: 0x1000
15:41:55:671 1416 Boot type: Normal boot
15:41:55:671 1416 ================================================================================
15:41:55:671 1416 UnloadDriverW: NtUnloadDriver error 2
15:41:55:671 1416 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:41:55:812 1416 Initialize success
15:41:55:812 1416
15:41:55:828 1416 Scanning Services ...
15:41:55:828 1416 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:41:55:828 1416 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:41:55:843 1416 wfopen_ex: Trying to KLMD file open
15:41:55:843 1416 wfopen_ex: File opened ok (Flags 2)
15:41:55:843 1416 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:41:55:859 1416 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:41:55:859 1416 wfopen_ex: Trying to KLMD file open
15:41:55:859 1416 wfopen_ex: File opened ok (Flags 2)
15:41:56:968 1416 GetAdvancedServicesInfo: Raw services enum returned 329 services
15:41:56:968 1416 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:41:56:968 1416 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:41:56:968 1416
15:41:56:968 1416 Scanning Kernel memory ...
15:41:56:968 1416 Devices to scan: 2
15:41:56:968 1416
15:41:56:968 1416 Driver Name: Disk
15:41:56:968 1416 IRP_MJ_CREATE : BA8EEBB0
15:41:56:968 1416 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:41:56:968 1416 IRP_MJ_CLOSE : BA8EEBB0
15:41:56:968 1416 IRP_MJ_READ : BA8E8D1F
15:41:56:968 1416 IRP_MJ_WRITE : BA8E8D1F
15:41:56:968 1416 IRP_MJ_QUERY_INFORMATION : 804F4562
15:41:56:968 1416 IRP_MJ_SET_INFORMATION : 804F4562
15:41:56:968 1416 IRP_MJ_QUERY_EA : 804F4562
15:41:56:968 1416 IRP_MJ_SET_EA : 804F4562
15:41:56:968 1416 IRP_MJ_FLUSH_BUFFERS : BA8E92E2
15:41:56:968 1416 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:41:56:968 1416 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:41:56:968 1416 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:41:56:968 1416 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:41:56:968 1416 IRP_MJ_DEVICE_CONTROL : BA8E93BB
15:41:56:968 1416 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECF28
15:41:56:968 1416 IRP_MJ_SHUTDOWN : BA8E92E2
15:41:56:968 1416 IRP_MJ_LOCK_CONTROL : 804F4562
15:41:56:968 1416 IRP_MJ_CLEANUP : 804F4562
15:41:56:968 1416 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:41:56:968 1416 IRP_MJ_QUERY_SECURITY : 804F4562
15:41:56:968 1416 IRP_MJ_SET_SECURITY : 804F4562
15:41:56:968 1416 IRP_MJ_POWER : BA8EAC82
15:41:56:968 1416 IRP_MJ_SYSTEM_CONTROL : BA8EF99E
15:41:56:968 1416 IRP_MJ_DEVICE_CHANGE : 804F4562
15:41:56:968 1416 IRP_MJ_QUERY_QUOTA : 804F4562
15:41:56:968 1416 IRP_MJ_SET_QUOTA : 804F4562
15:41:56:968 1416 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:41:56:968 1416 sion
15:41:57:000 1416 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:41:57:000 1416
15:41:57:000 1416 Driver Name: atapi
15:41:57:000 1416 IRP_MJ_CREATE : BA7156F2
15:41:57:000 1416 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:41:57:000 1416 IRP_MJ_CLOSE : BA7156F2
15:41:57:000 1416 IRP_MJ_READ : 804F4562
15:41:57:000 1416 IRP_MJ_WRITE : 804F4562
15:41:57:000 1416 IRP_MJ_QUERY_INFORMATION : 804F4562
15:41:57:000 1416 IRP_MJ_SET_INFORMATION : 804F4562
15:41:57:000 1416 IRP_MJ_QUERY_EA : 804F4562
15:41:57:000 1416 IRP_MJ_SET_EA : 804F4562
15:41:57:000 1416 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:41:57:000 1416 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:41:57:000 1416 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:41:57:000 1416 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:41:57:000 1416 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:41:57:000 1416 IRP_MJ_DEVICE_CONTROL : BA715712
15:41:57:000 1416 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA711852
15:41:57:000 1416 IRP_MJ_SHUTDOWN : 804F4562
15:41:57:000 1416 IRP_MJ_LOCK_CONTROL : 804F4562
15:41:57:000 1416 IRP_MJ_CLEANUP : 804F4562
15:41:57:000 1416 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:41:57:000 1416 IRP_MJ_QUERY_SECURITY : 804F4562
15:41:57:000 1416 IRP_MJ_SET_SECURITY : 804F4562
15:41:57:031 1416 IRP_MJ_POWER : BA71573C
15:41:57:031 1416 IRP_MJ_SYSTEM_CONTROL : BA71C336
15:41:57:031 1416 IRP_MJ_DEVICE_CHANGE : 804F4562
15:41:57:031 1416 IRP_MJ_QUERY_QUOTA : 804F4562
15:41:57:031 1416 IRP_MJ_SET_QUOTA : 804F4562
15:41:57:031 1416 siohd: 0
15:41:57:062 1416 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
15:41:57:062 1416
15:41:57:062 1416 Completed
15:41:57:062 1416
15:41:57:062 1416 Results:
15:41:57:062 1416 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:41:57:062 1416 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:41:57:062 1416 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:41:57:062 1416
15:41:57:062 1416 KLMD(ARK) unloaded successfully


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Fri Mar 05, 2010 11:07 pm

Ah, well in any case, how's the machine running at the moment?



Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by PanzerschreckLeopard on Fri Mar 05, 2010 11:08 pm

Seems fine. Except AVG's scans really slow it. Would once a week be a good time for scheduled scans?


Re: "XP Antivirus Pro 2010" infection...No success in deleting at all!

Post by Belahzur on Fri Mar 05, 2010 11:17 pm

Yes. Smile

Post by PanzerschreckLeopard on Fri Mar 05, 2010 11:19 pm

Thanks, it had it set to once a day. -_-'

I guess it's gone...but now I've gotten paranoid that any moment I'll get another...

Post by Belahzur on Fri Mar 05, 2010 11:20 pm

Turn AVG's guard back on, keep it updated, and be careful what sites you surf.

Post by PanzerschreckLeopard on Fri Mar 05, 2010 11:25 pm

Okay. We plan on getting Norton. Big Grin
