win32:Alureon-FR

View previous topic View next topic Go down

win32:Alureon-FR

Post by Namski on 29th March 2010, 10:20 pm

I did a scan on my pc with Avast and it showed me this virus.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:28 PM, on 3/29/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PASSPORT\Passport.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\wic program\My Documents\Downloads\winlogon(3).scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

[You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

[You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

[You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

[You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

[You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

[You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

[You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

*.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and

Settings\LocalService\bdq.exe \s
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java

Update\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - [You must be registered and logged in to see this link.] Files\AIM

Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

[You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} -

[You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program

Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{012E145E-6D14-43E8-8DB4-8E3AEE9E3D76}: NameServer =

93.188.164.64,93.188.166.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E9491A-D5BD-4A9E-AEA1-E0FE69C241D7}: NameServer =

93.188.164.64,93.188.166.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.64,93.188.166.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{012E145E-6D14-43E8-8DB4-8E3AEE9E3D76}: NameServer =

93.188.164.64,93.188.166.90
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.164.64,93.188.166.90
O17 - HKLM\System\CS3\Services\Tcpip\..\{012E145E-6D14-43E8-8DB4-8E3AEE9E3D76}: NameServer =

93.188.164.64,93.188.166.90
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.164.64,93.188.166.90
O17 - HKLM\System\CS4\Services\Tcpip\..\{012E145E-6D14-43E8-8DB4-8E3AEE9E3D76}: NameServer =

93.188.164.64,93.188.166.90
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.64,93.188.166.90
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil

Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil

Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil

Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program

files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates

Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program

Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8374 bytes


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 30th March 2010, 12:48 am

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 30th March 2010, 4:13 pm

I tried to dl OTL using internet explorer and firefox, both said unable to connect. Is there anything else I can do?


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 30th March 2010, 10:38 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 31st March 2010, 12:11 am

OTL finally worked. Here are the logs:

OTL Extras logfile created on: 3/30/2010 4:50:27 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\wic program\Desktop\OTL
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 64.00 Mb Available Physical Memory | 13.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.97 Gb Total Space | 58.40 Gb Free Space | 82.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D17B4R51
Current User Name: wic program
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"F:\CACHE-49038502\core.sys" = F:\CACHE-49038502\core.sys:*:Microsoft Enabled -- File not found
"E:\CACHE-49038502\core.sys" = E:\CACHE-49038502\core.sys:*:Microsoft Enabled -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{66563AD8-637B-407F-BCA7-0233A16891AB}" = Business Contact Manager for Outlook 2003
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8EA0DF58-68D6-44A0-ADBC-922BAB00EAC1}" = Microsoft Office Live Meeting 2005
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9B2CFE3B-7F55-4786-A20D-BB244914F6D8}" = EarthLink Setup Files
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{D2464E10-4895-441F-8CC3-0A898D2E8F01}" = Microsoft IntelliPoint 6.11
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F2AB2488-A0BF-4A9B-98A9-A88CF20FD2FF}" = Meeting Manager for Internet Explorer
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Digital Editions" = Adobe Digital Editions
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"Mcafee SecurityCenter" = McAfee SecurityCenter
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"VirusScan Online" = McAfee VirusScan
"WildTangent CDA" = WildTangent Web Driver
"Windows XP Service Pack" = Windows XP Service Pack 2
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/30/2010 7:36:01 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:01 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:12 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:38 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:46:23 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

[ Application Events ]
Error - 3/30/2010 7:36:01 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:01 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:12 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:38 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:36:44 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 3/30/2010 7:46:23 PM | Computer Name = D17B4R51 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

[ System Events ]
Error - 7/16/2009 11:23:18 AM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/20/2009 2:52:50 PM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/22/2009 11:16:23 AM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/27/2009 11:32:30 AM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/27/2009 11:38:36 AM | Computer Name = D17B4R51 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.10.86.50 for the Network Card with network
address 00111125E548 has been denied by the DHCP server 10.10.86.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/28/2009 11:29:59 AM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/29/2009 11:31:52 AM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/30/2009 11:31:52 AM | Computer Name = D17B4R51 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.

Error - 7/30/2009 11:39:43 AM | Computer Name = D17B4R51 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.10.86.57 for the Network Card with network
address 00111125E548 has been denied by the DHCP server 10.10.86.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/30/2009 11:52:12 AM | Computer Name = D17B4R51 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.10.86.54 for the Network Card with network
address 00111125E548 has been denied by the DHCP server 10.10.86.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >









OTL logfile created on: 3/30/2010 4:50:27 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\wic program\Desktop\OTL
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 64.00 Mb Available Physical Memory | 13.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.97 Gb Total Space | 58.40 Gb Free Space | 82.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D17B4R51
Current User Name: wic program
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/30 16:50:01 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\wic program\Desktop\OTL\OTL.exe
PRC - [2010/03/09 09:54:52 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/09 03:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 14:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/10/13 20:56:16 | 000,126,976 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe
PRC - [2005/08/24 17:01:04 | 000,122,368 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\McTskshd.exe
PRC - [2004/09/28 10:04:06 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2003/10/29 00:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/03/30 16:50:01 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\wic program\Desktop\OTL\OTL.exe
MOD - [2006/08/25 08:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/10/13 20:56:16 | 000,126,976 | ---- | M] (McAfee, Inc) [Auto | Running] -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe)
SRV - [2005/08/24 17:01:04 | 000,122,368 | ---- | M] (McAfee, Inc) [Auto | Running] -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe)
SRV - [2005/07/01 20:22:50 | 000,245,760 | ---- | M] (McAfee, Inc) [On_Demand | Stopped] -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe)
SRV - [2003/08/08 16:04:38 | 000,106,496 | ---- | M] (Networks Associates Technology, Inc) [Auto | Stopped] -- c:\Program Files\McAfee.com\VSO\mcvsrte.exe -- (MCVSRte)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTBCM)
SRV - [2002/03/13 06:50:34 | 000,225,375 | ---- | M] () [On_Demand | Stopped] -- c:\Program Files\McAfee.com\VSO\McShield.exe -- (McShield)


========== Driver Services (SafeList) ==========

DRV - [2010/03/09 03:12:54 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys -- (aswTdi)
DRV - [2010/03/09 03:12:33 | 000,162,640 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys -- (aswSP)
DRV - [2010/03/09 03:09:08 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys -- (aswRdr)
DRV - [2010/03/09 03:08:41 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys -- (aswMon2)
DRV - [2010/03/09 03:08:30 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/03/09 03:08:15 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys -- (Aavmker4)
DRV - [2010/02/03 09:21:46 | 000,050,944 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ndisvvan.sys -- (Passthru)
DRV - [2009/10/26 08:30:25 | 000,040,128 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\ikzhrxxy.sys -- (ikzhrxxy)
DRV - [2005/07/26 17:19:22 | 000,051,392 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ATNT40K.SYS -- (ATNT40K)
DRV - [2004/09/28 10:15:27 | 000,028,352 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys -- (MxlW2k)
DRV - [2004/09/28 10:04:09 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\asctrm.sys -- (ASCTRM)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/03/14 23:04:00 | 000,100,597 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/03/14 23:04:00 | 000,098,580 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/03/14 23:04:00 | 000,085,972 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/03/14 23:04:00 | 000,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/03/14 23:04:00 | 000,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/03/14 23:04:00 | 000,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/03/14 23:04:00 | 000,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/03/14 23:04:00 | 000,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/03/14 23:04:00 | 000,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/02/27 00:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
DRV - [2004/02/13 01:21:00 | 000,086,160 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/02/11 12:27:38 | 000,019,456 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\iqvw32.sys -- (NAL)
DRV - [2004/01/14 17:18:16 | 000,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/01/14 17:18:04 | 000,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
DRV - [2003/11/17 13:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 13:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 13:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002/05/16 17:41:16 | 000,054,083 | ---- | M] (The Linksys Group, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WMP11NDS.sys -- (WMP11)
DRV - [2002/03/13 06:50:36 | 000,023,296 | ---- | M] () [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys -- (NaiFiltr)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/29 10:52:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/29 10:52:22 | 000,000,000 | ---D | M]

[2009/10/21 16:26:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wic program\Application Data\Mozilla\Extensions
[2009/10/21 16:26:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wic program\Application Data\Mozilla\Firefox\Profiles\xkbxii3x.default\extensions
[2010/03/29 11:27:45 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/25 15:44:09 | 000,011,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 msnfix.changelog.fr
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 virusinfo.prevx.com
O1 - Hosts: 127.0.0.1 download.bleepingcomputer.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 foro.noticias3d.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 lurker.clamav.net
O1 - Hosts: 127.0.0.1 lexikon.ikarus.at
O1 - Hosts: 127.0.0.1 research.sunbelt-software.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 ntfaq.co.kr
O1 - Hosts: 127.0.0.1 v.dreamwiz.com
O1 - Hosts: 127.0.0.1 cit.kookmin.ac.kr
O1 - Hosts: 127.0.0.1 forums.whatthetech.com
O1 - Hosts: 127.0.0.1 forum.hijackthis.de
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 forum.malekal.com
O1 - Hosts: 127.0.0.1 tech.pantip.com
O1 - Hosts: 127.0.0.1 sapcupgrades.com
O1 - Hosts: 355 more lines...
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O3 - HKLM\..\Toolbar: (McAfee VirusScan) - {BA52B914-B692-46c4-B683-905236F6F655} - c:\Program Files\McAfee.com\VSO\mcvsshl.dll (Networks Associates Technology, Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Search) - {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [MCAgentExe] c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc)
O4 - HKLM..\Run: [McRegWiz] c:\Program Files\McAfee.com\Agent\mcregwiz.exe ()
O4 - HKLM..\Run: [MCUpdateExe] C:\Program Files\McAfee.com\Agent\mcupdate.exe (McAfee, Inc)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [VirusScan Online] c:\Program Files\McAfee.com\VSO\mcvsshld.exe (Networks Associates Technology, Inc)
O4 - HKLM..\Run: [VSOCheckTask] c:\Program Files\McAfee.com\VSO\mcmnhdlr.exe (Networks Associates Technology, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.81.2 68.94.156.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.64,93.188.166.90
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\bdq.exe \s) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\wic program\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\wic program\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/17 14:23:13 | 000,000,000 | ---D | M] - C:\AUTODATE -- [ NTFS ]
O32 - AutoRun File - [2004/03/20 10:58:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{84687593-169f-11df-acf0-00111125e548}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\cmd.exe -- [2004/08/04 01:56:50 | 000,388,608 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{84687593-169f-11df-acf0-00111125e548}\Shell\explore\command - "" = C:\WINDOWS\System32\cmd.exe -- [2004/08/04 01:56:50 | 000,388,608 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{84687593-169f-11df-acf0-00111125e548}\Shell\open\command - "" = C:\WINDOWS\System32\cmd.exe -- [2004/08/04 01:56:50 | 000,388,608 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d7c13aa8-eb4d-11da-aa4a-00111125e548}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\cmd.exe -- [2004/08/04 01:56:50 | 000,388,608 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d7c13aa8-eb4d-11da-aa4a-00111125e548}\Shell\explore\command - "" = C:\WINDOWS\System32\cmd.exe -- [2004/08/04 01:56:50 | 000,388,608 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d7c13aa8-eb4d-11da-aa4a-00111125e548}\Shell\open\command - "" = C:\WINDOWS\System32\cmd.exe -- [2004/08/04 01:56:50 | 000,388,608 | ---- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/30 16:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wic program\Desktop\OTL
[2010/03/30 14:38:25 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/30 14:38:25 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/30 14:38:25 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/30 14:38:25 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/30 14:38:24 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/30 14:38:24 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/30 14:38:24 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/03/30 14:37:08 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/30 14:37:08 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/03/25 16:35:23 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/03/25 16:35:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/24 12:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/24 12:26:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/23 10:08:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/22 09:49:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/17 13:50:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/17 13:47:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/03/17 13:47:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/17 13:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/03/17 13:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/08 10:31:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wic program\My Documents\Downloads
[2007/12/03 12:37:37 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/05/20 15:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/09/28 09:29:42 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/30 16:53:44 | 000,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/03/30 16:49:04 | 000,549,766 | ---- | M] () -- C:\Documents and Settings\wic program\Desktop\OTL.zip
[2010/03/30 16:03:12 | 000,001,417 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ISIS.zws
[2010/03/30 16:03:12 | 000,000,269 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ISIS.zcc
[2010/03/30 14:41:54 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/03/30 14:41:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/30 14:41:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/03/30 14:41:02 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/30 14:40:03 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\wic program\NTUSER.DAT
[2010/03/30 14:40:03 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\wic program\NTUSER.INI
[2010/03/30 14:38:24 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/30 14:09:36 | 000,000,722 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/03/30 11:40:10 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\wic program\Desktop\~$C-Training-CivilRights-LessonPlanForTrainers.doc
[2010/03/30 11:40:05 | 000,550,400 | ---- | M] () -- C:\Documents and Settings\wic program\Desktop\WIC-Training-CivilRights-LessonPlanForTrainers.doc
[2010/03/30 11:04:29 | 000,000,049 | ---- | M] () -- C:\WINDOWS\webica.ini
[2010/03/29 12:35:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/25 15:44:14 | 000,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/03/25 15:41:03 | 000,143,360 | ---- | M] () -- C:\e-5.exe
[2010/03/24 12:27:06 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/23 20:12:17 | 000,001,920 | ---- | M] () -- C:\e4.exe
[2010/03/17 08:37:01 | 000,071,680 | -H-- | M] () -- C:\WINDOWS\System32\ntuser.init
[2010/03/17 08:37:01 | 000,071,680 | -H-- | M] () -- C:\Documents and Settings\wic program\ntuser.init
[2010/03/15 08:30:16 | 000,402,426 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/03/15 08:30:15 | 000,472,050 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/15 08:30:15 | 000,061,930 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/03/09 03:24:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/03/09 03:24:05 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/09 03:12:54 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/09 03:12:33 | 000,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/09 03:09:08 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/09 03:08:41 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/09 03:08:38 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/09 03:08:30 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/09 03:08:15 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/30 16:48:56 | 000,549,766 | ---- | C] () -- C:\Documents and Settings\wic program\Desktop\OTL.zip
[2010/03/30 11:40:10 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\wic program\Desktop\~$C-Training-CivilRights-LessonPlanForTrainers.doc
[2010/03/30 11:40:02 | 000,550,400 | ---- | C] () -- C:\Documents and Settings\wic program\Desktop\WIC-Training-CivilRights-LessonPlanForTrainers.doc
[2010/03/25 15:44:14 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/03/25 08:34:24 | 000,143,360 | ---- | C] () -- C:\e-5.exe
[2010/03/24 12:27:06 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/24 12:27:06 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/23 08:10:33 | 000,001,920 | ---- | C] () -- C:\e4.exe
[2010/02/08 17:53:19 | 000,071,680 | -H-- | C] () -- C:\WINDOWS\System32\ntuser.init
[2009/10/12 08:23:35 | 000,040,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\ikzhrxxy.sys
[2009/10/12 08:22:50 | 000,050,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndisvvan.sys
[2006/02/28 16:56:09 | 000,114,688 | R--- | C] () -- C:\WINDOWS\System32\VSHP2600.DLL
[2006/02/28 16:56:05 | 011,194,368 | R--- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2006/02/28 16:56:04 | 000,749,568 | R--- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2005/09/06 13:15:02 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\wic program\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/26 17:19:22 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2005/07/11 08:36:32 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\wic program\Local Settings\Application Data\fusioncache.dat
[2005/05/13 16:24:29 | 000,000,049 | ---- | C] () -- C:\WINDOWS\webica.ini
[2004/12/22 19:48:32 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/09/28 10:18:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/09/28 10:13:56 | 000,023,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\NaiFiltr.sys
[2004/09/28 10:07:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/09/28 10:03:14 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/09/28 09:49:18 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/09/28 09:31:56 | 000,000,549 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/03/26 14:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/03/20 11:21:34 | 000,000,791 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/03/19 15:37:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2003/01/07 13:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/31 11:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1979/12/31 22:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 584620 bytes -> C:\WINDOWS\Temp:temp
@Alternate Data Stream - 13901 bytes -> C:\WINDOWS\Help:help
< End of report >


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 31st March 2010, 12:39 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :OTL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.64,93.188.166.90
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\bdq.exe \s) - File not found
    [2010/03/25 15:41:03 | 000,143,360 | ---- | M] () -- C:\e-5.exe
    [2010/03/23 20:12:17 | 000,001,920 | ---- | M] () -- C:\e4.exe
    [2009/10/12 08:23:35 | 000,040,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\ikzhrxxy.sys
    [2009/10/12 08:22:50 | 000,050,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndisvvan.sys

    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "userinit"="C:\WINDOWS\system32\userinit.exe,"

    :commands
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 31st March 2010, 4:12 pm

Thanks. I had to reboot. This is what showed up afterwards:


========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\LocalService\bdq.exe \s deleted successfully.
C:\e-5.exe moved successfully.
C:\e4.exe moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\ikzhrxxy.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\ndisvvan.sys scheduled to be moved on reboot.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\"userinit"|"C:\WINDOWS\system32\userinit.exe," /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.37.3 log created on 03312010_085517

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\ikzhrxxy.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\ndisvvan.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 31st March 2010, 9:50 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 1st April 2010, 1:08 am

ComboFix 10-03-29.04 - wic program 03/31/2010 17:06:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.166 [GMT -7:00]
Running from: c:\documents and settings\wic program\My Documents\Downloads\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\wic program\Local Settings\Temporary Internet Files\Pre1E.tmp
c:\progra~1\AWS\WEATHE~1\MINIbu~1.dll
c:\program files\AWS\WEATHE~1\MINIBU~1.DLL
c:\documents and settings\LocalService\secupdat.dat . . . . failed to delete
c:\windows\system32\drivers\ndisvvan.sys . . . . failed to delete
c:\windows\system32\secupdat.dat . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-03-31 22:18 . 2010-03-31 22:18 -------- d-----w- c:\windows\LastGood
2010-03-31 22:18 . 2010-03-31 22:18 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-31 15:55 . 2010-03-31 15:55 -------- d-----w- C:\_OTL
2010-03-30 21:38 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-30 21:38 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-30 21:38 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-30 21:38 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-30 21:38 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-30 21:38 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-30 21:38 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-30 21:37 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-30 21:37 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-25 23:35 . 2010-03-25 23:35 -------- d-----w- c:\program files\Alwil Software
2010-03-25 23:35 . 2010-03-25 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-24 19:27 . 2010-03-31 22:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-24 19:27 . 2010-03-24 19:27 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-24 19:26 . 2010-03-24 19:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-17 20:50 . 2010-03-17 20:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-17 20:47 . 2010-03-17 20:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 22:18 . 2010-03-31 22:18 95360 ----a-w- c:\windows\system32\drivers\OLD2B2.tmp
2010-03-31 15:36 . 2008-09-10 23:25 -------- d-----w- c:\documents and settings\wic program\Application Data\U3
2010-02-03 16:21 . 2009-10-26 15:28 72704 ---h--w- c:\windows\system32\secupdat.dat
2010-02-03 16:21 . 2009-10-12 15:22 50944 ----a-w- c:\windows\system32\drivers\ndisvvan.sys
2010-02-02 21:56 . 2004-09-28 16:58 -------- d-----w- c:\program files\Common Files\Java
2010-02-02 21:55 . 2010-02-02 21:55 503808 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-659e8c81-n\msvcp71.dll
2010-02-02 21:55 . 2010-02-02 21:55 499712 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-659e8c81-n\jmc.dll
2010-02-02 21:55 . 2010-02-02 21:55 348160 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-659e8c81-n\msvcr71.dll
2010-02-02 21:55 . 2010-02-02 21:55 61440 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-22c48680-n\decora-sse.dll
2010-02-02 21:55 . 2010-02-02 21:55 12800 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-22c48680-n\decora-d3d.dll
2010-02-02 21:54 . 2010-02-02 21:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-02 21:54 . 2004-09-28 16:58 -------- d-----w- c:\program files\Java
2010-01-31 23:57 . 2009-10-12 15:22 72704 ---h--w- c:\documents and settings\LocalService\secupdat.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-09-28 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 163840]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-05-18 849288]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-9-28 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ikzhrxxy.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R0 ikzhrxxy;ikzhrxxy;c:\windows\SYSTEM32\DRIVERS\ikzhrxxy.sys [10/12/2009 8:23 AM 40128]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/30/2010 2:38 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/30/2010 2:38 PM 19024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:03 AM 24652]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [9/28/2004 10:13 AM 23296]
R3 WMP11;Instant Wireless PCI Card Driver;c:\windows\SYSTEM32\DRIVERS\WMP11NDS.sys [5/16/2002 5:41 PM 54083]
S3 minisv32;MiniPort Service;\??\c:\windows\system32\drivers\minisv32.sys --> c:\windows\system32\drivers\minisv32.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\wic program\Application Data\Mozilla\Firefox\Profiles\xkbxii3x.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\wic program\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-31 17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1244)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-03-31 17:32:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-01 00:32

Pre-Run: 62,477,979,648 bytes free
Post-Run: 63,297,462,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 840D8AD9BCAB54F7047102FBF3EBF4CE


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 1st April 2010, 11:28 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Driver::
    ikzhrxxy

    File::
    c:\windows\SYSTEM32\DRIVERS\ikzhrxxy.sys
    c:\documents and settings\LocalService\secupdat.dat
    c:\windows\system32\drivers\ndisvvan.sys
    c:\windows\system32\secupdat.dat
    c:\windows\system32\drivers\OLD2B2.tmp

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ikzhrxxy.sys]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 3rd April 2010, 1:27 am

ComboFix 10-03-29.04 - wic program 04/02/2010 18:07:26.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.232 [GMT -7:00]
Running from: c:\documents and settings\wic program\My Documents\Fremont Move\New Folder\Combo-Fix.exe
Command switches used :: F:\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point

FILE ::
"c:\documents and settings\LocalService\secupdat.dat"
"c:\windows\SYSTEM32\DRIVERS\ikzhrxxy.sys"
"c:\windows\system32\drivers\ndisvvan.sys"
"c:\windows\system32\drivers\OLD2B2.tmp"
"c:\windows\system32\secupdat.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\secupdat.dat
c:\windows\SYSTEM32\DRIVERS\ikzhrxxy.sys
c:\windows\system32\drivers\ndisvvan.sys
c:\windows\system32\drivers\OLD2B2.tmp
c:\windows\system32\secupdat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IKZHRXXY
-------\Service_ikzhrxxy
-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-03-31 22:18 . 2010-03-31 22:18 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-31 15:55 . 2010-03-31 15:55 -------- d-----w- C:\_OTL
2010-03-30 21:38 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-30 21:38 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-30 21:38 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-30 21:38 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-30 21:38 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-30 21:38 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-30 21:38 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-30 21:37 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-30 21:37 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-25 23:35 . 2010-03-25 23:35 -------- d-----w- c:\program files\Alwil Software
2010-03-25 23:35 . 2010-03-25 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-24 19:27 . 2010-03-31 22:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-24 19:27 . 2010-03-24 19:27 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-24 19:26 . 2010-03-24 19:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-17 20:50 . 2010-03-17 20:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-17 20:47 . 2010-03-17 20:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 15:36 . 2008-09-10 23:25 -------- d-----w- c:\documents and settings\wic program\Application Data\U3
2010-02-02 21:56 . 2004-09-28 16:58 -------- d-----w- c:\program files\Common Files\Java
2010-02-02 21:55 . 2010-02-02 21:55 503808 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-659e8c81-n\msvcp71.dll
2010-02-02 21:55 . 2010-02-02 21:55 499712 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-659e8c81-n\jmc.dll
2010-02-02 21:55 . 2010-02-02 21:55 348160 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-659e8c81-n\msvcr71.dll
2010-02-02 21:55 . 2010-02-02 21:55 61440 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-22c48680-n\decora-sse.dll
2010-02-02 21:55 . 2010-02-02 21:55 12800 -c--a-w- c:\documents and settings\wic program\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-22c48680-n\decora-d3d.dll
2010-02-02 21:54 . 2010-02-02 21:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-02 21:54 . 2004-09-28 16:58 -------- d-----w- c:\program files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-09-28 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 163840]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-05-18 849288]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-9-28 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/30/2010 2:38 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/30/2010 2:38 PM 19024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:03 AM 24652]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [9/28/2004 10:13 AM 23296]
R3 WMP11;Instant Wireless PCI Card Driver;c:\windows\SYSTEM32\DRIVERS\WMP11NDS.sys [5/16/2002 5:41 PM 54083]
S3 minisv32;MiniPort Service;\??\c:\windows\system32\drivers\minisv32.sys --> c:\windows\system32\drivers\minisv32.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\wic program\Application Data\Mozilla\Firefox\Profiles\xkbxii3x.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-02 18:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-04-02 18:22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-03 01:22
ComboFix2.txt 2010-04-01 00:32

Pre-Run: 63,289,966,592 bytes free
Post-Run: 63,245,328,384 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,5,6,7
- - End Of File - - 23601747A714F809ABBD9EBF7C7EA661


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 3rd April 2010, 1:53 am

I also wanted to add- my internet is no longer working. How can I get it back up again? Thanks.


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 3rd April 2010, 9:50 pm

Hello.

You are running two antivirus', I see from the uninstall list you have Avast installed, along with Mcafee. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Mcafee to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9
    Java(TM) 6 Update 18
    Java 2 Runtime Environment, SE v1.4.2_03
    McAfee VirusScan
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 4th April 2010, 3:40 am

Thanks. It seems to be working fine now but I still can't connect to the internet. Any help with that? I really appreciate all your help.


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Belahzur on 5th April 2010, 12:09 am

Please download Winsock XP Fix from here:
[You must be registered and logged in to see this link.]

Download and run it.
Hit the "Fix" button.

Once completed, reboot the machine.
Do you have a connection now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:Alureon-FR

Post by Namski on 6th April 2010, 5:24 pm

I have connection and did a scan, no viruses! All of your help is much appreciated. Thanks.


Stimulus Overload.


.

Namski
Intermediate
Intermediate

Posts Posts : 74
Joined Joined : 2010-01-05
Gender Gender : Male
OS OS : Windows XP
Points Points : 26228
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum