Trojan Cryptic.LK

View previous topic View next topic Go down

Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 2:48 pm

AVG picked up and quarantined Trojan Cryptic.LK. BUt I still appear to have some sort of infection. Google search results are often redirected and new Internet Explorer windows open randomly always showing some sort of flaky advertising site.
I've run AVG, Malwarebytes Anti-Malware, CCleaner, RegCure and maybe a couple of others, all to no avail.
Any ideas?

I've included the OTL.txt file below.

Descartes.


OTL logfile created on: 5/9/2010 1:06:33 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Adriane\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 179.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 217.91 Gb Total Space | 122.49 Gb Free Space | 56.21% Space Free | Partition Type: NTFS
Drive D: | 14.98 Gb Total Space | 12.23 Gb Free Space | 81.70% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1.86 Gb Total Space | 1.85 Gb Free Space | 99.67% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: HOME-305ED5D1B3
Current User Name: Adriane
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/08 16:17:41 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adriane\Desktop\OTL.exe
PRC - [2010/05/07 17:15:58 | 000,834,248 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/05/07 17:15:57 | 001,285,864 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/05/06 14:22:29 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
PRC - [2010/04/29 13:43:44 | 012,776,728 | ---- | M] () -- C:\Program Files\RegCure\RegCure.exe
PRC - [2010/04/23 08:52:20 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Adriane\Start Menu\Programs\Startup\avgtray .exe
PRC - [2010/04/23 08:52:06 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/02 08:48:48 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/13 09:07:28 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/13 09:07:22 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/13 09:06:45 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/13 09:06:45 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/26 20:42:42 | 000,718,232 | ---- | M] (Pelmorex Media Inc.) -- C:\Documents and Settings\Adriane\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
PRC - [2009/05/26 21:06:32 | 004,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/30 15:16:42 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/04/04 18:58:30 | 003,502,080 | ---- | M] () -- C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
PRC - [2005/04/04 18:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe


========== Modules (SafeList) ==========

MOD - [2010/05/08 16:17:41 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adriane\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/07 17:15:57 | 001,285,864 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/13 09:07:22 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/13 09:06:45 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/04/04 18:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)
SRV - [2000/05/24 15:20:36 | 000,015,360 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\WINDOWS\system32\ATMsrvc.exe -- (ATMsrvc)


========== Driver Services (SafeList) ==========

DRV - [2010/04/23 08:52:07 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/13 09:07:28 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/13 09:06:45 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/02/04 10:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/09/04 20:47:44 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/09/01 18:06:35 | 000,014,656 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2007/01/30 05:57:50 | 004,474,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/27 16:33:54 | 000,019,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/11/27 16:33:50 | 000,058,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/10/31 01:35:00 | 003,964,256 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}:6.0.18
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.783
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="


FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/23 09:03:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/03/30 13:37:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/13 10:05:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/05/08 16:02:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/16 00:25:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/08 16:14:14 | 000,000,000 | ---D | M]

[2008/06/16 12:22:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adriane\Application Data\Mozilla\Extensions
[2008/06/16 12:22:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Adriane\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/03/30 13:27:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adriane\Application Data\Mozilla\Firefox\Profiles\gj4kin6n.default\extensions
[2009/12/03 00:35:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Adriane\Application Data\Mozilla\Firefox\Profiles\gj4kin6n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/30 18:25:08 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Adriane\Application Data\Mozilla\Firefox\Profiles\gj4kin6n.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/05/08 16:02:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/16 12:22:35 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/08/20 08:00:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/01 09:29:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009/03/22 14:28:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/06/01 17:16:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/27 18:34:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2010/05/08 16:02:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/05/29 15:09:12 | 000,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2008/05/29 15:09:13 | 000,134,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2008/06/17 16:12:42 | 000,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2004/11/12 22:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2010/05/08 16:02:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/05/29 15:09:14 | 000,065,536 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2009/12/21 18:34:06 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/03/13 10:05:35 | 000,140,864 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2010/04/16 00:25:31 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/04/16 00:25:31 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/04/16 00:25:31 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/04/16 00:25:31 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/04/16 00:25:32 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/04/16 00:25:32 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/04/16 00:25:32 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/03/13 10:05:57 | 000,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
[2010/03/13 10:05:29 | 000,098,304 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2010/03/29 08:52:24 | 000,032,576 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
[2008/05/29 09:24:14 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2008/05/29 09:24:14 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/03/30 13:27:54 | 000,001,346 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2008/05/29 09:24:14 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2008/05/29 09:24:14 | 000,002,642 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2008/05/29 09:24:14 | 000,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2008/05/29 09:24:14 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2008/05/29 09:24:14 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/05/07 14:56:13 | 000,393,037 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 13575 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [WeatherEye] C:\Documents and Settings\Adriane\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O4 - Startup: C:\Documents and Settings\Adriane\Start Menu\Programs\Startup\AVG Free User Interface.lnk = C:\Program Files\AVG\AVG9\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - Startup: C:\Documents and Settings\Adriane\Start Menu\Programs\Startup\avgtray .exe (AVG Technologies CZ, s.r.o.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} [You must be registered and logged in to see this link.] (MSN Games Matchmaking)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} [You must be registered and logged in to see this link.] (CPlayFirstTriJinxControl Object)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} [You must be registered and logged in to see this link.] (MSN Games Buddy Invite)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} [You must be registered and logged in to see this link.] (MSN Games Game Chat)
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} [You must be registered and logged in to see this link.] (AtlAtomadersCtlAttrib Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} [You must be registered and logged in to see this link.] (MJLauncherCtrl Class)
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} [You must be registered and logged in to see this link.] (ZPA_DMNO Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} [You must be registered and logged in to see this link.] (ZoneAxRcMgr Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} [You must be registered and logged in to see this link.] (MSN Games - Installer)
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} [You must be registered and logged in to see this link.] (CPlayFirstddfotgControl Object)
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} [You must be registered and logged in to see this link.] (Bridge Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} [You must be registered and logged in to see this link.] (AstoundLauncher Control)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} [You must be registered and logged in to see this link.] (MSN Games Game Communicator)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [You must be registered and logged in to see this link.] (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (get_atlcom Class)
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} [You must be registered and logged in to see this link.] (CPlayFirstSweetopiaControl Object)
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} [You must be registered and logged in to see this link.] (MSN Games Backgammon)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.176.13 64.59.176.15 64.59.177.226
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

continued in next post....

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 2:51 pm

OTL.txt file continued
===============

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/01 18:02:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/08 16:17:40 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adriane\Desktop\OTL.exe
[2010/05/08 16:12:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/05/08 16:12:14 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/05/08 16:12:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/05/08 16:02:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/08 16:02:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/08 16:02:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/08 16:02:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/08 13:32:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Adriane\Recent
[2010/05/07 17:16:32 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/05/07 17:16:25 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/07 17:14:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/05/07 17:13:30 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/07 17:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/05/07 14:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Adriane\Application Data\Malwarebytes
[2010/05/07 14:31:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/07 14:31:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/07 14:31:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/07 14:31:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/07 14:18:58 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/07 14:18:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/07 10:35:59 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/06 20:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/05/06 04:13:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/05/06 04:01:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/06 02:29:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/06 02:05:06 | 000,000,000 | ---D | C] -- C:\Program Files\RegCure
[2010/05/06 02:05:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2010/05/06 01:53:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/05/06 01:53:39 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/05/06 01:46:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Adriane\Application Data\Uniblue
[2010/05/06 01:46:35 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2010/05/05 23:40:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 22:34:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/05 19:38:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/05 18:47:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Adriane\Local Settings\Application Data\mkprhtlhg
[2010/05/05 17:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MythPeople
[2010/05/05 17:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/05/05 17:38:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2010/05/05 17:37:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Oberon Media
[2010/05/05 17:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar Installer
[2010/05/05 15:27:26 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/23 08:52:20 | 002,064,736 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Adriane\Start Menu\Programs\Startup\avgtray .exe
[2010/04/16 00:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/09 01:02:22 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1647877149-725345543-1004.job
[2010/05/09 01:02:22 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1647877149-725345543-1004.job
[2010/05/09 01:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/05/09 00:49:11 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/09 00:02:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/05/08 23:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/05/08 22:49:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/08 22:05:11 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C227070E-26BC-48E2-B1D3-0488D965F4CA}.job
[2010/05/08 22:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/05/08 21:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/05/08 20:01:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/08 20:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/05/08 19:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/05/08 18:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/05/08 17:00:01 | 000,000,394 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/05/08 17:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/05/08 16:45:46 | 059,752,088 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/08 16:17:41 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adriane\Desktop\OTL.exe
[2010/05/08 16:14:15 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/08 16:13:14 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/05/08 16:02:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/08 16:02:19 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/08 16:02:19 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/08 16:02:19 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/08 16:02:19 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/08 16:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/05/08 15:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/05/08 14:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/05/08 13:28:13 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/05/08 13:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/05/08 12:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/05/08 11:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/05/08 10:00:01 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/05/08 09:13:33 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/08 09:09:57 | 000,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/08 09:09:52 | 000,002,359 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/05/08 09:09:31 | 000,000,368 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Startup.job
[2010/05/08 09:09:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/08 09:09:19 | 000,012,696 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/08 09:09:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/08 01:14:43 | 011,272,192 | ---- | M] () -- C:\Documents and Settings\Adriane\ntuser.dat
[2010/05/08 01:14:43 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Adriane\ntuser.ini
[2010/05/07 17:34:48 | 000,000,158 | ---- | M] () -- C:\Documents and Settings\Adriane\default.pls
[2010/05/07 17:34:26 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/07 17:16:21 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/07 17:16:20 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/05/07 17:14:22 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/07 14:56:13 | 000,393,037 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/07 14:32:00 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/07 14:19:15 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Adriane\Desktop\Spybot - Search & Destroy.lnk
[2010/05/07 11:26:06 | 001,741,472 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/07 10:36:01 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Adriane\Desktop\CCleaner.lnk
[2010/05/07 09:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/05/07 08:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/05/07 07:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/05/07 06:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/05/07 05:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/05/07 04:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/05/07 03:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/05/07 02:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/05/06 22:45:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/06 08:53:21 | 000,000,553 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/06 08:53:21 | 000,000,236 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/06 04:41:09 | 000,000,376 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2010/05/06 02:56:48 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2010/05/06 02:51:31 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Adriane\Application Data\dm.ini
[2010/05/06 02:05:07 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2010/05/06 01:46:39 | 000,000,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SpeedUpMyPC.lnk
[2010/05/05 23:34:25 | 000,001,269 | ---- | M] () -- C:\Documents and Settings\Adriane\Desktop\WeatherEye.lnk
[2010/05/05 23:21:07 | 000,012,696 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/05/05 17:37:54 | 000,001,648 | ---- | M] () -- C:\Documents and Settings\Adriane\Desktop\Azkend.lnk
[2010/05/05 17:37:54 | 000,001,140 | ---- | M] () -- C:\Documents and Settings\Adriane\Desktop\MSN Games.lnk
[2010/05/03 08:51:43 | 000,019,679 | ---- | M] () -- C:\Documents and Settings\Adriane\Desktop\Time Sheet and billing.ods
[2010/05/01 13:20:39 | 000,002,071 | ---- | M] () -- C:\WINDOWS\panose.bin
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/25 09:07:17 | 002,109,896 | -H-- | M] () -- C:\Documents and Settings\Adriane\Local Settings\Application Data\IconCache.db
[2010/04/23 08:52:20 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Adriane\Start Menu\Programs\Startup\avgtray .exe
[2010/04/23 08:52:07 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/21 17:25:53 | 000,104,040 | ---- | M] () -- C:\Documents and Settings\Adriane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/17 15:08:02 | 000,071,168 | ---- | M] () -- C:\Documents and Settings\Adriane\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/16 00:25:23 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/13 03:51:48 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/08 16:14:15 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/08 16:13:14 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/05/07 19:42:15 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/05/07 17:25:44 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/07 17:14:22 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/07 14:32:00 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/07 14:19:15 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Adriane\Desktop\Spybot - Search & Destroy.lnk
[2010/05/07 11:29:17 | 000,000,178 | ---- | C] () -- C:\Documents and Settings\Adriane\avgrep.txt
[2010/05/07 10:36:01 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Adriane\Desktop\CCleaner.lnk
[2010/05/06 20:42:43 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/06 02:43:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Adriane\Application Data\dm.ini
[2010/05/06 02:43:29 | 000,000,871 | ---- | C] () -- C:\Documents and Settings\Adriane\Application Data\AdobeDLM.log
[2010/05/06 02:05:13 | 000,000,394 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/05/06 02:05:13 | 000,000,368 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Startup.job
[2010/05/06 02:05:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\tasks\RegCure.job
[2010/05/06 02:05:07 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2010/05/06 01:46:39 | 000,000,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SpeedUpMyPC.lnk

Continued in next post again....

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 2:52 pm

OTL.txt file continued
===============

[2010/05/05 23:31:28 | 000,001,519 | ---- | C] () -- C:\Documents and Settings\Adriane\Start Menu\Programs\Startup\AVG Free User Interface.lnk
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/05/05 18:47:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/05/05 18:47:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/05/05 18:47:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/05/05 18:47:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/05/05 17:37:54 | 000,001,648 | ---- | C] () -- C:\Documents and Settings\Adriane\Desktop\Azkend.lnk
[2010/05/05 08:28:42 | 011,272,192 | ---- | C] () -- C:\Documents and Settings\Adriane\ntuser.dat
[2010/04/16 00:25:23 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/13 03:51:48 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/03/25 18:32:42 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/20 16:53:00 | 000,000,321 | ---- | C] () -- C:\WINDOWS\SoftWriting.ini
[2007/11/21 02:06:29 | 000,016,987 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2007/11/13 17:16:42 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/09/23 21:52:17 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2007/09/09 23:40:04 | 000,000,077 | ---- | C] () -- C:\WINDOWS\WINCHESS.INI
[2007/09/04 23:48:29 | 000,000,156 | ---- | C] () -- C:\WINDOWS\Kpcms.ini
[2007/09/04 23:48:20 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/09/04 20:47:43 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/09/02 16:51:24 | 000,000,168 | ---- | C] () -- C:\WINDOWS\CWE.INI
[2007/09/02 13:19:12 | 000,000,053 | ---- | C] () -- C:\WINDOWS\ADAM.INI
[2007/09/02 13:19:12 | 000,000,048 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/09/02 13:19:12 | 000,000,016 | ---- | C] () -- C:\WINDOWS\cap_pi.ini
[2007/09/02 00:19:39 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/02/01 01:03:00 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpgt2300.dll
[2006/10/31 01:35:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/31 01:35:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/31 01:35:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/31 01:35:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/31 01:35:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/31 01:35:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/31 01:35:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/06/11 11:47:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2000/04/12 16:24:10 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[1997/09/30 15:30:02 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2007/09/04 20:47:44 | 000,685,816 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2007/09/01 12:52:19 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/09/01 12:52:19 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/09/01 12:52:19 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2006/02/28 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2006/02/28 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2006/02/28 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2006/02/28 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2006/02/28 07:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2006/02/28 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2006/02/28 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2006/02/28 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2006/02/28 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2006/02/28 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2006/02/28 07:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2006/02/28 07:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2006/02/28 07:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2006/02/28 07:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2006/02/28 07:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 13:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 08:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 19:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 19:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 19:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 19:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 19:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 19:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 19:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 19:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 19:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 19:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 19:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 19:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 19:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 19:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 19:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010/05/08 09:09:05 | 000,000,220 | ---- | M] () -- C:\aaw7boot.log
[2007/09/01 18:02:51 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/05/06 02:56:48 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2007/09/01 18:02:51 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/09/01 18:02:51 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/09 01:03:55 | 000,000,657 | ---- | M] () -- C:\JavaRa.log
[2007/09/01 18:02:51 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2002/01/05 03:38:38 | 000,054,784 | ---- | M] (Microsoft Corporation) -- C:\msvci70.dll
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/08/27 15:06:48 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/08 09:09:05 | 1509,949,440 | -HS- | M] () -- C:\pagefile.sys
[2007/12/22 23:07:41 | 000,163,557 | ---- | M] () -- C:\playground.log
[2008/07/09 23:15:06 | 000,000,960 | ---- | M] () -- C:\WS_FTP.LOG
[2008/06/23 13:21:23 | 000,097,110 | ---- | M] () -- C:\YServer.txt

Continued in next post (hopefully one last time).....

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 3:02 pm

< %appdata%\*.* >
[2010/05/06 02:51:31 | 000,000,871 | ---- | M] () -- C:\Documents and Settings\Adriane\Application Data\AdobeDLM.log
[2007/09/01 12:55:21 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Adriane\Application Data\desktop.ini
[2010/05/06 02:51:31 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Adriane\Application Data\dm.ini


< MD5 for: AGP440.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2006/02/28 07:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys


Continued yet again....

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 3:19 pm

OTL.txt continued...
==============

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: SCECLI.DLL >
[2006/02/28 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/08/27 15:04:34 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/03 23:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

Continued....

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 3:38 pm

OTL.txt file continued
===============

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows Update\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows Update\Auto Update\Results\Install\\LastSuccessTime: 2010-04-15 15:28:42

========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF2C26D2
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91CF76E3
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:063AF3ED
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F880DE59
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:82C50600
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:45E9EFF4
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:18DB21EC
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CFBE2D1
< End of report >

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Belahzur on Sun May 09, 2010 4:22 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Descartes on Sun May 09, 2010 6:39 pm

Results of ComboFix.txt

=====================================


ComboFix 10-05-08.03 - Adriane 05/09/2010 13:21:13.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.335 [GMT -5:00]
Running from: c:\documents and settings\Adriane\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Adriane\Start Menu\Programs\Startup\avgtray .exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-08 21:13 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Adriane\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-05-08 21:12 . 2010-05-08 21:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-08 21:12 . 2010-05-08 21:12 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-08 21:12 . 2010-05-09 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-08 21:02 . 2010-05-08 21:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-07 22:16 . 2010-05-07 22:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-07 22:13 . 2010-05-09 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-07 19:32 . 2010-05-07 19:32 -------- d-----w- c:\documents and settings\Adriane\Application Data\Malwarebytes
2010-05-07 19:31 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 19:31 . 2010-05-07 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-07 19:31 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 19:31 . 2010-05-07 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 19:18 . 2010-05-08 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-07 19:18 . 2010-05-07 19:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-07 15:35 . 2010-05-07 15:36 -------- d-----w- c:\program files\CCleaner
2010-05-07 01:42 . 2010-05-09 10:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-06 19:20 . 2010-05-06 19:20 483328 ----a-w- c:\documents and settings\Adriane\Application Data\Qualcomm\Eudora\attach\acrotray.exe
2010-05-06 09:01 . 2010-05-06 09:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-06 07:05 . 2010-05-06 07:24 -------- d-----w- c:\program files\RegCure
2010-05-06 07:05 . 2010-05-06 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-05-06 06:53 . 2010-05-06 06:53 1422 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_166A73803CEF3B8478C6197E3D02849A.dll
2010-05-06 06:53 . 2010-05-06 06:53 4355 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_136715193F9AC7B44B28340E60F85DA5.dll
2010-05-06 06:53 . 2010-05-06 06:53 316 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0D756077321A70C3E844C138CE981581.dll
2010-05-06 06:53 . 2010-05-06 06:53 128 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_104C2FB8EC20D424CB62C6F4F94B646B.dll
2010-05-06 06:53 . 2010-05-06 06:53 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
2010-05-06 06:53 . 2010-05-06 06:53 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0F78997E43E0CC248BFFC668A0EE2BA6.dll
2010-05-06 06:53 . 2010-05-06 06:53 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2010-05-06 06:53 . 2010-05-06 06:53 1357 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_08E8456490400000E7A85400F0580510.dll
2010-05-06 06:53 . 2010-05-06 06:53 769 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_01E4D47B488600000000000000001030.dll
2010-05-06 06:53 . 2010-05-06 06:53 423 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109020090400000000000F01FEC.dll
2010-05-06 06:53 . 2010-05-06 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-06 06:53 . 2010-05-06 06:53 -------- d-----w- c:\program files\Security Task Manager
2010-05-06 06:46 . 2010-05-06 06:46 -------- d-----w- c:\documents and settings\Adriane\Application Data\Uniblue
2010-05-06 06:46 . 2010-05-06 06:46 -------- d-----w- c:\program files\Uniblue
2010-05-06 04:16 . 2010-05-06 04:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-06 00:00 . 2010-05-06 00:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-05 23:47 . 2010-05-07 09:29 -------- d-----w- c:\documents and settings\Adriane\Local Settings\Application Data\mkprhtlhg
2010-05-05 22:38 . 2010-05-05 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2010-05-05 22:38 . 2010-05-05 22:38 -------- d-----w- c:\program files\Microsoft
2010-05-05 22:38 . 2010-05-05 22:38 -------- d-----w- c:\program files\MSN Toolbar
2010-05-05 22:37 . 2010-05-05 22:37 -------- d-----w- c:\program files\Common Files\Oberon Media
2010-05-05 22:37 . 2010-05-05 22:39 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-05-05 05:21 . 2010-05-05 05:21 862872 ----a-w- c:\documents and settings\Adriane\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-04-16 05:25 . 2010-04-16 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 18:19 . 2009-01-25 20:07 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-05-09 17:27 . 2007-09-01 23:06 104040 ----a-w- c:\documents and settings\Adriane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 15:12 . 2009-03-09 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-09 06:02 . 2007-09-02 01:22 -------- d-----w- c:\program files\Java
2010-05-08 21:14 . 2007-09-02 01:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-08 21:03 . 2007-09-02 01:22 -------- d-----w- c:\program files\Common Files\Java
2010-05-07 16:14 . 2007-09-04 18:01 -------- d-----w- c:\documents and settings\Adriane\Application Data\Azureus
2010-05-07 09:01 . 2007-09-02 01:17 -------- d-----w- c:\program files\Windows Defender
2010-05-07 09:00 . 2007-09-05 01:51 -------- d-----w- c:\program files\DAEMON Tools
2010-05-07 04:45 . 2007-09-02 01:26 -------- d-----w- c:\program files\QuickTime
2010-05-06 20:40 . 2008-12-23 07:27 1 ----a-w- c:\documents and settings\Adriane\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-06 20:17 . 2010-02-23 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-05 23:38 . 2007-11-12 17:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-05 22:37 . 2008-11-27 01:41 -------- d-----w- c:\program files\Oberon Media
2010-05-05 22:37 . 2007-11-12 17:40 -------- d-----w- c:\program files\MSN Games
2010-05-04 13:52 . 2008-09-21 20:23 -------- d-----w- c:\documents and settings\Adriane\Application Data\Skype
2010-05-04 13:52 . 2008-09-21 20:26 -------- d-----w- c:\documents and settings\Adriane\Application Data\skypePM
2010-05-01 18:20 . 2007-09-05 04:10 2071 ----a-w- c:\windows\panose.bin
2010-04-23 13:52 . 2008-05-08 15:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-13 08:51 . 2009-03-09 22:14 -------- d-----w- c:\program files\Google
2010-03-25 08:45 . 2007-09-02 01:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 15:05 . 2010-03-13 15:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-13 15:05 . 2010-03-13 15:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-13 15:05 . 2010-03-13 15:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-13 15:05 . 2010-03-13 15:05 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-13 15:05 . 2010-03-13 15:05 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-13 15:05 . 2010-03-13 15:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-13 15:05 . 2010-03-13 15:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-13 15:05 . 2010-03-13 15:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-13 15:05 . 2009-03-25 23:28 -------- d-----w- c:\program files\Common Files\Real
2010-03-13 15:05 . 2009-06-30 17:12 -------- d-----w- c:\program files\Real
2010-03-13 14:07 . 2010-03-13 14:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 14:07 . 2007-09-02 01:15 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 14:06 . 2008-05-08 15:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 05:12 . 2010-03-11 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2010-03-11 05:12 . 2010-03-11 05:12 -------- d-----w- c:\documents and settings\Adriane\Application Data\Merscom
2010-03-10 21:30 . 2010-03-10 21:30 -------- d-----w- c:\program files\Digital Photo Software
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-10 20:38 . 2010-02-10 20:38 402952 ----a-w- c:\documents and settings\Adriane\Application Data\Real\RealPlayer\setup\AU_setup11.exe
2008-09-18 13:13 . 2008-09-03 03:05 1131 ----a-w- c:\program files\WS_FTP.LOG
.
Code:
<pre>
c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\versioncuecs2tray .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\acdaemon .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\DAEMON Tools\daemon .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
c:\program files\MSN Toolbar\Platform\4.0.0360.0\mswinext .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Windows Defender\msascui .exe
c:\program files\Yahoo!\Search Protection\searchprotection .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\nerocheck .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"WeatherEye"="c:\documents and settings\Adriane\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC\launcher.exe" [2010-04-28 46448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2010-05-06 483328]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Adriane\Start Menu\Programs\Startup\
AVG Free User Interface.lnk - c:\program files\AVG\AVG9\avgui.exe [2010-4-23 4094304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-9-4 25214]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-1 113664]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-1 113664]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 14:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-31 06:35 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-01-30 10:54 16116224 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedUpMyPC]
2010-04-28 16:25 46448 ----a-w- c:\program files\Uniblue\SpeedUpMyPC\Launcher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\NetIntellGames\\Net Spades 4\\spades.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1863:TCP"= 1863:TCP:Windows Live Messenger
"6891:TCP"= 6891:TCP:Windows Live Messenger Transfer Features
"6900:TCP"= 6900:TCP:Windows Live Messenger Transfer Features

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/8/2008 10:19 AM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/8/2008 10:19 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/13/2010 9:06 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:07 AM 308064]
S2 gupdate1c9a105c6302644;Google Update Service (gupdate1c9a105c6302644);c:\program files\Google\Update\GoogleUpdate.exe [3/9/2009 5:24 PM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2007 8:47 PM 685816]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-09 13:29]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 22:23]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 22:23]

2010-05-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1647877149-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-05-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1647877149-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-05-08 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-04-29 18:43]

2010-05-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-04-29 18:43]

2010-05-09 c:\windows\Tasks\User_Feed_Synchronization-{C227070E-26BC-48E2-B1D3-0488D965F4CA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\documents and settings\Adriane\Application Data\Mozilla\Firefox\Profiles\gj4kin6n.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
.reg=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-09 13:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-09 13:34:01
ComboFix-quarantined-files.txt 2010-05-09 18:33

Pre-Run: 132,012,621,824 bytes free
Post-Run: 132,090,101,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - E48B6B91B1DE394966454C52F0A24463

Descartes
Novice
Novice

Posts Posts : 7
Joined Joined : 2010-05-08
OS OS : Windows XP
Points Points : 24133
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Trojan Cryptic.LK

Post by Belahzur on Tue May 11, 2010 7:50 pm


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Renv::
    c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\versioncuecs2tray .exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\acdaemon .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\DAEMON Tools\daemon .exe
    c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
    c:\program files\MSN Toolbar\Platform\4.0.0360.0\mswinext .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Skype\Phone\skype .exe
    c:\program files\Windows Defender\msascui .exe
    c:\program files\Yahoo!\Search Protection\searchprotection .exe
    c:\windows\system32\ctfmon .exe
    c:\windows\system32\nerocheck .exe

    DDS::
    uStart Page = about:blank
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum