Multiple iexplorer.exe instances amid other exe's + java script redirects



Post by cybernazi on Fri Aug 06, 2010 5:07 pm

I have been fighting a nasty bug on my home network - all Win XP Pro SP3 systems seemed to be infected with something which redirects all installed browsers randomly. Google Analytics seems to be indicated as part of or related to the problem - it may be that the systems were affected by a Java exploit planted by a PDF-embedded exe or dll. I suspect it is a Java virtual machine spawning malicious processes. Here is the bottom line - all systems were initially protected by ESET NOD32 4 - useless! Since uninstalled. I have run Microsoft Security Essentials, Malwarebytes' Anti-Malware, AVG, Avira, and Stinger. All have found nothing but tracking cookies, if that.

If I run Microsoft Update, I see multiple iexplorer.exe's running - and it takes 5 or so minutes for it to report that there are no updates. I have noticed other apps running with duplicates at times - notably the Fix-It Utilities process MXTask2.exe - at times runs with duplicates - right down to twin tray icons... I suspect that whatever bug I have is spoofing other valid applications' credentials to run undetected.

This is the hardest bug I have come across!

Trouble started about the time Firefox 3.6.7 and 3.6.8 (mid July) were released. I have uninstalled and reinstalled all Java and Sun Microsystems components (or tried to). Also removed all .jvs files dated July 2010. Reinstalled Firefox, and other related applications. Fix-It was added after the fact as it notifies me of any setup.exe launches, and was not part of the problem. I read the Microsoft security bulletin posted on 8/2/2010 at the McAfee Threat Center and downloaded the updates from MS but no effect. If the exploit got in that way - then the damage is already done and I am unable to detect it.

Any help would be appreciated - otherwise I will have to wipe all my systems and reinstall.

Currently have Avira running. Anti-Malware was reinstalled - running database version 4052 but cannot update: MBAM_ERROR_UPDATING (12007,0, WinHttoSendRequest) is reported, and shutting off Avira and the firewall has no effect.

Any HELP would be most appreciated!

I ran ComboFix - here is the log:

ComboFix 10-08-05.07 - K E V i N 08/06/2010 8:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.219 [GMT -7:00]
Running from: c:\documents and settings\K E V i N\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-06 13:10 . 2010-08-06 13:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avanquest
2010-08-06 04:38 . 2010-08-06 04:38 -------- d-----w- c:\documents and settings\K E V i N\Application Data\Avanquest
2010-08-05 17:52 . 2010-08-06 14:36 -------- d-----w- c:\windows\system32\NtmsData
2010-08-05 16:11 . 2010-08-05 16:11 -------- d-----w- c:\documents and settings\Z O E\Application Data\Avira
2010-08-05 14:25 . 2010-08-05 14:25 -------- d-----w- c:\documents and settings\K E V i N\Application Data\Avira
2010-08-05 13:37 . 2010-08-05 13:33 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-05 13:37 . 2010-08-05 13:33 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-05 13:37 . 2010-08-05 13:33 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-05 13:37 . 2010-08-05 13:33 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
2010-08-05 13:37 . 2010-08-05 13:33 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-05 13:37 . 2010-08-05 13:33 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
2010-08-05 13:37 . 2010-08-05 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-05 13:37 . 2010-08-05 13:37 -------- d-----w- c:\program files\Avira
2010-08-04 16:24 . 2010-08-04 16:26 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-03 16:52 . 2010-01-28 22:12 35000 ----a-w- c:\windows\system32\mxntdfg.exe
2010-08-03 16:52 . 2010-08-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
2010-08-03 16:51 . 2010-08-03 16:51 -------- d-----r- C:\_Backup.RC
2010-08-03 16:51 . 2010-08-06 14:41 -------- d-----w- C:\_Backup
2010-08-03 16:49 . 2010-08-03 16:49 -------- d-----w- c:\documents and settings\Z O E\Application Data\Avanquest
2010-08-03 16:49 . 2010-08-03 16:49 -------- d-----w- c:\program files\Avanquest
2010-08-03 15:24 . 2010-08-03 15:24 -------- d-----w- c:\program files\AVG
2010-08-03 15:23 . 2010-08-05 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-03 02:13 . 2010-08-03 02:13 -------- d-----w- c:\program files\Common Files\Java
2010-08-03 02:12 . 2010-08-03 02:12 503808 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\msvcp71.dll
2010-08-03 02:12 . 2010-08-03 02:12 499712 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\jmc.dll
2010-08-03 02:12 . 2010-08-03 02:12 348160 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\msvcr71.dll
2010-08-03 02:12 . 2010-08-03 02:12 12800 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4328d9c9-n\decora-d3d.dll
2010-08-03 02:12 . 2010-08-03 02:12 61440 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4328d9c9-n\decora-sse.dll
2010-08-03 02:12 . 2010-08-03 02:12 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 02:12 . 2010-08-03 02:12 -------- d-----w- c:\program files\Java
2010-07-31 23:43 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-31 15:50 . 2010-07-31 15:50 -------- d-sh--w- c:\documents and settings\Z O E\IECompatCache
2010-07-31 15:49 . 2010-07-31 15:49 -------- d-sh--w- c:\documents and settings\Z O E\PrivacIE
2010-07-31 15:35 . 2010-07-31 15:36 -------- d-----w- c:\program files\QuickTime
2010-07-31 15:35 . 2010-07-31 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-26 13:33 . 2010-07-26 13:33 -------- d-----w- c:\documents and settings\Z O E\Application Data\Malwarebytes
2010-07-21 19:58 . 2010-07-21 20:05 -------- d-----w- c:\documents and settings\S A r A\Application Data\U3
2010-07-16 14:36 . 2010-07-16 14:36 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 14:36 . 2010-07-16 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-14 13:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 21:30 . 2010-07-11 21:30 -------- d-----w- c:\documents and settings\Z O E\Local Settings\Application Data\Identities
2010-07-09 15:03 . 2010-07-09 15:03 -------- d-----w- c:\program files\Harmonic Vision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 13:31 . 2009-09-25 21:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-03 16:47 . 2009-09-25 20:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 15:44 . 2009-09-26 19:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-09 15:03 . 2009-08-25 23:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-07 04:01 . 2009-11-23 04:46 -------- d-----w- c:\documents and settings\L I Z Z O\Application Data\U3
2010-06-24 23:57 . 2010-06-24 23:57 -------- d-----w- c:\documents and settings\L I Z Z O\Application Data\Apple Computer
2010-06-24 23:57 . 2009-09-25 23:17 29576 ----a-w- c:\documents and settings\L I Z Z O\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2009-08-25 23:07 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-05 282792]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dialog Helper.lnk - c:\program files\VCOM\PowerDesk\pddlghlp.exe [2005-9-8 40960]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Z O E^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Z O E\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2001-10-08 19:59 45632 ----a-w- c:\windows\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-05-25 15:43 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 20:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/5/2010 6:37 AM 102856]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/5/2010 6:37 AM 536232]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/5/2010 6:37 AM 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/5/2010 6:37 AM 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/5/2010 6:37 AM 405672]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/5/2010 6:37 AM 79432]
S2 Fix-It Utilities 10 Essentials Task Manager;Fix-It Utilities 10 Essentials Task Manager;c:\progra~1\AVANQU~1\Fix-It\mxtask.exe -Service --> c:\progra~1\AVANQU~1\Fix-It\mxtask.exe -Service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-06 08:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1336)
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-06 08:43:31
ComboFix-quarantined-files.txt 2010-08-06 15:43

Pre-Run: 20,064,157,696 bytes free
Post-Run: 20,029,243,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 81C251BA3362E3DEFFB09A3675ACB685


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Fri Aug 06, 2010 6:28 pm

Update - I ran OTL with your custom script and here are the results from the Extras.txt file

OTL Extras logfile created on: 8/6/2010 11:12:57 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\K E V i N\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 122.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 2048

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 18.66 Gb Free Space | 50.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZOE
Current User Name: K E V i N
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [File Finder...] -- C:\Program Files\VCOM\PowerDesk\pdfind.exe /PATH:%1 (Avanquest Publishing USA, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{106339BC-A54D-4EE3-9688-A2BEBF8D49CC}" = Music Ace Deluxe
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BBC9458-07CA-4843-848B-5C8146E5EFA8}" = CreativeProjects
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{457791C5-D702-4143-A7B2-2744BE9573F2}" = HP Software Update
"{45FC15ED-1713-4394-ACDF-866E23F46F46}" = 1300_Help
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E03E0F0-9530-4D74-A6EE-0FF134EBA6F0}" = 1300Trb
"{5158974E-2D28-4018-9335-7694C2974746}" = Fix-It Utilities 10 Essentials
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C31E111-96BB-4ADC-9C81-E6D3EEDDD8D3}" = Powertoys For Windows XP
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{981FB376-8418-4EA8-BBED-9DE5AA63E7D5}" = SkinsHP1
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A1DCC235-DACC-4E1F-8D11-D630634B4AEF}" = PhotoGallery
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B24F8C38-099E-4C29-A5B2-F012B5E22CAB}" = 1300Tour
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B45D9FEE-1AF4-46F3-9A83-2545F81547F5}" = CreativeProjectsTemplates
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B93251B5-9209-4DAB-867C-AA98D91584CD}" = PowerDesk 6
"{BA9A0063-68B5-47B3-91EA-214AD5B79EFB}" = 1300
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"{FF26F7EA-BCEE-478C-9A1B-6B4F88717D73}" = CueTour
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Avira AntiVir Desktop" = Avira Premium Security Suite
"Celestia_is1" = Celestia 1.6.0
"HP Photo & Imaging" = HP Image Zone 4.2
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NeroVision!UninstallKey" = NeroVision Express 2 SE
"NMPUninstallKey" = Nero Media Player
"PROSet" = Intel(R) PRO Network Connections Drivers
"Winamp" = Winamp
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/3/2010 5:49:01 PM | Computer Name = ZOE | Source = ESENT | ID = 470
Description = Catalog Database (1640) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

Error - 8/4/2010 11:53:07 AM | Computer Name = ZOE | Source = ESENT | ID = 490
Description = svchost (1636) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 8/4/2010 11:53:07 AM | Computer Name = ZOE | Source = ESENT | ID = 470
Description = Catalog Database (1636) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

Error - 8/4/2010 12:17:22 PM | Computer Name = ZOE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This operation returned because the timeout period expired.

Error - 8/5/2010 9:37:54 AM | Computer Name = ZOE | Source = ESENT | ID = 490
Description = svchost (1636) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 8/5/2010 9:37:54 AM | Computer Name = ZOE | Source = ESENT | ID = 470
Description = Catalog Database (1636) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

Error - 8/5/2010 9:52:28 AM | Computer Name = ZOE | Source = Application Error | ID = 1000
Description = Faulting application avgnt.exe, version 10.0.13.17, faulting module
unknown, version 0.0.0.0, fault address 0xffffffff.

Error - 8/5/2010 10:01:54 AM | Computer Name = ZOE | Source = ESENT | ID = 490
Description = svchost (1208) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 8/5/2010 10:09:29 AM | Computer Name = ZOE | Source = ESENT | ID = 490
Description = svchost (1208) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 8/5/2010 10:09:29 AM | Computer Name = ZOE | Source = ESENT | ID = 470
Description = Catalog Database (1208) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

[ System Events ]
Error - 8/6/2010 9:39:06 AM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/6/2010 9:39:13 AM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/6/2010 9:39:34 AM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Fix-It Utilities 10 Essentials Task Manager service terminated
unexpectedly. It has done this 1 time(s).

Error - 8/6/2010 10:42:32 AM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Volume Shadow Copy service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/6/2010 12:20:07 PM | Computer Name = ZOE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/6/2010 12:20:39 PM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/6/2010 12:20:43 PM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/6/2010 12:20:57 PM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The Fix-It Utilities 10 Essentials Task Manager service terminated
unexpectedly. It has done this 1 time(s).

Error - 8/6/2010 12:21:54 PM | Computer Name = ZOE | Source = Service Control Manager | ID = 7034
Description = The InteractiveLogon service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/6/2010 12:41:54 PM | Computer Name = ZOE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126


< End of report >

Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Fri Aug 06, 2010 6:28 pm

Here is the OTL.txt log

OTL logfile created on: 8/6/2010 11:19:29 AM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\K E V i N\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 83.00 Mb Available Physical Memory | 16.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 2048

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 18.63 Gb Free Space | 50.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZOE
Current User Name: K E V i N
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/06 11:06:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\K E V i N\My Documents\Downloads\OTL.exe
PRC - [2010/08/05 06:33:11 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/08/05 06:32:24 | 000,405,672 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2010/08/05 06:32:23 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2010/08/05 06:32:19 | 000,337,064 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2010/08/05 06:32:17 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/08/05 06:32:15 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/08/05 06:32:14 | 000,536,232 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2010/07/22 19:07:03 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/22 19:06:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/28 15:12:00 | 000,050,456 | ---- | M] (Avanquest Software) -- C:\Program Files\Avanquest\Fix-It\MXTask2.exe
PRC - [2010/01/28 15:11:58 | 000,529,688 | ---- | M] (Avanquest Software) -- C:\Program Files\Avanquest\Fix-It\mxtask.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/14 10:26:58 | 002,146,304 | ---- | M] (Avanquest Publishing USA, Inc.) -- C:\Program Files\VCOM\PowerDesk\PDExplo.exe
PRC - [2001/10/08 12:59:36 | 000,049,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Fast.exe


========== Modules (SafeList) ==========

MOD - [2010/08/06 11:06:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\K E V i N\My Documents\Downloads\OTL.exe
MOD - [2010/01/28 15:03:36 | 000,028,672 | ---- | M] (Avanquest Software) -- C:\Program Files\Avanquest\Fix-It\WinHook.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/08/05 06:33:11 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/08/05 06:32:24 | 000,405,672 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService)
SRV - [2010/08/05 06:32:19 | 000,337,064 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2010/08/05 06:32:17 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/08/05 06:32:14 | 000,536,232 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe -- (AntiVirFirewallService)
SRV - [2010/01/28 15:11:58 | 000,529,688 | ---- | M] (Avanquest Software) [Auto | Running] -- C:\Program Files\Avanquest\Fix-It\mxtask.exe -- (Fix-It Utilities 10 Essentials Task Manager)
SRV - [2004/03/18 16:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2001/10/08 12:59:36 | 000,049,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\Fast.exe -- (InteractiveLogon)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\omci.sys -- (omci)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\KEVIN~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/08/05 06:33:41 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/08/05 06:33:40 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/08/05 06:33:39 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/08/05 06:33:38 | 000,102,856 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avfwot.sys -- (avfwot)
DRV - [2010/08/05 06:33:38 | 000,079,432 | ---- | M] (Avira GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avfwim.sys -- (avfwim)
DRV - [2010/08/05 06:32:14 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2001/08/24 00:00:00 | 000,098,176 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NBF.SYS -- (Nbf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 66 E5 8C 01 54 32 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://odb.org/"
FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.6.20100719

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/02 18:51:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/02 19:12:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/07/31 08:36:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/08/02 18:49:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\K E V i N\Application Data\Mozilla\Extensions
[2010/08/06 07:12:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\extensions
[2010/03/12 16:18:28 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
[2010/05/21 09:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\extensions\anttoolbar@ant.com
[2010/07/22 07:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\extensions\nasanightlaunch@example.com
[2010/08/06 07:12:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/02 19:12:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/08/02 19:12:15 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.65.44 213.109.75.130 1.1.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\K E V i N\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\K E V i N\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/25 16:10:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "Adobe LM Service"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^Z O E^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe - File not found
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: CoolSwitch - hkey= - key= - File not found
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: HotKeysCmds - hkey= - key= - File not found
MsConfig - StartUpReg: HP Component Manager - hkey= - key= - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {133CB499-C303-A6B3-1BE9-841A271A8112} - Windows Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {843DFF97-E77E-2A54-32E1-A20534C0F3C0} - NetShow
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/06 09:28:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/06 09:28:25 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/06 09:28:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/06 09:10:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/08/06 09:00:46 | 000,000,000 | ---D | C] -- C:\Commy
[2010/08/06 08:34:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/06 08:32:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/06 08:32:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/06 08:32:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/06 08:32:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/06 08:32:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/06 08:31:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/06 06:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Avanquest
[2010/08/05 21:38:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\K E V i N\Application Data\Avanquest
[2010/08/05 11:14:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/05 10:52:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/05 07:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\K E V i N\Application Data\Avira
[2010/08/05 06:37:31 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/08/05 06:37:29 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/08/05 06:37:29 | 000,102,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avfwot.sys
[2010/08/05 06:37:29 | 000,079,432 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avfwim.sys
[2010/08/05 06:37:29 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/08/05 06:37:29 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/08/05 06:37:29 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/08/05 06:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/08/05 06:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/08/04 09:24:36 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/08/03 09:52:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\BVRP Software
[2010/08/03 09:52:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avanquest
[2010/08/03 09:51:26 | 000,000,000 | RHSD | C] -- C:\_Backup.RC
[2010/08/03 09:51:20 | 000,000,000 | ---D | C] -- C:\_Backup
[2010/08/03 09:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\Avanquest
[2010/08/03 08:24:12 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/08/03 08:23:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/08/02 19:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/02 19:13:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/02 19:12:43 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/02 19:12:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/02 19:12:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/02 19:12:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/02 19:12:43 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/02 19:12:07 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/08/02 18:54:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\K E V i N\Application Data\Sun
[2010/07/31 16:43:08 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/07/31 16:39:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/07/31 08:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/07/31 08:35:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/07/16 07:36:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/07/14 06:47:49 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/09 08:04:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Harmonic Vision
[2010/07/09 08:03:16 | 000,000,000 | ---D | C] -- C:\Program Files\Harmonic Vision
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/06 09:42:43 | 000,001,194 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/06 09:42:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/06 09:40:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/06 09:40:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/06 09:39:19 | 002,359,296 | ---- | M] () -- C:\Documents and Settings\K E V i N\NTUSER.DAT
[2010/08/06 09:39:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\K E V i N\ntuser.ini
[2010/08/06 09:28:32 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/06 09:27:39 | 000,869,051 | ---- | M] () -- C:\Documents and Settings\K E V i N\Desktop\SecurityCheck.exe
[2010/08/06 09:07:50 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/06 08:34:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/06 08:27:25 | 003,816,416 | R--- | M] () -- C:\Documents and Settings\K E V i N\Desktop\Commy.exe
[2010/08/05 06:39:25 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/05 06:33:41 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/08/05 06:33:40 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/08/05 06:33:40 | 000,022,360 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/08/05 06:33:39 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/08/05 06:33:38 | 000,102,856 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avfwot.sys
[2010/08/05 06:33:38 | 000,079,432 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avfwim.sys
[2010/08/05 06:33:38 | 000,045,416 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/08/03 09:44:19 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/02 19:12:13 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/02 19:12:13 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/02 19:12:13 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/02 19:12:13 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/02 19:12:12 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/02 16:40:20 | 000,438,518 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/02 16:40:20 | 000,380,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/02 16:40:20 | 000,052,764 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/02 14:56:10 | 000,004,507 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/02 14:38:24 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/31 08:36:06 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/07/26 23:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/06 09:28:32 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/06 09:27:38 | 000,869,051 | ---- | C] () -- C:\Documents and Settings\K E V i N\Desktop\SecurityCheck.exe
[2010/08/06 09:23:39 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\K E V i N\Desktop\Cheetah.exe
[2010/08/06 09:15:34 | 000,000,297 | ---- | C] () -- C:\Documents and Settings\K E V i N\cheetah.txt
[2010/08/06 08:34:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/06 08:34:19 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/06 08:32:30 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/06 08:32:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/06 08:32:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/06 08:32:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/06 08:32:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/06 08:27:17 | 003,816,416 | R--- | C] () -- C:\Documents and Settings\K E V i N\Desktop\Commy.exe
[2010/08/05 06:39:25 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/03 09:52:10 | 000,035,000 | ---- | C] () -- C:\WINDOWS\System32\mxntdfg.exe
[2010/08/02 14:38:24 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/31 08:36:06 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/09/26 13:03:12 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/09/26 08:51:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/26 08:51:39 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2009/09/26 08:51:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2006/11/09 14:07:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2001/10/08 13:24:26 | 000,148,544 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[2001/10/08 12:59:46 | 000,016,960 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/08/25 08:55:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/25 08:55:22 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/25 08:55:22 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 03:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 03:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 03:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 03:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 03:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 03:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 03:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 03:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 03:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 03:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 03:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 03:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 03:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 03:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 03:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 11:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/05/01 22:22:50 | 001,851,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 17:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 17:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 17:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 17:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 17:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 17:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 17:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 17:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 17:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 17:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 17:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 17:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 17:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 17:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 17:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2009/08/25 16:10:31 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/03 09:44:19 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/06 08:34:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/06 09:10:08 | 000,017,366 | ---- | M] () -- C:\ComboFix.txt
[2009/08/25 16:10:31 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2003/12/08 13:15:56 | 000,028,672 | R--- | M] ( ) -- C:\hpqimgrc.resources.dll
[2009/08/25 16:10:31 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/08/25 16:10:31 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/09/25 14:34:46 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/06 09:40:36 | 1073,741,824 | -HS- | M] () -- C:\pagefile.sys
[2010/05/24 10:34:53 | 661,933,406 | ---- | M] () -- C:\Speak German - Disk01.gi
[2010/05/24 10:28:42 | 607,319,966 | ---- | M] () -- C:\Speak German - Disk02.gi
[2010/05/24 10:23:09 | 601,795,118 | ---- | M] () -- C:\Speak German - Disk03.gi
[2010/05/24 10:44:35 | 599,306,702 | ---- | M] () -- C:\Speak German - Disk04.gi
[2010/05/24 10:17:40 | 596,924,126 | ---- | M] () -- C:\Speak German - Disk05.gi
[2010/05/24 10:12:17 | 608,648,846 | ---- | M] () -- C:\Speak German - Disk06.gi
[2010/05/24 10:06:48 | 616,349,186 | ---- | M] () -- C:\Speak German - Disk07.gi
[2010/05/24 09:50:48 | 636,731,726 | ---- | M] () -- C:\Speak German - Disk08.gi
[2010/05/24 09:34:18 | 566,791,868 | ---- | M] () -- C:\Speak German - Disk09.gi
[2010/05/24 09:28:41 | 434,270,672 | ---- | M] () -- C:\Speak German - Disk10.gi

< %PROGRAMFILES%\*. >
[2010/07/31 08:42:55 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/09/26 12:57:09 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2009/08/25 16:23:10 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2009/10/09 09:02:20 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/08/03 09:49:05 | 000,000,000 | ---D | M] -- C:\Program Files\Avanquest
[2010/08/03 08:24:12 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/08/05 06:37:19 | 000,000,000 | ---D | M] -- C:\Program Files\Avira
[2009/09/27 19:29:56 | 000,000,000 | ---D | M] -- C:\Program Files\Celestia
[2010/08/06 09:04:25 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/08/25 16:07:02 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/09/26 12:58:32 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2009/08/25 16:17:08 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2010/07/09 08:03:16 | 000,000,000 | ---D | M] -- C:\Program Files\Harmonic Vision
[2009/09/25 15:33:38 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/09/25 15:36:38 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/07/09 08:03:12 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/06/09 07:46:41 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/08/02 19:12:07 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/08/06 09:28:34 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/09 20:04:16 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2009/09/26 08:42:34 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/10/08 21:40:12 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/06/03 13:39:41 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/09/26 08:49:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/03/10 15:56:41 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/08/02 18:49:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/08/06 06:31:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Thunderbird
[2009/10/08 21:39:55 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2009/08/25 16:06:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/08/25 16:06:38 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/09/25 16:40:55 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/09/25 14:38:14 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/08/02 16:40:13 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/08/02 16:33:07 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/07/31 08:36:18 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/09/26 08:45:29 | 000,000,000 | ---D | M] -- C:\Program Files\Snapshot Viewer
[2009/08/25 16:15:33 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/09/25 13:45:54 | 000,000,000 | ---D | M] -- C:\Program Files\VCOM
[2009/09/26 13:22:37 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2010/08/04 09:26:54 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Safety Center
[2009/09/30 06:21:54 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/09/30 06:21:52 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/09/25 14:38:08 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/08/25 16:09:00 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/08/25 16:11:11 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2009/08/25 08:58:03 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\K E V i N\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 03:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 03:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 14:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/10/18 15:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/10/18 14:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2007/02/09 20:06:00 | 000,100,096 | ---- | M] (LSI Logic) MD5=A42F863305943869BA00A613C8EE8C7E -- C:\WINDOWS\dell\symmpi\symmpi.sys

< MD5 for: USBSTOR.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2009/09/25 14:29:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/03 23:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-14 14:02:55
< End of report >


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Fri Aug 06, 2010 7:56 pm

Hello.
Since running Combofix, are you having the same problem?

Download [You must be registered and logged in to see this link.] to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Fri Aug 06, 2010 10:15 pm

Thanks for your help; here is the MBRCheck log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF8A53000 \WINDOWS\system32\KDCOM.DLL
0xF8963000 \WINDOWS\system32\BOOTVID.dll
0xF8504000 ACPI.sys
0xF8A55000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84F3000 pci.sys
0xF8553000 isapnp.sys
0xF8B1B000 PCIIde.sys
0xF87D3000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF8A57000 intelide.sys
0xF8563000 MountMgr.sys
0xF84D4000 ftdisk.sys
0xF8A59000 dmload.sys
0xF84AE000 dmio.sys
0xF87DB000 PartMgr.sys
0xF8573000 VolSnap.sys
0xF8496000 atapi.sys
0xF87E3000 cercsr6.sys
0xF847E000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF8583000 disk.sys
0xF8593000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF845E000 fltmgr.sys
0xF844C000 sr.sys
0xF85A3000 PxHelp20.sys
0xF8435000 KSecDD.sys
0xF83A8000 Ntfs.sys
0xF837B000 NDIS.sys
0xF8361000 Mup.sys
0xF8753000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8242000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF822E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8883000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF820A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF888B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF81E2000 \SystemRoot\system32\DRIVERS\e1000325.sys
0xF8893000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF8763000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF889B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8773000 \SystemRoot\system32\DRIVERS\serial.sys
0xF8A0F000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF81CE000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8783000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8793000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF87A3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF81AB000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8125000 \SystemRoot\system32\drivers\smwdm.sys
0xF8101000 \SystemRoot\system32\drivers\portcls.sys
0xF87B3000 \SystemRoot\system32\drivers\drmk.sys
0xF8A69000 \SystemRoot\system32\drivers\aeaudio.sys
0xF80EE000 \SystemRoot\system32\DRIVERS\avfwim.sys
0xF8C57000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF87C3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8A1F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF80D7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF85C3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF85D3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF88A3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF80C6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF85E3000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF88AB000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF88B3000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF8096000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF85F3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF88BB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A6D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF8010000 \SystemRoot\system32\DRIVERS\update.sys
0xF8A3B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF8603000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8623000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A6F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF88C3000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8A71000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8BA6000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A73000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88D3000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF88DB000 \SystemRoot\System32\drivers\vga.sys
0xF8A75000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A77000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF88E3000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF88EB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8310000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB26E5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB268C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB2664000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB263E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB2626000 \SystemRoot\system32\DRIVERS\avfwot.sys
0xF8643000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF89F3000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB25DC000 \SystemRoot\System32\drivers\afd.sys
0xF8653000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF88F3000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB25B1000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB2541000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8663000 \SystemRoot\System32\Drivers\Fips.SYS
0xF88FB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF89FF000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF8903000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF890B000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF8913000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB251F000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF8A7F000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF8A1B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF8683000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF8693000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF8092000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF808E000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xF86E3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB2507000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A85000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB2750000 \SystemRoot\System32\drivers\Dxapi.sys
0xF892B000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B86000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF06B000 \SystemRoot\System32\ialmdd5.DLL
0xB22EA000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB20F2000 \SystemRoot\system32\DRIVERS\nbf.sys
0xB2282000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB1F5D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8ADF000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB1CFE000 \SystemRoot\system32\DRIVERS\srv.sys
0xB1648000 \SystemRoot\system32\drivers\wdmaud.sys
0xB173D000 \SystemRoot\system32\drivers\sysaudio.sys
0xB126F000 \SystemRoot\System32\Drivers\HTTP.sys
0xB10B4000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 34):
0 System Idle Process
4 System
1172 C:\WINDOWS\system32\smss.exe
1260 csrss.exe
1284 C:\WINDOWS\system32\winlogon.exe
1328 C:\WINDOWS\system32\services.exe
1340 C:\WINDOWS\system32\lsass.exe
1528 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1652 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1856 C:\WINDOWS\system32\svchost.exe
200 svchost.exe
332 C:\WINDOWS\system32\svchost.exe
428 svchost.exe
1040 svchost.exe
1884 C:\WINDOWS\system32\spoolsv.exe
2008 C:\Program Files\Avira\AntiVir Desktop\sched.exe
412 svchost.exe
852 C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
876 C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
900 C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
936 C:\Program Files\Avanquest\Fix-It\mxtask.exe
1212 C:\Program Files\Java\jre6\bin\jqs.exe
1408 C:\WINDOWS\system32\svchost.exe
2028 C:\WINDOWS\system32\Fast.exe
608 C:\Program Files\Avanquest\Fix-It\MXTask2.exe
728 C:\WINDOWS\system32\wuauclt.exe
2096 alg.exe
2696 C:\WINDOWS\explorer.exe
3700 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2476 C:\Program Files\Mozilla Firefox\firefox.exe
2192 C:\Program Files\VCOM\PowerDesk\PDExplo.exe
3068 C:\Program Files\Internet Explorer\iexplore.exe
2720 C:\Program Files\Internet Explorer\iexplore.exe
1480 C:\Documents and Settings\K E V i N\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST340014A, Rev: 8.16

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

cybernazi, Intermediate. Posts: 69. Joined: 2010-08-06. Gender: Male. OS: Windows 7 Pro

Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Sat Aug 07, 2010 12:20 am

Looks good, no bootkit. How is the machine running?


Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator. Posts: 34916. Joined: 2008-08-03. Gender: Male. OS: XP SP3 Media Centre

Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sat Aug 07, 2010 1:02 am

It runs like shit, to be honest. I am about to give up and wipe it. It takes 10 minutes just to get booted into Windows and get Firefox loaded.

I just ran the uninstall for Fix-It Utilities, and that was interesting. As I watched in Task Manager, it spawned 4 msiexec.exe processes, and indented under the last one were the following entries: wowexec.exe and mxthk16.exe. That looked weird, to say nothing of the multiple processes, so I googled mxthk16.exe and got mixed reports about it being suspected as a malware component. Other sites said it was part of Fix-It. OK, maybe it was, but after the uninstall completed the last msiexec.exe process stayed up, and so did both of the sub-processes. I tried to end-process all of them: no joy, no response. I did a search and msthk16.exe did not exist on the hard drive, yet it was running and would not shut down.

Just now, as I tried to get back into the system after a reboot, I had 2 Firefox processes for a bit. Also, the reason I removed Fix-It was that it was running 2 processes with different memory footprints, complete with double tray icons, but not on every reboot, only sometimes.

I also just downloaded and ran Ad-Aware. It found a number of files, but they all turned out to be the tools I had downloaded from your site to my desktop, so I assume they were false positives. In any event, it didn't help.

Any other ideas? I am stumped.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sat Aug 07, 2010 1:03 am

Here is the Ad-Aware log:

Logfile created: 8/6/2010 16:11:14
Ad-Aware version: 8.3.0
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: K E V i N

*********************** Definitions database information ***********************
Lavasoft definition file: 150.42
Genotype definition file version: 2010/08/03 14:27:34
Extended engine definition file: 6694.0

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 51111
Objects detected: 14


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 2
Folders.........: 0
LSPs............: 0
Cookies.........: 12
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409017 Family ID: 0
Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408869 Family ID: 0
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
Description: *specificclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408807 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0
Description: zedo* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408736 Family ID: 0
Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0

Quarantined items:
Description: c:\documents and settings\k e v i n\desktop\cheetah.exe Family Name: CoreGuardAntivirus2009.FakeCog (fs) Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: b7cdf0c4a99463be1d4c83c60578bafa
Description: c:\documents and settings\k e v i n\desktop\securitycheck.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: cef1f784173bb6c43c1dbe791a9bf097

Scan and cleaning complete: Finished correctly after 3218 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: folderstoscan, enabled:1, value: C:\
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: N/A

Scheduled scan settings:


Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Fri Aug 06 16:03:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Fri Aug 06 22:03:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Fri Aug 06 04:03:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Fri Aug 06 10:03:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Fri Aug 06 16:03:00 2010
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: true
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: false
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true


****************************** System information ******************************
Computer name: ZOE
Processor name: Intel(R) Pentium(R) 4 CPU 2.80GHz
Processor identifier: x86 Family 15 Model 3 Stepping 4
Processor speed: ~2793MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 772, number of processors 2, processor features: [MMX,SSE,SSE2]
Physical memory available: 111063040 bytes
Physical memory total: 534753280 bytes
Virtual memory available: 1888616448 bytes
Virtual memory total: 2147352576 bytes
Memory load: 79%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 1172 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1260 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1284 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1328 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1340 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1516 name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1620 name: C:\Program Files\Avira\AntiVir Desktop\avshadow.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1844 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1992 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 212 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 308 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1044 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1568 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 280 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 360 name: C:\Program Files\Avira\AntiVir Desktop\sched.exe owner: SYSTEM domain: NT AUTHORITY
PID: 656 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1144 name: C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1192 name: C:\Program Files\Avira\AntiVir Desktop\avmailc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1224 name: C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 1412 name: C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe owner: SYSTEM domain: NT AUTHORITY
PID: 140 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 428 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 816 name: C:\WINDOWS\system32\Fast.exe owner: SYSTEM domain: NT AUTHORITY
PID: 904 name: C:\PROGRA~1\AVANQU~1\Fix-It\mxtask2.exe owner: SYSTEM domain: NT AUTHORITY
PID: 716 name: C:\WINDOWS\system32\wuauclt.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2136 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2140 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2228 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3728 name: C:\WINDOWS\Explorer.EXE owner: K E V i N domain: ZOE
PID: 3784 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 3896 name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe owner: K E V i N domain: ZOE
PID: 3920 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: K E V i N domain: ZOE
PID: 3992 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: K E V i N domain: ZOE

Startup items:
Name: avgnt
imagepath: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: AntiVirFirewallService
displayname: Avira FireWall
Name: AntiVirMailService
displayname: Avira AntiVir MailGuard
Name: AntiVirSchedulerService
displayname: Avira AntiVir Scheduler
Name: AntiVirService
displayname: Avira AntiVir Guard
Name: AntiVirWebService
displayname: Avira AntiVir WebGuard
Name: AudioSrv
displayname: Windows Audio
Name: Browser
displayname: Computer Browser
Name: CryptSvc
displayname: CryptSvc
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: dmserver
displayname: Logical Disk Manager
Name: Dnscache
displayname: DNS Client
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: Fix-It Utilities 10 Essentials Task Manager
displayname: Fix-It Utilities 10 Essentials Task Manager
Name: helpsvc
displayname: Help and Support
Name: InteractiveLogon
displayname: InteractiveLogon
Name: JavaQuickStarterService
displayname: Java Quick Starter
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: W32Time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Sat Aug 07, 2010 2:48 pm

Hello.
The removed items are false positives.

Please download TDSSKiller [link requires forum login] and save it to your Desktop.

  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.





Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sat Aug 07, 2010 5:55 pm

Well, the first run yielded about 20 seconds of scanning, then it appeared to be complete, which surprised me. I was about to hit Report when it BSOD'd itself with the following stop error:

Stop: 0x00000024 (0x001902FE, 0xf898a38c, 0xf898a088, 0x00000000)

After rebooting, here is the report from that run... which looks incomplete.

I will re-run it to see what happens. I am assuming it will BSOD again.

2010/08/07 10:50:47.0453 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/07 10:50:47.0453 ================================================================================
2010/08/07 10:50:47.0453 SystemInfo:
2010/08/07 10:50:47.0453
2010/08/07 10:50:47.0453 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/07 10:50:47.0453 Product type: Workstation
2010/08/07 10:50:47.0453 ComputerName: ZOE
2010/08/07 10:50:47.0453 UserName: K E V i N
2010/08/07 10:50:47.0453 Windows directory: C:\WINDOWS
2010/08/07 10:50:47.0453 System windows directory: C:\WINDOWS
2010/08/07 10:50:47.0453 Processor architecture: Intel x86
2010/08/07 10:50:47.0453 Number of processors: 2
2010/08/07 10:50:47.0453 Page size: 0x1000
2010/08/07 10:50:47.0453 Boot type: Normal boot
2010/08/07 10:50:47.0453 ================================================================================
2010/08/07 10:50:48.0281 Initialize success


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sat Aug 07, 2010 5:57 pm

Here is the report after the second run:

OK, so far no BSOD.

2010/08/07 10:50:47.0453 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/07 10:50:47.0453 ================================================================================
2010/08/07 10:50:47.0453 SystemInfo:
2010/08/07 10:50:47.0453
2010/08/07 10:50:47.0453 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/07 10:50:47.0453 Product type: Workstation
2010/08/07 10:50:47.0453 ComputerName: ZOE
2010/08/07 10:50:47.0453 UserName: K E V i N
2010/08/07 10:50:47.0453 Windows directory: C:\WINDOWS
2010/08/07 10:50:47.0453 System windows directory: C:\WINDOWS
2010/08/07 10:50:47.0453 Processor architecture: Intel x86
2010/08/07 10:50:47.0453 Number of processors: 2
2010/08/07 10:50:47.0453 Page size: 0x1000
2010/08/07 10:50:47.0453 Boot type: Normal boot
2010/08/07 10:50:47.0453 ================================================================================
2010/08/07 10:50:48.0281 Initialize success
2010/08/07 10:55:46.0281 ================================================================================
2010/08/07 10:55:46.0281 Scan started
2010/08/07 10:55:46.0296 Mode: Manual;
2010/08/07 10:55:46.0296 ================================================================================
2010/08/07 10:55:46.0828 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/07 10:55:46.0921 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/07 10:55:47.0109 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/08/07 10:55:47.0234 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/07 10:55:47.0375 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/07 10:55:47.0890 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/07 10:55:47.0984 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/07 10:55:48.0109 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/07 10:55:48.0250 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/07 10:55:48.0343 avfwim (1aad99ec3679bd773cb8320a3148987d) C:\WINDOWS\system32\DRIVERS\avfwim.sys
2010/08/07 10:55:48.0468 avfwot (30801654a9b220c48ebf003c25f00345) C:\WINDOWS\system32\DRIVERS\avfwot.sys
2010/08/07 10:55:48.0562 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/08/07 10:55:48.0671 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/08/07 10:55:48.0765 avipbb (5e3c710987aa8f7f8dde964429d533e5) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/08/07 10:55:48.0875 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/07 10:55:48.0968 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/07 10:55:49.0093 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/07 10:55:49.0187 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/07 10:55:49.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/07 10:55:49.0406 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/08/07 10:55:49.0734 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/07 10:55:49.0890 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/07 10:55:50.0046 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/07 10:55:50.0156 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/07 10:55:50.0281 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/07 10:55:50.0453 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/07 10:55:50.0531 E1000 (d94437e7ee086677b266099f695cdea1) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2010/08/07 10:55:50.0687 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/07 10:55:50.0812 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/07 10:55:50.0875 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/07 10:55:50.0968 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/07 10:55:51.0062 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/07 10:55:51.0187 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/07 10:55:51.0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/07 10:55:51.0421 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/07 10:55:51.0515 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/07 10:55:51.0734 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/08/07 10:55:51.0843 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/08/07 10:55:51.0953 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/08/07 10:55:52.0062 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/07 10:55:52.0234 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/07 10:55:52.0359 ialm (3ca41cdb9c912aed354b0c7abe4a4654) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/08/07 10:55:52.0531 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/07 10:55:52.0671 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/07 10:55:52.0765 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/07 10:55:52.0906 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/07 10:55:53.0031 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/07 10:55:53.0140 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/07 10:55:53.0234 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/07 10:55:53.0296 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/07 10:55:53.0390 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/07 10:55:53.0468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/07 10:55:53.0562 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/07 10:55:53.0656 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/07 10:55:53.0750 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/07 10:55:53.0859 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/07 10:55:53.0984 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/08/07 10:55:54.0125 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/07 10:55:54.0250 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/07 10:55:54.0343 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/07 10:55:54.0453 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/07 10:55:54.0546 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/07 10:55:54.0687 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/07 10:55:54.0796 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/07 10:55:54.0953 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/07 10:56:03.0375 ================================================================================
2010/08/07 10:56:03.0375 Scan finished
2010/08/07 10:56:03.0375 ================================================================================

cybernazi (Intermediate) - Posts: 69 - Joined: 2010-08-06 - Gender: Male - OS: Windows 7 Pro

Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sat Aug 07, 2010 6:15 pm

Well, after posting that I closed TDSSKiller and it immediately pulled the exact same BSOD. On reboot, after allowing the error report to MS to go through, I got a bounce back from Microsoft as follows:

Corrupted error report

Unfortunately, the error report you submitted is corrupted and can't be analyzed. Corrupted error reports are rare. They can be caused by hardware or software problems, and usually indicate a serious problem with your computer.

To troubleshoot this problem, follow these steps:

Scenario 1: Click here if this is the first corrupted error report for this computer

* Note any programs you have recently added to your computer. To check for recently added programs:
  1. Click Start, click Control Panel, and then click Add or Remove Programs.
  2. In the Sort by drop-down box, select Date Last Used, and then select Show updates.
  3. The Last Used On date typically shows when you installed a program. If you installed an update to a program, you will see an Installed On date.
* Note any hardware you have recently added to your computer, including random access memory (RAM), video cards, sound cards, or hard drives.
* Make sure that you have a good backup copy of your files. To make a backup of your files, you can use the Backup or Restore Wizard. To start the Backup or Restore Wizard:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
  2. Follow the wizard to back up your files.

Scenario 2: Click here if the corrupted error reports are persistent on this computer


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sat Aug 07, 2010 6:17 pm

Do you feel that we are getting anywhere with this?

In other words, is it worth pursuing?


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 5:22 am

I just tried to go to my link to this site and got a redirect to one of the sites commonly coming up:

[You must be registered and logged in to see this link.]

Maybe this is a clue.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 2:16 pm

Here is another common page that I am redirected to:

[You must be registered and logged in to see this link.]


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Sun Aug 08, 2010 7:29 pm

Hello.
Are you/your ISP from Russia?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) - Posts: 34916 - Joined: 2008-08-03 - Gender: Male - OS: XP SP3 Media Centre

Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 7:39 pm

My IP address is 68.2.55.156 and I'm in Chandler, Arizona.

I had Avira antivirus running on a Win7 machine I had just loaded the other day, and it reported that its NIC was probed by an IP address which I traced to Russia.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 7:41 pm

What gives you that idea anyway?


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Sun Aug 08, 2010 7:46 pm

A setting in your registry shows me a custom-set DNS; I traced the IP and it traced back to Russia. Guessing it's a DNS hijack, so we'll fix that now.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 8:41 pm

Here is the log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:40:52 PM, on 8/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira FireWall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5894 bytes


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 8:43 pm

Just for my knowledge where in the registry did you see the DNS Redirect?

Thanks for sticking with me on this by the way.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Sun Aug 08, 2010 9:36 pm

This log:
[You must be registered and logged in to see this link.]

The O17 item shows that IP address. Run a trace and it goes back to Russia. Hmm, did you run OTL after you ran ComboFix at the start?



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 10:25 pm

Is there a command button in OTL that I should have hit? All I did was to run your script and dump the log file to you.



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Sun Aug 08, 2010 10:30 pm

No, let's check your registry for that IP.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :regfind
    *213.109.65.44*
    *213.109.75.130*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 10:42 pm

The registry key lists them as follows:

HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.65.44 213.109.75.130 1.1.1.1

But SystemLook log comes up empty on the search:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:37 on 08/08/2010 by K E V i N (Administrator - Elevation successful)

========== regfind ==========

Searching for "*213.109.65.44*"
No data found.

Searching for "*213.109.75.130*"
No data found.

-=End Of File=-




Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Sun Aug 08, 2010 11:51 pm

Well I found out something useful on my end.

They hacked my router - reset the DNS via the default password.

I have reset to factory defaults and configured a strong password. I have also changed the existing key above to the correct DNS for cox.net on my system.

Checking has revealed that all systems on my network have the above-listed Russian DNS addresses in the registry.

Now I want to know how it got in and what else to kill/change/delete.

I found a thread in parallel with the same problem:
[You must be registered and logged in to see this link.]

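A defender-side check for what the last two posts found, added here as an example (it is not a tool anyone in the thread used): it parses the text printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /s` and reports every DNS server, in the global key and in each per-interface key, that is not on an allowlist of the resolvers you expect. The sample output, the interface GUID, the 192.168.0.1 router address and the 203.0.113.x ISP placeholders are constructed; 213.109.65.44 and 213.109.75.130 are the servers quoted above.

```python
"""Flag unexpected DNS resolvers in the Windows TCP/IP registry settings.

Added example for this thread, not a tool anyone in it used. It parses the
output of
    reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /s
and reports every DNS server that is not on an allowlist of expected resolvers.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query ... /s` output. The interface GUID, the
# 192.168.0.1 router address and the 203.0.113.x ISP placeholders are made
# up; 213.109.65.44 and 213.109.75.130 are the servers quoted in the thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    213.109.65.44 213.109.75.130 1.1.1.1
    Domain    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EXAMPLE-GUID-0001}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.0.1
    DhcpIPAddress    REG_SZ    192.168.0.12
"""

# Resolvers expected on this network: the router's LAN address and the ISP's
# two servers (placeholders from the 203.0.113.0/24 documentation range).
EXPECTED_RESOLVERS = frozenset({"192.168.0.1", "203.0.113.10", "203.0.113.11"})

# Both value names hold DNS server lists: NameServer is the statically
# configured list, DhcpNameServer is what the DHCP server (here the router)
# handed out. A router whose DNS settings were changed shows up in the latter.
DNS_VALUE_NAMES = ("NameServer", "DhcpNameServer")

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\\S.*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from `reg query /s` output."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_RE.match(line):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, _reg_type, data = match.groups()
            keys[current][name] = (data or "").strip()
    return keys


def configured_dns_servers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """List (key_path, value_name, ip) for every DNS server found in the keys."""
    servers = []
    for key_path, values in keys.items():
        for name in DNS_VALUE_NAMES:
            # NameServer may be comma- or space-separated; DhcpNameServer uses spaces.
            for token in re.split(r"[,\s]+", values.get(name, "")):
                if token:
                    servers.append((key_path, name, token))
    return servers


def unexpected_resolvers(text: str, expected=EXPECTED_RESOLVERS) -> List[Tuple[str, str, str]]:
    """Return (key leaf, value name, ip) for every resolver not on the allowlist."""
    findings = []
    for key_path, name, ip in configured_dns_servers(parse_reg_query(text)):
        if ip not in expected:
            findings.append((key_path.rsplit("\\", 1)[-1], name, ip))
    return findings


def report(text: str) -> str:
    """Human-readable summary of the check."""
    findings = unexpected_resolvers(text)
    if not findings:
        return "OK: every configured DNS server is on the allowlist"
    lines = ["WARNING: unexpected DNS servers (possible DNS hijack):"]
    lines += [f"  {leaf}\\{name} -> {ip}" for leaf, name, ip in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real machine, feed it the saved output of the reg query above.
    print(report(SAMPLE_REG_QUERY))
```

Because the check reads DhcpNameServer as well as NameServer, it catches the case in this thread, where the machines' own settings were untouched and the rogue servers arrived via DHCP from the router.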

Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Mon Aug 09, 2010 1:37 am

So I was hit with whatever this is mid to late July.

With the MS security advisory:
[You must be registered and logged in to see this link.]
and the patch released on 8/2/2010

Coupled with the PDF issue in Acrobat products:
[You must be registered and logged in to see this link.]

I unchecked the default Acrobat setting "allow opening of non-pdf file attachments with external applications" to address what I can.

This was after the fact of whatever attack I was hit by.

Plus at the same time - google-analytics related java issues...
[You must be registered and logged in to see this link.]

&

[You must be registered and logged in to see this link.]

Java Update
jre-6u21-windows-i586-iftw-rv.exe was released on 7/17/2010

All of the above has muddied the water, and the release of Firefox 3.6.7 and 3.6.8 during the same period has made this a moving target, which very well may have used several if not all of the above-listed vulnerabilities to gain access; obviously it is not stopped by adding the patches after the fact. And once in, it is undetected by anything!

This seems to me like a big deal cybersecurity-wise, especially with Russia involved. Call me alarmist, but this is not good.

Any thoughts?






Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Mon Aug 09, 2010 3:52 am

Additional note - after correcting the DNS mapping I am now able to update AntiMalware with no problem. Performing a full scan. Zero results so far - not even seeing any tracking cookies. I almost wonder if it's the real tool.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Mon Aug 09, 2010 11:56 pm

Hello.
How is the machine running now then? No more redirect issues?



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Tue Aug 10, 2010 1:50 am

I ran Ad-Aware on 2 of my systems - this one (wife's) and mine - both were infected with

Trojan.Win32.Generic!BT - in a System Volume Information file in each case

CoreGaurdAntivi\09.FakeCog(fs) was also removed from this (wife's) system

Overall it is much faster - but still a bit slow on the startup. So maybe we are in the clear.

I ran across an article warning about this DNS hack on techrepublic.com
here is a link

[You must be registered and logged in to see this link.]

This explains how they got in - much as I suspected.

It still bugs me that AntiMalwareBytes won't detect anything.

What protection suite do you recommend? I need something, and I am not impressed with the performance of those I have tried.

Even Stinger was updated a few days ago and saw nothing wrong.

That article mentions an add-on for Firefox, which I have; it's called "NoScript". It will block DNS hack attempts and forces you to give permission for Java to run on each page. Seems to work well.

So far I have not had any popups or redirects.

Thanks for all your help - I never would have seen that.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Tue Aug 10, 2010 11:52 pm

Hello.
System Volume Information is just System Restore; we can flush that, it's not a big issue.

Other than that, no complaints?



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Wed Aug 11, 2010 3:28 pm

So far repeated scans show nothing but presumed false positives on the downloads we have done.

The system is not what I would call 'normal' but is much better.

I had turned off System Restore (I assumed early on that the restore points were infected), but it is now turned back on - I assume due to the fact that several of the packages I have run said they were creating restore points.

Overall it is just sluggish still.

Any thoughts?


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Thu Aug 12, 2010 2:17 am

I have downloaded and installed all the Tuesday midnight Microsoft updates. It still launches double instances of IE and takes at least a full minute just to open the screen and show me the page for windows update.

About five minutes to check for updates.

Don't know what it is but this system was never that slow.


Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by Belahzur on Thu Aug 12, 2010 11:46 pm

One thing that may help is your RAM. Your current log shows me you only have 500 MB of RAM, when nowadays you need at the very least 1 GB, if not more, for machines of this day and age to run smoothly.

