Trojan Horse Agent r.xj - Very Bad Infection

Post by rdurden on Sat 22 Jan 2011, 11:33 am

Hi All,

I'm hoping that someone will help me with a major virus which has been infecting my computer. I was downloading some books online and I think that one of them loaded the Trojan Horse Agent r.xj onto my computer. Then again, there have been SEVERAL things going wrong with my computer since that download, including a version of "Antimalware" and "Palladium" blocking the access to my desktop and start menu. I do have some computer knowledge and was luckily able to navigate around these, and I think I got rid of those two. AVG is still popping up with 5 warnings of this Trojan Agent r.xj, and Malwarebytes Antimalware finds infected files randomly when I scan. The files which AVG cannot access are in .exe memory files, but that goes beyond my computer knowledge. The TDSS Killer, which I read might help, hasn't seemed to do a thing. Also... my touchpad has stopped working. Here are the OTL and Extras!

OTL logfile created on: 1/21/2011 5:19:46 PM - Run 1
OTL by OldTimer - Version 3.2.20.3 Folder = C:\Documents and Settings\student\Desktop
Windows XP Professional Edition Service Pack 3, v.5973 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 606.00 Mb Available Physical Memory | 59.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 45.69 Gb Free Space | 81.76% Space Free | Partition Type: NTFS

Computer Name: TOSHIBA04 | User Name: student | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/21 17:16:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\student\Desktop\OTL.exe
PRC - [2010/11/30 16:42:25 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/11/30 16:42:09 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/11/04 06:07:06 | 000,985,488 | ---- | M] (Discordia, LTD) -- C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe
PRC - [2010/09/28 12:49:41 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/09/28 12:49:40 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/09/28 12:49:36 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/09/28 12:49:10 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/09/28 12:49:05 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/01/15 05:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/03/10 21:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
PRC - [2008/02/12 07:59:34 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/01/21 17:16:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\student\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Spooler)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/10/06 10:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/09/28 12:49:36 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/09/28 12:49:10 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/01/15 05:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)


========== Driver Services (SafeList) ==========

DRV - [2011/01/20 11:50:43 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\frwgco.sys -- (frwgco)
DRV - [2010/09/28 12:49:43 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/09/28 12:49:40 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/09/28 12:49:09 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2007/08/28 10:11:26 | 002,210,048 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2005/07/20 07:35:00 | 000,240,384 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/04/04 15:25:36 | 000,160,768 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/12/06 21:53:44 | 001,270,572 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/11/30 21:12:30 | 000,873,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/17 05:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..extensions.enabledItems: {1FD91A9C-410C-4090-BBCC-55D3450EF433}:2.0
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&systemid=402&q="

FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/10/26 10:28:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2BFE84BF-A911-484F-A1FA-318674F6D8FF}: C:\Documents and Settings\student\Local Settings\Application Data\{2BFE84BF-A911-484F-A1FA-318674F6D8FF} [2011/01/20 10:46:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/09 16:56:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/09 16:56:28 | 000,000,000 | ---D | M]

[2010/09/09 09:12:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\student\Application Data\Mozilla\Extensions
[2011/01/20 11:26:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\duhrfjgj.default\extensions
[2011/01/21 12:47:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/26 10:28:53 | 000,000,000 | ---D | M] ("urn:mozilla:install-manifest" em:id="avg@igeared" em:name="AVG Security Toolbar" em:version="6.010.006.004" em:displayname="AVG Security Toolbar" em:iconURL="chrome://tavgp/skin/logo.ico" em:creator="AVG Technologies" em:description="AVG Security Toolbar" em:homepageURL="http://www.avg.com" >) -- C:\PROGRAM FILES\AVG\AVG9\TOOLBAR\FIREFOX\AVG@IGEARED
[2010/08/04 10:38:16 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/01/21 11:05:48 | 000,000,000 | ---D | M] (DataMngr) -- C:\PROGRAM FILES\WINDOWS SEARCHQU TOOLBAR\DATAMNGR\FIREFOXEXTENSION

O1 HOSTS File: ([2011/01/21 12:51:00 | 000,001,003 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 whysohardx.com
O1 - Hosts: 127.0.0.1 protectyourpc-11.com
O1 - Hosts: 127.0.0.1 checkserverstatux.com
O1 - Hosts: 127.0.0.1 xinmin.cn
O1 - Hosts: 127.0.0.1 xy95.cn
O1 - Hosts: 127.0.0.1 koralda.com
O1 - Hosts: 127.0.0.1 weirden.com
O1 - Hosts: 127.0.0.1 nanocloudcontroller.com
O1 - Hosts: 127.0.0.1 coo0lnet.net
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Searchqu Toolbar) - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\Program Files\Windows Searchqu Toolbar\ToolBar\SearchquDx.dll ()
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\Program Files\Windows Searchqu Toolbar\ToolBar\SearchquDx.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Discordia, LTD)
O4 - HKLM..\Run: [Vjoselewiz] File not found
O4 - HKCU..\Run: [gsrvmdctrl.exe] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (c:\progra~1\window~4\datamngr\datamngr.dll) - c:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Discordia, LTD)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/08/04 10:20:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\Shell\AutoRun\command - "" = lhh3v.exe
O33 - MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\Shell\open\Command - "" = lhh3v.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/21 17:15:59 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\student\Desktop\OTL.exe
[2011/01/21 12:53:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\student\Application Data\searchqutb
[2011/01/21 11:33:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/01/21 11:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\searchqutb
[2011/01/21 11:06:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2011/01/21 11:05:39 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Searchqu Toolbar
[2011/01/21 10:01:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/21 10:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/21 10:01:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/21 10:01:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/01/20 10:46:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
[2011/01/20 10:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\BitTorrentBar
[2011/01/20 10:46:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ConduitEngine
[2011/01/20 10:46:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\student\Local Settings\Application Data\{2BFE84BF-A911-484F-A1FA-318674F6D8FF}
[2011/01/20 10:45:26 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/01/20 10:35:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\student\Local Settings\Application Data\Temp
[2011/01/20 10:35:42 | 000,000,000 | ---D | C] -- C:\Program Files\BitTorrent
[2011/01/20 10:35:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\student\Application Data\BitTorrent
[2011/01/20 10:25:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/01/19 09:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\CDisplay
[2011/01/19 09:58:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CDisplay
[2011/01/07 09:22:08 | 000,577,536 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
[2011/01/07 09:22:07 | 018,804,736 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\alsndmgr.cpl
[2011/01/07 09:22:07 | 010,528,768 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTLCPL.exe
[2011/01/07 09:21:58 | 004,122,368 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\alcxwdm.sys
[2011/01/07 09:21:43 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek AC97
[2011/01/07 09:21:40 | 000,315,392 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\alcupd.exe
[2011/01/07 09:21:40 | 000,217,088 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\Alcrmv.exe
[2011/01/06 16:28:43 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\student\PrivacIE
[2011/01/06 13:28:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\student\IETldCache
[2011/01/06 09:28:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\student\Application Data\vlc
[2011/01/06 09:21:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\YouTube Downloader
[2011/01/06 09:21:20 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2011/01/06 09:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2011/01/06 09:01:35 | 011,080,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2011/01/06 09:01:35 | 001,991,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2011/01/06 09:01:35 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2011/01/06 09:01:35 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2011/01/06 09:01:35 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2011/01/06 09:01:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2011/01/06 09:00:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/21 17:19:46 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/21 17:19:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/21 17:16:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\student\Desktop\OTL.exe
[2011/01/21 16:48:06 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2011/01/21 16:48:05 | 000,011,034 | ---- | M] () -- C:\WINDOWS\System32\345.js
[2011/01/21 15:50:23 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2011/01/21 15:50:23 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2011/01/21 15:48:06 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/01/21 14:11:49 | 000,012,451 | ---- | M] () -- C:\Documents and Settings\student\My Documents\What Would a Leader Do.docx
[2011/01/21 12:48:05 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2011/01/21 11:33:05 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/21 10:58:33 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/01/21 10:01:42 | 070,391,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/01/21 09:57:34 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Msepexilah.dat
[2011/01/21 09:57:11 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pxizihawag.bin
[2011/01/20 11:50:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\frwgco.sys
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2011/01/20 10:48:20 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/01/20 10:48:18 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/01/20 10:48:18 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/01/20 10:41:51 | 000,011,520 | ---- | M] () -- C:\Documents and Settings\student\Desktop\The Observer.docx
[2011/01/19 13:15:10 | 000,011,446 | ---- | M] () -- C:\Documents and Settings\student\My Documents\LeadershipStory.docx
[2011/01/19 09:58:19 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\student\Desktop\CDisplay.lnk
[2011/01/18 11:58:27 | 000,013,094 | ---- | M] () -- C:\Documents and Settings\student\Desktop\Community_Letter_Number_3.docx
[2011/01/08 09:55:31 | 000,003,690 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/07 08:48:22 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2011/01/06 13:28:40 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\student\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/01/05 08:15:19 | 000,299,640 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/21 13:22:59 | 000,012,451 | ---- | C] () -- C:\Documents and Settings\student\My Documents\What Would a Leader Do.docx
[2011/01/21 12:48:04 | 000,011,034 | ---- | C] () -- C:\WINDOWS\System32\345.js
[2011/01/20 10:48:20 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2011/01/20 10:48:19 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2011/01/20 10:48:18 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2011/01/20 10:48:18 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2011/01/20 10:48:18 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/01/20 10:48:18 | 000,000,406 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/01/20 10:46:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Msepexilah.dat
[2011/01/20 10:46:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pxizihawag.bin
[2011/01/20 10:46:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\frwgco.sys
[2011/01/19 20:59:31 | 000,011,520 | ---- | C] () -- C:\Documents and Settings\student\Desktop\The Observer.docx
[2011/01/19 13:15:09 | 000,011,446 | ---- | C] () -- C:\Documents and Settings\student\My Documents\LeadershipStory.docx
[2011/01/19 09:58:19 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\student\Desktop\CDisplay.lnk
[2011/01/17 16:29:30 | 000,013,094 | ---- | C] () -- C:\Documents and Settings\student\Desktop\Community_Letter_Number_3.docx
[2011/01/07 09:22:08 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/01/07 09:22:07 | 000,141,016 | ---- | C] () -- C:\WINDOWS\System32\alsndmgr.wav
[2011/01/07 09:21:40 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2011/01/07 08:48:22 | 000,000,354 | ---- | C] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/10/26 10:23:06 | 000,017,017 | ---- | C] () -- C:\WINDOWS\hplj24x0.ini
[2010/10/26 10:22:51 | 000,002,085 | ---- | C] () -- C:\WINDOWS\mariner.ini
[2010/09/28 12:41:52 | 000,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2010/09/09 08:23:25 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2010/09/09 08:23:25 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2010/08/04 03:07:15 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/02/24 22:49:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

< End of report >

OTL Extras logfile created on: 1/21/2011 5:19:46 PM - Run 1

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6.5
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{EACCC991-8E8C-4397-8854-349506741FC9}" = FileMaker Pro 11
"{EACCC991-8E8C-4397-8854-349506741FC9}_FileMaker" = FileMaker Pro 11
"{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA}" = TIxx21/x515
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG Free 9.0
"BitTorrent" = BitTorrent
"CDisplay_is1" = CDisplay 1.8
"ie8" = Windows Internet Explorer 8
"InstallShield_{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA}" = Texas Instruments PCIxx21/x515 drivers.
"Keyman Keyboard Wm_dkey5" = Keyman Keyboard - WinMac Dene Key
"Keyman Keyboard Wm_vfd5" = Keyman Keyboard - WinMac Vowel First Dene
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"PROPLUS" = Microsoft Office Professional Plus 2007
"Searchqu MediaBar" = Windows Searchqu Toolbar
"Super Phonics" = Super Phonics
"Tavultesoft Keyman" = Tavultesoft Keyman
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"VLC media player" = VLC media player 1.0.3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/21/2011 3:49:53 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 1/21/2011 3:49:55 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/21/2011 3:53:47 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 1/21/2011 3:53:47 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/21/2011 6:53:25 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 1/21/2011 6:53:27 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/21/2011 7:01:10 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 1/21/2011 7:01:13 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/21/2011 7:06:10 PM | Computer Name = TOSHIBA04 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.3311, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 1/21/2011 7:06:22 PM | Computer Name = TOSHIBA04 | Source = Application Error | ID = 1001
Description = Fault bucket 2024857387.

[ System Events ]
Error - 1/21/2011 12:46:58 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 1/21/2011 12:48:58 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 1/21/2011 12:53:02 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:53:03 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:53:03 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:53:14 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:54:05 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:54:53 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/21/2011 12:56:53 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 1/21/2011 12:56:56 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.


< End of report >


Thank you, thank you, thank you!!! - RD

rdurden

Unborn

Posts : 4
Joined : 2011-01-22
Operating System : Windows XP Professional 2002
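
The "Last 10 Event Log Errors" block at the end of the OTL log above is easier to read once repeats are collapsed. The parser below is an added example, not part of the forum post and not OTL's own code: it joins OTL's wrapped, multi-line descriptions back together and groups records by (event log, Source, ID) with a count and time span. The SAMPLE string is a trimmed copy of the entries in the log above, including the DCOM 10016 record whose description the page shows split across a blank line.

```python
"""Triage the "Last 10 Event Log Errors" section of an OTL log.

Added example, not part of the forum post or of OTL itself.  OTL prints each
error as a one-line header ("Error - <time> | Computer Name = .. | Source = ..
| ID = ..") followed by a wrapped, multi-line description.  This parser joins
the description back together and groups records by (log, source, event ID)
with a count and time span, so repeated entries collapse into one line each.
"""
import re
from collections import OrderedDict
from datetime import datetime

SECTION_RE = re.compile(r"^\[ (?P<log>.+?) Events \]$")
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)

# Trimmed copy of the entries shown in the OTL log above (constructed sample).
SAMPLE = r"""
[ Application Events ]
Error - 1/21/2011 3:49:53 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 1/21/2011 3:49:55 PM | Computer Name = TOSHIBA04 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/21/2011 7:06:10 PM | Computer Name = TOSHIBA04 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.3311, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 1/21/2011 7:06:22 PM | Computer Name = TOSHIBA04 | Source = Application Error | ID = 1001
Description = Fault bucket 2024857387.

[ System Events ]
Error - 1/21/2011 12:46:58 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 1/21/2011 12:48:58 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 1/21/2011 12:53:02 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:53:03 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/21/2011 12:54:53 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/21/2011 12:56:53 PM | Computer Name = TOSHIBA04 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.
"""


def parse_events(text):
    """Return one dict per 'Error - ...' record, description lines re-joined."""
    events, log, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            log, current = m["log"], None          # "[ Application Events ]" etc.
        elif m := HEADER_RE.match(line):
            current = {
                "log": log,
                "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                "host": m["host"],
                "source": m["source"],
                "id": int(m["id"]),
                "description": "",
            }
            events.append(current)
        elif line and current is not None:        # wrapped description; blanks are skipped
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            current["description"] = (current["description"] + " " + line).strip()
    return events


def summarize(events):
    """Group records by (log, source, id); keep count, time span, first description."""
    groups = OrderedDict()
    for ev in events:
        key = (ev["log"], ev["source"], ev["id"])
        g = groups.setdefault(key, {"count": 0, "first": ev["time"],
                                    "last": ev["time"], "description": ev["description"]})
        g["count"] += 1
        g["first"] = min(g["first"], ev["time"])
        g["last"] = max(g["last"], ev["time"])
    return groups


def report(groups):
    """One text line per (log, source, id) group."""
    lines = []
    for (log, source, eid), g in groups.items():
        span = g["first"].strftime("%H:%M:%S")
        if g["last"] != g["first"]:
            span += "-" + g["last"].strftime("%H:%M:%S")
        lines.append(f"{log:<11} {source:<18} {eid:>6} x{g['count']:<2} {span:<17} "
                     f"{g['description'][:70]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_events(SAMPLE)))))
```

Grouping on the event ID alone means the two netman failures and the EventSystem failure land in one DCOM 10005 row with the first description; widen the key to include the description if that distinction matters for a given log.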

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by Belahzur on Sat 22 Jan 2011, 12:08 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - HKLM..\Run: [Vjoselewiz] File not found
    O4 - HKCU..\Run: [gsrvmdctrl.exe] File not found
    O33 - MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\Shell\AutoRun\command - "" = lhh3v.exe
    O33 - MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\Shell\open\Command - "" = lhh3v.exe
    [2011/01/21 16:48:05 | 000,011,034 | ---- | M] () -- C:\WINDOWS\System32\345.js
    [2011/01/21 09:57:34 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Msepexilah.dat
    [2011/01/21 09:57:11 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pxizihawag.bin
    [2011/01/20 11:50:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\frwgco.sys

    :files
    C:\WINDOWS\tasks\At*.job


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by rdurden on Sat 22 Jan 2011, 12:14 pm

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Vjoselewiz deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\gsrvmdctrl.exe deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ not found.
File lhh3v.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ not found.
File lhh3v.exe not found.
C:\WINDOWS\system32\345.js moved successfully.
C:\WINDOWS\Msepexilah.dat moved successfully.
C:\WINDOWS\Pxizihawag.bin moved successfully.
C:\WINDOWS\system32\drivers\frwgco.sys moved successfully.
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.

OTL by OldTimer - Version 3.2.20.3 log created on 01212011_181403

rdurden

Unborn

Posts : 4
Joined : 2011-01-22
Operating System : Windows XP Professional 2002
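
Belahzur's fix script (the :OTL and :files items posted above) and the fix log rdurden posted in reply are two halves of one record, and a helper should check them against each other: every requested item ought to appear in the log as "deleted successfully", "moved successfully" or "not found", and a wildcard such as At*.job ought to expand to the 23 job files OTL actually moved. The script below is an added example, not the thread's or OTL's own code. FIX_SCRIPT and FIX_LOG are copies of the two posts above; the 23 At*.job log lines are generated rather than typed out. Path comparison is case-insensitive because the script names System32 while the log writes system32.

```python
"""Reconcile an OTL fix script against the fix log it produced.

Added example, not part of the forum thread or of OTL itself.  It reads the
":OTL" / ":files" items from a fix script, reads the "deleted successfully" /
"moved successfully" / "not found" lines from the resulting log, and reports,
per requested item, whether something was removed, was already absent, or
never appeared in the log at all.  Wildcards such as At*.job are expanded
against the log, and paths compare case-insensitively (OTL logs "system32"
in lower case although the script said "System32").
"""
import fnmatch
import re

RUN_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\"   # OTL writes Run\\<name>
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\]")
O33_RE = re.compile(r"^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\.*= (?P<file>\S+)$")
FILE_RE = re.compile(r"^\[[^\]]*\] \([^)]*\) -- (?P<path>[A-Za-z]:\\.+)$")
LOG_RE = re.compile(
    r"^(?:Registry (?:value|key) |File )?(?P<target>.+?) "
    r"(?P<result>deleted successfully|moved successfully|not found)\.?$"
)

# Copy of the fix script posted above.
FIX_SCRIPT = r"""
:OTL
O4 - HKLM..\Run: [Vjoselewiz] File not found
O4 - HKCU..\Run: [gsrvmdctrl.exe] File not found
O33 - MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\Shell\AutoRun\command - "" = lhh3v.exe
O33 - MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\Shell\open\Command - "" = lhh3v.exe
[2011/01/21 16:48:05 | 000,011,034 | ---- | M] () -- C:\WINDOWS\System32\345.js
[2011/01/21 09:57:34 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Msepexilah.dat
[2011/01/21 09:57:11 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pxizihawag.bin
[2011/01/20 11:50:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\frwgco.sys

:files
C:\WINDOWS\tasks\At*.job
"""

# Copy of the fix log posted above; the 23 At<n>.job lines are generated.
FIX_LOG = r"""
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Vjoselewiz deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\gsrvmdctrl.exe deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ not found.
File lhh3v.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b64b3a88-1a71-11e0-9ed4-0012f046d2d4}\ not found.
File lhh3v.exe not found.
C:\WINDOWS\system32\345.js moved successfully.
C:\WINDOWS\Msepexilah.dat moved successfully.
C:\WINDOWS\Pxizihawag.bin moved successfully.
C:\WINDOWS\system32\drivers\frwgco.sys moved successfully.
========== FILES ==========
""" + "\n".join("C:\\WINDOWS\\tasks\\At%d.job moved successfully." % i for i in range(1, 24))


def parse_fix_script(script):
    """Return de-duplicated (kind, target) items requested by the fix script."""
    items, section = [], None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                       # ":OTL" / ":files" section markers
            section = line[1:].lower()
            continue
        if section == "files":
            items.append(("file", line))
        elif section == "otl":
            if m := O4_RE.match(line):
                items.append(("registry", HIVES[m["hive"]] + RUN_KEY + m["name"]))
            elif m := O33_RE.match(line):
                items.append(("mountpoint", m["guid"]))
                items.append(("file", m["file"]))      # autorun payload the entry pointed at
            elif m := FILE_RE.match(line):
                items.append(("file", m["path"]))
    return list(dict.fromkeys(items))


def parse_fix_log(log):
    """Return (target, result) pairs from the fix log, ignoring banner lines."""
    return [(m["target"], m["result"])
            for raw in log.splitlines() if (m := LOG_RE.match(raw.strip()))]


def reconcile(script, log):
    """Match every requested item to its log lines and classify the outcome."""
    results = parse_fix_log(log)
    report = []
    for kind, target in parse_fix_script(script):
        want = target.lower()
        if kind == "mountpoint":                       # OTL also reports the CLSID lookups for the GUID
            hits = [r for t, r in results if want in t.lower()]
        elif any(c in want for c in "*?"):
            hits = [r for t, r in results if fnmatch.fnmatchcase(t.lower(), want)]
        else:
            hits = [r for t, r in results if t.lower() == want]
        if not hits:
            status = "unhandled"                       # never mentioned in the log: re-run or check by hand
        elif any(r != "not found" for r in hits):
            status = "removed"
        else:
            status = "not present"                     # already gone, e.g. the autorun payload
        report.append({"kind": kind, "target": target, "status": status, "matched": len(hits)})
    return report


if __name__ == "__main__":
    for row in reconcile(FIX_SCRIPT, FIX_LOG):
        print(f"{row['status']:<12} x{row['matched']:<3} {row['kind']:<10} {row['target']}")
```

An "unhandled" row is the one to act on: it means the fix log never mentioned the item, so the next scan should show whether it is still there.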

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by Belahzur on Sun 23 Jan 2011, 1:10 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by rdurden on Sun 23 Jan 2011, 1:31 pm

Thanks Belahzur! My computer seems to be working again!

rdurden

Unborn

Posts : 4
Joined : 2011-01-22
Operating System : Windows XP Professional 2002

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by Belahzur on Mon 24 Jan 2011, 12:07 pm

I doubt that fully fixed it, please post the MBAM log.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by rdurden on Thu 27 Jan 2011, 3:15 am

The MBAM log didn't seem to find anything at all. There are still a few warnings popping up now and again, but the virus isn't shutting down my computer. It must be buried in some hidden file...


************************************************************
Malwarebytes' Anti-Malware 1.50.1.1100

Database version: 5565

Windows 5.1.2600 Service Pack 3, v.5973
Internet Explorer 8.0.6001.18702

1/26/2011 9:06:07 AM
mbam-log-2011-01-26 (09-06-07).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 176014
Time elapsed: 19 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

rdurden

Unborn

Posts : 4
Joined : 2011-01-22
Operating System : Windows XP Professional 2002

Re: Trojan Horse Agent r.xj - Very Bad Infection

Post by Belahzur on Thu 27 Jan 2011, 11:51 am

Hello.

  • Download combofix from here
    Link 1

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
