Win 32 Alureon... rootkit?

I'm visiting my mom and she is freaking out about the computer. I have been relentlessly trying to find out the problem. Last night Avast! detected this Win32-Alureon trojan, and whenever I move it into the chest it just pops back up, recreating itself I think. I'm no computer expert and I don't want to mess up the computer. I would really appreciate some help on how to remove this thing; it's just awful! I ran an OTL scan and here are the log files. I read another thread where this was suggested, as well as downloading Avenger, which I already did. Hopefully I'm a little ahead of the game here? Help me out please?! I would be so thankful. :)

OTL logfile created on: 12/22/2009 9:00:40 AM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 378.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.08 Gb Total Space | 114.41 Gb Free Space | 80.53% Space Free | Partition Type: NTFS
Drive D: | 6.96 Gb Total Space | 1.20 Gb Free Space | 17.18% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPAQ
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/22 08:59:07 | 00,513,536 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
PRC - [2009/11/24 18:51:40 | 00,081,000 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 00,138,680 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 00,254,040 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 00,352,920 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 00,018,752 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/05 21:14:44 | 01,794,848 | ---- | M] (Apple Inc.) – C:\Program Files\Safari\Safari.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) – C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) – C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/19 12:25:52 | 01,589,208 | ---- | M] () – C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
PRC - [2009/06/17 12:49:44 | 00,616,408 | ---- | M] () – C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) – C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) – C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/24 13:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) – C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 00,202,560 | ---- | M] (SupportSoft, Inc.) – C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) – C:\WINDOWS\explorer.exe
PRC - [2008/03/18 15:27:12 | 00,013,312 | ---- | M] (Agere Systems) – C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2005/10/23 08:46:44 | 00,069,632 | ---- | M] (Hewlett-Packard Company) – C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2005/08/27 04:14:44 | 00,241,775 | ---- | M] (Sun Microsystems, Inc.) – C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
PRC - [2005/08/27 04:14:44 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) – C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
PRC - [2005/08/14 07:05:00 | 00,344,064 | ---- | M] (ATI Technologies, Inc.) – C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2005/08/14 00:29:40 | 00,376,832 | ---- | M] (ATI Technologies Inc.) – C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/02/02 18:44:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) – C:\hp\KBD\kbd.exe
PRC - [2004/09/07 15:47:52 | 00,057,344 | ---- | M] (Realtek Semiconductor Corp.) – C:\WINDOWS\ALCXMNTR.EXE
PRC - [1998/05/07 11:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) – c:\WINDOWS\system\hpsysdrv.exe

========== Modules (SafeList) ==========

MOD - [2009/12/22 08:59:07 | 00,513,536 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
MOD - [2008/04/13 19:12:01 | 00,413,696 | ---- | M] (Microsoft Corporation) – C:\WINDOWS\system32\msvcp60.dll
MOD - [2007/04/19 14:21:40 | 00,116,264 | ---- | M] (SupportSoft, Inc.) – C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] – – (0037131260316836mcinstcleanup) McAfee Application Installer Cleanup (0037131260316836)
SRV - [2009/11/24 18:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] – C:\Program Files\Alwil Software\Avast4\ashServ.exe – (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe – (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe – (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe – (aswUpdSv)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] – C:\Program Files\iPod\bin\iPodService.exe – (iPod Service)
SRV - [2009/06/17 12:49:44 | 00,616,408 | ---- | M] () [Auto | Running] – C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe – (AntiSpywareService)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] – C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe – (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] – C:\Program Files\Bonjour\mDNSResponder.exe – (Bonjour Service)
SRV - [2008/04/24 13:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] – C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe – (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2008/03/18 15:27:12 | 00,013,312 | ---- | M] (Agere Systems) [Auto | Running] – C:\WINDOWS\system32\agrsmsvc.exe – (AgereModemAudio)
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] – C:\Program Files\Windows Live\installer\WLSetupSvc.exe – (WLSetupSvc)
SRV - [2005/10/23 08:46:44 | 00,069,632 | ---- | M] (Hewlett-Packard Company) [Auto | Running] – C:\Program Files\Common Files\LightScribe\LSSrvc.exe – (LightScribeService)
SRV - [2005/08/14 00:29:40 | 00,376,832 | ---- | M] (ATI Technologies Inc.) [Auto | Running] – C:\WINDOWS\system32\ati2evxx.exe – (Ati HotKey Poller)
SRV - [2004/10/22 13:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] – C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe – (IDriverT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=NET_mmhpset
IE - HKCU..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Comcast Toolbar) - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll ()
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM..\Toolbar: (Comcast Toolbar) - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll ()
O3 - HKLM..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM…\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM…\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM…\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM…\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM…\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM…\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM…\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU…\Run: [ComcastAntispyClient] C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe ()
O4 - HKCU…\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Add To Compaq Organize… - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html ()
O9 - Extra ‘Tools’ menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra ‘Tools’ menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223475339851 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} http://ak.imgag.com/imgag/cp/install/Crusher.cab (Creative Toolbox Plug-in)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\vtUlKBRH: DllName - vtUlKBRH.dll - File not found
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\mlJYqPiI) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/25 00:32:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT – [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT – [ FAT32 ]
O33 - MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}\Shell - "" = AutoRun
O33 - MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] – "%1" %*
O35 - exefile [open] – "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/10/05 17:49:14 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (52920744480342016)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/22 08:59:07 | 00,513,536 | ---- | C] (OldTimer Tools) – C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2009/12/20 01:14:36 | 00,000,000 | ---D | C] – C:\Documents and Settings\Compaq_Owner\My Documents\Moved Desktop
[2009/12/19 19:30:41 | 00,023,120 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/12/19 19:30:40 | 00,048,560 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/19 19:30:39 | 00,027,408 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/12/19 19:30:37 | 00,097,480 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\AvastSS.scr
[2009/12/19 19:30:36 | 00,114,768 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aswSP.sys
[2009/12/19 19:30:36 | 00,094,160 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/12/19 19:30:36 | 00,093,424 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aswmon.sys
[2009/12/19 19:30:36 | 00,020,560 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/12/19 19:30:15 | 01,280,480 | ---- | C] (ALWIL Software) – C:\WINDOWS\System32\aswBoot.exe
[2009/12/19 19:30:12 | 00,000,000 | ---D | C] – C:\Program Files\Alwil Software
[2009/12/19 10:42:45 | 00,000,000 | ---D | C] – C:\Documents and Settings\All Users\Application Data\McAfee
[2009/12/19 09:08:31 | 00,000,000 | ---D | C] – C:\Program Files\Trend Micro
[2009/12/14 07:14:53 | 00,000,000 | -HSD | C] – C:\Documents and Settings\Compaq_Owner\PrivacIE
[2009/12/13 12:12:46 | 00,000,000 | -HSD | C] – C:\Documents and Settings\Compaq_Owner\IETldCache
[2009/12/13 11:44:05 | 00,000,000 | ---D | C] – C:\WINDOWS\ie8updates
[2009/12/13 10:34:36 | 00,000,000 | -H-D | C] – C:\WINDOWS\ie8
[2009/12/11 18:07:40 | 00,000,000 | ---D | M] – C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/11 18:07:40 | 00,000,000 | ---D | M] – C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/11 18:07:40 | 00,000,000 | ---D | M] – C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/11 18:07:40 | 00,000,000 | ---D | M] – C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/10 18:45:19 | 00,000,000 | ---D | C] – C:\Documents and Settings\Compaq_Owner\Application Data\AVG8
[2009/12/09 17:18:04 | 00,000,000 | ---D | C] – C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
[2009/12/09 17:17:41 | 00,000,000 | ---D | C] – C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/02 22:43:01 | 00,000,000 | ---D | M] – C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2005/05/12 09:36:48 | 00,012,288 | ---- | C] (Hewlett-Packard Co.) – C:\WINDOWS\Fonts\RandFont.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[11 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/22 08:59:07 | 00,513,536 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2009/12/22 08:42:35 | 00,002,187 | ---- | M] () – C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/22 08:40:03 | 00,000,268 | ---- | M] () – C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/12/21 16:39:44 | 00,000,246 | ---- | M] () – C:\WINDOWS\System\hpsysdrv.dat
[2009/12/21 15:59:05 | 00,000,006 | -H-- | M] () – C:\WINDOWS\tasks\SA.DAT
[2009/12/21 15:58:56 | 00,002,048 | --S- | M] () – C:\WINDOWS\bootstat.dat
[2009/12/21 15:58:53 | 10,051,13344 | -HS- | M] () – C:\hiberfil.sys
[2009/12/21 15:57:51 | 06,291,456 | ---- | M] () – C:\Documents and Settings\Compaq_Owner\ntuser.dat
[2009/12/21 15:57:51 | 00,000,178 | -HS- | M] () – C:\Documents and Settings\Compaq_Owner\ntuser.ini
[2009/12/19 19:30:41 | 00,001,717 | ---- | M] () – C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/19 19:30:36 | 00,002,626 | ---- | M] () – C:\WINDOWS\System32\CONFIG.NT
[2009/12/19 09:11:24 | 00,001,742 | ---- | M] () – C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.lnk
[2009/12/15 23:43:01 | 00,000,284 | ---- | M] () – C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/13 12:00:30 | 00,001,393 | ---- | M] () – C:\WINDOWS\imsins.BAK
[2009/12/11 01:56:00 | 00,000,382 | ---- | M] () – C:\WINDOWS\tasks\Windows Update.job
[2009/12/10 07:48:17 | 00,000,932 | ---- | M] () – C:\Documents and Settings\Compaq_Owner\My Documents\My Sharing Folders.lnk
[2009/12/10 07:47:30 | 00,000,268 | -H-- | M] () – C:\sqmdata15.sqm
[2009/12/10 07:47:30 | 00,000,244 | -H-- | M] () – C:\sqmnoopt16.sqm
[2009/12/10 07:35:43 | 00,000,268 | -H-- | M] () – C:\sqmdata14.sqm
[2009/12/10 07:35:43 | 00,000,244 | -H-- | M] () – C:\sqmnoopt15.sqm
[2009/12/10 03:29:50 | 00,000,268 | -H-- | M] () – C:\sqmdata13.sqm
[2009/12/10 03:29:50 | 00,000,244 | -H-- | M] () – C:\sqmnoopt14.sqm
[2009/12/09 03:52:37 | 00,524,016 | ---- | M] () – C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/09 03:52:37 | 00,442,796 | ---- | M] () – C:\WINDOWS\System32\perfh009.dat
[2009/12/09 03:52:37 | 00,071,936 | ---- | M] () – C:\WINDOWS\System32\perfc009.dat
[2009/12/09 03:49:58 | 00,000,268 | -H-- | M] () – C:\sqmdata12.sqm
[2009/12/09 03:49:58 | 00,000,244 | -H-- | M] () – C:\sqmnoopt13.sqm
[2009/12/08 19:49:17 | 00,000,268 | -H-- | M] () – C:\sqmdata11.sqm
[2009/12/08 19:49:17 | 00,000,244 | -H-- | M] () – C:\sqmnoopt12.sqm
[2009/12/08 18:51:34 | 00,001,158 | ---- | M] () – C:\WINDOWS\System32\wpa.dbl
[2009/12/08 18:48:58 | 00,008,212 | ---- | M] () – C:\WINDOWS\mfebcdata
[2009/12/08 09:26:39 | 00,000,272 | --S- | M] () – C:\WINDOWS\System32\1987403168.dat
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[11 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/19 19:30:41 | 00,001,717 | ---- | C] () – C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/19 19:30:15 | 00,380,928 | ---- | C] () – C:\WINDOWS\System32\actskin4.ocx
[2009/12/19 09:08:31 | 00,001,742 | ---- | C] () – C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.lnk
[2009/12/08 18:48:58 | 00,008,212 | ---- | C] () – C:\WINDOWS\mfebcdata
[2009/12/08 18:44:50 | 10,051,13344 | -HS- | C] () – C:\hiberfil.sys
[2009/12/08 09:25:19 | 00,000,272 | --S- | C] () – C:\WINDOWS\System32\1987403168.dat
[2008/10/11 07:25:39 | 00,007,168 | ---- | C] () – C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/11 06:35:14 | 00,000,135 | ---- | C] () – C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
[2007/06/05 03:11:37 | 00,000,214 | ---- | C] () – C:\WINDOWS\HP_InstantSHareJPG.ini
[2007/06/05 02:53:26 | 00,000,221 | ---- | C] () – C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/06/11 07:48:41 | 00,001,747 | ---- | C] () – C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/02 17:38:23 | 00,000,748 | ---- | C] () – C:\WINDOWS\SetBrowser.ini
[2006/04/22 16:16:13 | 00,000,047 | ---- | C] () – C:\WINDOWS\NeroDigital.ini
[2006/04/02 21:10:07 | 00,000,051 | ---- | C] () – C:\Documents and Settings\All Users\Application Data\Installer.log
[2006/03/07 17:56:02 | 00,000,029 | ---- | C] () – C:\WINDOWS\atid.ini
[2006/02/23 17:57:06 | 00,000,474 | ---- | C] () – C:\WINDOWS\cdplayer.ini
[2006/02/20 16:18:26 | 00,000,067 | ---- | C] () – C:\WINDOWS\PLAY-DOH.INI
[2006/02/20 14:57:49 | 00,000,162 | ---- | C] () – C:\WINDOWS\kodakpcd.Compaq_Owner.ini
[2005/11/12 20:19:21 | 00,000,061 | ---- | C] () – C:\WINDOWS\smscfg.ini
[2005/11/12 19:56:06 | 00,022,396 | ---- | C] () – C:\WINDOWS\System32\drivers\USBkey.sys
[2005/11/12 19:50:16 | 00,012,994 | ---- | C] () – C:\WINDOWS\System32\CHODDI.SYS
[2005/11/12 19:50:10 | 00,045,056 | ---- | C] () – C:\WINDOWS\System32\hpreg.dll
[2005/11/12 19:47:45 | 00,000,054 | ---- | C] () – C:\WINDOWS\Quicken.ini
[2005/11/12 19:44:59 | 00,000,737 | ---- | C] () – C:\WINDOWS\ODBC.INI
[2005/11/12 19:39:06 | 00,204,800 | ---- | C] () – C:\WINDOWS\System32\IVIresizeW7.dll
[2005/11/12 19:39:06 | 00,200,704 | ---- | C] () – C:\WINDOWS\System32\IVIresizeA6.dll
[2005/11/12 19:39:06 | 00,192,512 | ---- | C] () – C:\WINDOWS\System32\IVIresizeP6.dll
[2005/11/12 19:39:06 | 00,192,512 | ---- | C] () – C:\WINDOWS\System32\IVIresizeM6.dll
[2005/11/12 19:39:06 | 00,188,416 | ---- | C] () – C:\WINDOWS\System32\IVIresizePX.dll
[2005/11/12 19:39:06 | 00,020,480 | ---- | C] () – C:\WINDOWS\System32\IVIresize.dll
[2005/11/12 19:31:40 | 00,000,479 | ---- | C] () – C:\WINDOWS\WININIT.INI
[2005/11/12 19:30:29 | 00,000,698 | ---- | C] () – C:\WINDOWS\NSSetDefaultBrowser.ini
[2005/11/12 19:25:06 | 00,000,337 | ---- | C] () – C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/11/12 19:23:53 | 00,001,793 | ---- | C] () – C:\WINDOWS\System32\fxsperf.ini
[2005/11/12 19:08:15 | 00,000,780 | ---- | C] () – C:\WINDOWS\orun32.ini
[2005/11/12 19:04:55 | 00,323,584 | ---- | C] () – C:\WINDOWS\System32\pythoncom22.dll
[2005/11/12 19:04:55 | 00,094,208 | ---- | C] () – C:\WINDOWS\System32\pywintypes22.dll
[2005/11/12 19:04:32 | 00,016,896 | ---- | C] () – C:\WINDOWS\System32\bcbmm.dll
[2005/10/05 15:50:52 | 00,000,000 | ---- | C] () – C:\WINDOWS\System32\px.ini
[2004/06/16 00:38:02 | 00,000,592 | ---- | C] () – C:\WINDOWS\System32\oeminfo.ini
[1999/01/22 13:46:58 | 00,065,536 | ---- | C] () – C:\WINDOWS\System32\MSRTEDIT.DLL
[1996/11/16 23:00:00 | 00,022,016 | ---- | C] () – C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/16 23:00:00 | 00,022,016 | ---- | C] () – C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/16 23:00:00 | 00,012,288 | ---- | C] () – C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2007/10/03 12:40:22 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\F-Secure
[2008/05/17 07:25:43 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\Flood Light Games
[2007/10/03 12:39:49 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\fssg
[2007/05/22 21:53:53 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/11/07 10:34:19 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\SupportSoft
[2008/05/17 08:07:27 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\TEMP
[2008/04/01 19:44:19 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/11/28 09:28:04 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/11/09 19:15:43 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/10 05:44:21 | 00,000,000 | ---D | M] – C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/12/22 08:00:43 | 00,000,000 | ---D | M] – C:\Documents and Settings\Compaq_Owner\Application Data\CallingID
[2009/12/21 20:41:54 | 00,000,000 | ---D | M] – C:\Documents and Settings\Compaq_Owner\Application Data\comcasttb
[2008/11/02 17:38:56 | 00,000,000 | ---D | M] – C:\Documents and Settings\Compaq_Owner\Application Data\InterVideo
[2008/10/10 14:16:22 | 00,000,000 | ---D | M] – C:\Documents and Settings\Compaq_Owner\Application Data\WinPatrol
[2009/12/22 08:40:03 | 00,000,268 | ---- | M] () – C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2009/12/11 01:56:00 | 00,000,382 | ---- | M] () – C:\WINDOWS\Tasks\Windows Update.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 – C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 – C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 – C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 – C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 – C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\atapi.sys
[2009/12/22 09:00:41 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 – C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/22 09:00:41 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 – C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 – C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 – C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 – C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 – C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 – C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/03/09 20:09:18 | 00,870,912 | ---- | M] (Intel Corporation) MD5=79AE2A97C120F282845D854D0F070EA9 – C:\hp\drivers\Intel_Emery_RAID_v5.0.0.1032\iaStor.sys
[2005/03/09 20:09:18 | 00,870,912 | ---- | M] (Intel Corporation) MD5=79AE2A97C120F282845D854D0F070EA9 – C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 – C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 – C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 – C:\WINDOWS\system32\netlogon.dll
[2004/08/04 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A – C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A – C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 – C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 – C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 – C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< c:\$recycle.bin\*.* /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9
< End of report >

Extras Scan?
OTL Extras logfile created on: 12/22/2009 9:00:40 AM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 378.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.08 Gb Total Space | 114.41 Gb Free Space | 80.53% Space Free | Partition Type: NTFS
Drive D: | 6.96 Gb Total Space | 1.20 Gb Free Space | 17.18% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPAQ
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] – C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] – “%1” %*
cmdfile [open] – “%1” %*
comfile [open] – “%1” %*
exefile [open] – “%1” %*
htmlfile [edit] – “C:\Program Files\Microsoft Office\Office\msohtmed.exe” %1 (Microsoft Corporation)
htmlfile [open] – “C:\Program Files\Internet Explorer\IEXPLORE.EXE” -nohome (Microsoft Corporation)
htmlfile [opennew] – “C:\Program Files\Internet Explorer\IEXPLORE.EXE” %1 (Microsoft Corporation)
http [open] – “C:\Program Files\Internet Explorer\IEXPLORE.EXE” -nohome (Microsoft Corporation)
https [open] – “C:\Program Files\Internet Explorer\IEXPLORE.EXE” -nohome (Microsoft Corporation)
piffile [open] – “%1” %*
regfile [merge] – Reg Error: Key error.
scrfile [config] – “%1”
scrfile [install] – rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] – “%1” /S
txtfile [edit] – Reg Error: Key error.
Unknown [openas] – %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] – %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] – %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] – %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] – %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] – “C:\Program Files\Internet Explorer\IEXPLORE.EXE” %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] – “C:\Program Files\Internet Explorer\iexplore.exe” (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
“FirstRunDisabled” = 1
“UpdatesDisableNotify” = 0
“AntiVirusOverride” = 0
“FirewallOverride” = 0
“AntiVirusDisableNotify” = 0
“FirewallDisableNotify” = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
“EnableFirewall” = 1
“DoNotAllowExceptions” = 0
“DisableNotifications” = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
“C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe” = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections – (Hewlett-Packard)
“C:\Program Files\Windows Live\Messenger\msnmsgr.exe” = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger – File not found
“C:\Program Files\Windows Live\Messenger\livecall.exe” = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) – File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe” = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections – (Hewlett-Packard)
“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger – (Yahoo! Inc.)
“C:\Program Files\Windows Live\Messenger\msnmsgr.exe” = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger – File not found
“C:\Program Files\Windows Live\Messenger\livecall.exe” = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) – File not found
“C:\Program Files\Bonjour\mDNSResponder.exe” = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour – (Apple Inc.)
“C:\Program Files\iTunes\iTunes.exe” = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes – (Apple Inc.)
“C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe” = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent – File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
“{00010409-78E1-11D2-B60F-006097C998E7}” = Microsoft Office 2000 Professional
“{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}” = PhotoGallery
“{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}” = CP_Package_Variety1
“{07287123-B8AC-41CE-8346-3D777245C35B}” = Bonjour
“{075473F5-846A-448B-BCB3-104AA1760205}” = Sonic RecordNow Data
“{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}” = Destinations
“{0BEDBD4E-2D34-47B5-9973-57E62B29307C}” = ATI Control Panel
“{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}” = CP_Package_Variety3
“{21657574-BD54-48A2-9450-EB03B2C7FC29}” = Sonic MyDVD Plus
“{21DB3D90-D816-4092-A260-CA3F6B55A6DD}” = Sonic_PrimoSDK
“{23012310-3E05-46A5-88A9-C6CBCABCAC79}” = Customer Experience Enhancement
“{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}” = CP_Panorama1Config
“{2818095F-FB6C-42C8-827E-0A406CC9AFF5}” = Quicken 2006
“{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}” = Unload
“{30465B6C-B53F-49A1-9EBA-A3F187AD502E}” = Sonic Update Manager
“{3248F0A8-6813-11D6-A77B-00B0D0150050}” = J2SE Runtime Environment 5.0 Update 5
“{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}” = InstantShareDevices
“{341201D4-4F61-4ADB-987E-9CCE4D83A58D}” = Windows Live Toolbar Extension (Windows Live Toolbar)
“{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}” = WebFldrs XP
“{36E47DA1-10E1-45d9-8B19-14D19607CDCF}” = CP_CalendarTemplates1
“{382E94C0-6E22-44e4-B003-8EB31DFE296F}” = cp_LightScribeConfig
“{3912A629-0020-0005-3757-2FBA74D4DF0A}” = InterVideo WinDVD Player
“{3AC54383-31D1-4907-961B-B12CBB1D0AE8}” = MobileMe Control Panel
“{3BA95526-6AE0-4B87-A62D-17187EF565FC}” = HP Boot Optimizer
“{3FA365DF-2D68-45ED-8F83-8C8A33E65143}” = Apple Application Support
“{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}” = Microsoft Works
“{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}” = FullDPAppQFolder
“{56EE8B17-8274-418d-89AC-C057C5DB251E}” = RandMap
“{5A01C58E-B0EC-49b9-AD71-7C0468688087}” = CP_Package_Basic1
“{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}” = Sonic Express Labeler
“{66BA8C26-AFE4-4408-807B-43E76B57EF53}” = SkinsHP1
“{6956856F-B6B3-4BE0-BA0B-8F495BE32033}” = Apple Software Update
“{7299052b-02a4-4627-81f2-1818da5d550d}” = Microsoft Visual C++ 2005 Redistributable
“{770657D0-A123-3C07-8E44-1C83EC895118}” = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
“{7745B7A9-F323-4BB9-9811-01BF57A028DA}” = Map Button (Windows Live Toolbar)
“{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}” = Windows Live Favorites for Windows Live Toolbar
“{7E27304E-BAA2-4d90-A34E-76641FAFABB4}” = CP_AtenaShokunin1Config
“{91477C6F-EC7C-4BFC-BBE1-E45908019DED}” = LightScribe 1.4.52.1
“{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}” = InterVideo WinDVD Player
“{9422C8EA-B0C6-4197-B8FC-DC797658CA00}” = Windows Live Sign-in Assistant
“{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}” = Microsoft .NET Framework 3.0 Service Pack 2
“{A3D44AD8-D3C9-45E4-B861-3B653C6EF620}” = Rhapsody MP3 Download Manager
“{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}” = QuickTime
“{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}” = CueTour
“{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}” = Highlight Viewer (Windows Live Toolbar)
“{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}” = Windows Live installer
“{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}” = Apple Mobile Device Support
“{AB5D51AE-EBC3-438D-872C-705C7C2084B0}” = DeviceManagementQFolder
“{AB708C9B-97C8-4AC9-899B-DBF226AC9382}” = Sonic RecordNow Audio
“{AC76BA86-7AD7-1033-7B44-A70000000000}” = Adobe Reader 7.0
“{B12665F4-4E93-4AB4-B7FC-37053B524629}” = Sonic RecordNow Copy
“{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}” = CP_Package_Variety2
“{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}” = BufferChm
“{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}” = Microsoft .NET Framework 2.0 Service Pack 2
“{C104580B-1C79-4d73-9BF0-CA0B184296A4}” = cp_LightScribePlugin
“{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}” = Microsoft .NET Framework 1.1
“{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}” = Microsoft .NET Framework 3.5 SP1
“{CEF7211D-CE3A-44C4-B321-D84A2099AE94}” = Comcast Desktop Software (v1.2.0.9)
“{D0122362-6333-4DE4-93F6-A5A2F3CC101A}” = Compaq Organize
“{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}” = iTunes
“{D5A145FC-D00C-4F1A-9119-EB4D9D659750}” = Windows Live Toolbar
“{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}” = Safari
“{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1” = HP Support Overview
“{D87149B3-7A1D-4548-9CBF-032B791E5908}” = Desktop Doctor
“{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}” = HpSdpAppCoreApp
“{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}” = HP Software Update
“{F084395C-40FB-4DB3-981C-B51E74E1E83D}” = Smart Menus (Windows Live Toolbar)
“045C89A0-CA37-443C-8826-F750227DE69C” = Shooting Stars Pool from Compaq (remove only)
“05E21449-3BA3-42BF-BBDA-95205F4EA40A” = Polar Bowler from Compaq (remove only)
“0BD36D37-C5D7-4B96-B64A-CB2C3A82EC4D” = Zuma Deluxe from Compaq (remove only)
“29FF6D07-4A15-41F1-9D5E-E0F3A58012C6” = Bounce Symphony from Compaq (remove only)
“3330A279-CC39-4A17-AE19-DA464B26AD9A” = Polar Golfer from Compaq (remove only)
“422C7575-C10D-4795-87FA-9972765379E6” = Mah Jong Quest from Compaq (remove only)
“52AEBC18-F252-4B0C-B3E1-724537D9F873” = Ricochet Lost Worlds from Compaq (remove only)
“53474592-01BC-4338-8647-FE350957D912” = Barnyard Invasion from Compaq (remove only)
“5AF1DD17-7B06-45EF-8592-2E524E458BAB” = Insaniquarium Deluxe from Compaq (remove only)
“63E4EC24-7173-4E1F-9C77-B4403CBCF91F” = Lemonade Tycoon 2 from Compaq (remove only)
“66195170-D19D-46C5-8FB7-8A4630071ADC” = Tradewinds from Compaq (remove only)
“75528D5F-DD82-402E-BA7C-045B7DC6A712” = Blasterball 2 from Compaq (remove only)
“85CF9BF3-1057-468C-962D-31BAABC6AC72” = FATE from Compaq (remove only)
“8D11F98B-4931-44F6-8FC6-971CCBBBB131” = Snowboard SuperJam from Compaq (remove only)
“9448DE42-C017-4A3E-A0BB-C50BF673E9E0” = Chuzzle Deluxe from Compaq (remove only)
“9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9” = Blasterball 2 Remix from Compaq (remove only)
“Adobe Flash Player ActiveX” = Adobe Flash Player 10 ActiveX
“Adobe Flash Player Plugin” = Adobe Flash Player 10 Plugin
“Agere Systems Soft Modem” = Agere Systems PCI-SV92PP Soft Modem
“ATI Display Driver” = ATI Display Driver
“avast!” = avast! Antivirus
“BBCBAA5D-AC5A-4098-A53E-EC60A68F38F9” = Shrek 2 Ogre Bowler from Compaq (remove only)
“BBE9E0F3-11F7-4424-9905-8E0153E872C1” = Family Feud
“BFAF1EEC-E987-415B-BCB8-80CDB0BC6CDF” = Blackhawk Striker 2 from Compaq (remove only)
“C43D84CD-EBFC-48D3-A330-7868C8AD415A” = Crystal Maze from Compaq (remove only)
“C6D35CCA-3F9E-4B6E-A17F-409EE7379D6B” = Boggle Supreme from Compaq (remove only)
“comcasttb” = Comcast Toolbar 3.0
“Compaq Game Console” = Compaq Game Console and games
“D84AC71A-75E8-4709-8BA5-4B46EAC00C5E” = Bejeweled 2 Deluxe from Compaq (remove only)
“DE87FA96-7840-420C-86F9-33F3B7B3CED1” = Super Granny from Compaq (remove only)
“E1A0F769-A43A-4DDB-9F73-12791E453557” = Puzzle Express from Compaq (remove only)
“E618FC78-EE4F-4243-8409-078EB5E0B1F6” = Bookworm Deluxe from Compaq (remove only)
“F05A08BF-E600-4FBD-A53A-3D47296B1275” = Lexibox Deluxe from Compaq (remove only)
“F19E8CDF-5EFD-45E0-9FAF-66CBAE84B1D9” = Slingo Deluxe from Compaq (remove only)
“FA6A73EB-40AB-4B58-851D-3892B3C10EF6” = SCRABBLE from Compaq (remove only)
“HijackThis” = HijackThis 2.0.2
“HP Imaging Device Functions” = HP Imaging Device Functions 5.3
“HP Photo & Imaging” = HP Image Zone 5.3
“HPOOVClient-5577497 Uninstaller” = Compaq Connections (remove only)
“IDNMitigationAPIs” = Microsoft Internationalized Domain Names Mitigation APIs
“ie7” = Windows Internet Explorer 7
“ie8” = Windows Internet Explorer 8
“Install WeatherBug” = Remove WeatherBug Installer
“InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}” = Customer Experience Enhancement
“Microsoft .NET Framework 1.1 (1033)” = Microsoft .NET Framework 1.1
“Microsoft .NET Framework 3.5 SP1” = Microsoft .NET Framework 3.5 SP1
“Money2005b” = Microsoft Money 2005
“MSCompPackV1” = Microsoft Compression Client Pack 1.0 for Windows XP
“NLSDownlevelMapping” = Microsoft National Language Support Downlevel APIs
“PS2” = PS2
“Python 2.2.3” = Python 2.2.3
“pywin32-py2.2” = Python 2.2 pywin32 extensions (build 203)
“RealPlayer 6.0” = RealPlayer
“Windows Live Toolbar” = Windows Live Toolbar
“Windows Media Format Runtime” = Windows Media Format 11 runtime
“Windows Media Player” = Windows Media Player 11
“Windows XP Service Pack” = Windows XP Service Pack 3
“WMFDist11” = Windows Media Format 11 runtime
“wmp11” = Windows Media Player 11
“Wudf01000” = Microsoft User-Mode Driver Framework Feature Pack 1.0
“Yahoo! Companion” = Yahoo! Toolbar
“Yahoo! Messenger” = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/20/2009 12:26:50 PM | Computer Name = COMPAQ | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 12/20/2009 12:27:22 PM | Computer Name = COMPAQ | Source = Application Hang | ID = 1002
Description = Hanging application bcont.exe, version 6.9.2258.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/20/2009 12:27:27 PM | Computer Name = COMPAQ | Source = Application Hang | ID = 1001
Description = Fault bucket 439016576.

Error - 12/21/2009 4:59:50 PM | Computer Name = COMPAQ | Source = AntiSpywareService | ID = 0
Description =

Error - 12/22/2009 3:27:36 AM | Computer Name = COMPAQ | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module gdi32.dll, version 5.1.2600.5698, fault address 0x0001f0e8.

Error - 12/22/2009 4:13:23 AM | Computer Name = COMPAQ | Source = Application Hang | ID = 1002
Description = Hanging application ashChest.exe, version 4.8.1367.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/22/2009 8:53:12 AM | Computer Name = COMPAQ | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/22/2009 8:53:23 AM | Computer Name = COMPAQ | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 12/22/2009 9:24:09 AM | Computer Name = COMPAQ | Source = Application Hang | ID = 1002
Description = Hanging application Safari.exe, version 5.31.21.10, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/22/2009 9:24:12 AM | Computer Name = COMPAQ | Source = Application Hang | ID = 1001
Description = Fault bucket 1555737561.

[ System Events ]
Error - 12/17/2009 4:18:20 PM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/19/2009 11:44:04 AM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/19/2009 11:44:04 AM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/20/2009 1:33:46 AM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/20/2009 1:33:46 AM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/20/2009 2:07:06 AM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/20/2009 2:07:06 AM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/20/2009 5:40:33 PM | Computer Name = COMPAQ | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 12/21/2009 4:59:16 PM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/21/2009 4:59:16 PM | Computer Name = COMPAQ | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

< End of report > :o
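The three things a triager reads first in an OTL Extras log like the one above are the MD5 blocks (does the live copy under system32 still hash the same as the ServicePackFiles reference copy), the Shell Spawning section (is the [open] handler for exefile, batfile and friends still the stock “%1” %*), and the firewall exceptions that point at programs which no longer exist. The script below does those three checks mechanically. It is an added example, not part of the original post and not OldTimer's code; it parses OTL's line format from a constructed sample in which the netlogon.dll values are modelled on the log above while EXAMPLE.SYS, hook.exe and gone.exe are made up so that each check has something to flag. Note that the $NtServicePackUninstall$ copy is deliberately not used as a reference: it is the pre-SP3 file and legitimately differs, as the real netlogon.dll block shows.

```python
"""Mechanical triage of an OTL Extras log (added example, not OTL's own code).

SAMPLE is constructed to mimic OTL's line format.  The netlogon.dll lines are
modelled on a real log; EXAMPLE.SYS, hook.exe and gone.exe are invented so
that each check below has something to report.
"""
import re

SAMPLE = """\
< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\\WINDOWS\\ServicePackFiles\\i386\\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\\WINDOWS\\system32\\netlogon.dll
[2004/08/04 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\\WINDOWS\\$NtServicePackUninstall$\\netlogon.dll

< MD5 for: EXAMPLE.SYS >
[2008/04/13 19:12:05 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\\WINDOWS\\ServicePackFiles\\i386\\example.sys
[2009/12/20 01:33:46 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000002 -- C:\\WINDOWS\\system32\\drivers\\example.sys

========== Shell Spawning ==========
batfile [open] -- "%1" %*
exefile [open] -- "C:\\Documents and Settings\\user\\hook.exe" "%1" %*

========== Authorized Applications List ==========
"C:\\Program Files\\Gone\\gone.exe" = C:\\Program Files\\Gone\\gone.exe:*:Enabled:Gone -- File not found
"C:\\Program Files\\Here\\here.exe" = C:\\Program Files\\Here\\here.exe:*:Enabled:Here -- (Vendor)
"""

# OTL writes " -- " between fields; forum renderers often turn it into an en dash.
_DASH = r"\s+(?:--|" + "\u2013" + r")\s+"
MD5_HEADER = re.compile(r"^< MD5 for: (.+?) >$")
MD5_LINE = re.compile(r"^\[.*?\]\s+\(.*?\)\s+MD5=([0-9A-Fa-f]{32})" + _DASH + r"(.+)$")
SHELL_LINE = re.compile(r"^(\w+) \[(\w+)\]" + _DASH + r"(.+)$")
FIREWALL_LINE = re.compile(r'^"[^"]+" = (.+?):\*?:(?:Enabled|Disabled):.*' + _DASH + r"File not found$")

# Copies that are a trustworthy reference for the installed service-pack level.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
# File classes whose [open] handler must be exactly "%1" %* on a clean XP box.
EXEC_CLASSES = {"exefile", "batfile", "cmdfile", "comfile", "piffile"}


def _norm(line):
    """Strip whitespace and map curly quotes (forum rendering) back to ASCII."""
    return line.strip().replace("\u201c", '"').replace("\u201d", '"')


def parse_md5_blocks(text):
    """Return {FILENAME: [(path, md5), ...]} for every '< MD5 for: X >' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = _norm(raw)
        header = MD5_HEADER.match(line)
        if header:
            current = header.group(1).upper()
            blocks.setdefault(current, [])
            continue
        if not line:
            current = None  # a blank line ends the block
            continue
        entry = MD5_LINE.match(line)
        if entry and current is not None:
            blocks[current].append((entry.group(2), entry.group(1).upper()))
    return blocks


def find_hash_mismatches(text):
    """Names whose live system32 (or system32\\drivers) copy hashes differently
    from the ServicePackFiles/dllcache reference.  $NtServicePackUninstall$ is
    the pre-SP version and is ignored on purpose."""
    flagged = []
    for name, entries in parse_md5_blocks(text).items():
        reference = {md5 for path, md5 in entries
                     if any(d in path.lower() for d in REFERENCE_DIRS)}
        live = {md5 for path, md5 in entries
                if "\\system32\\" in path.lower() and "\\dllcache\\" not in path.lower()}
        if reference and live and not live <= reference:
            flagged.append(name)
    return flagged


def find_shell_hijacks(text):
    """(class, command) for executable [open] handlers that are not the stock '"%1" %*'."""
    flagged = []
    for raw in text.splitlines():
        m = SHELL_LINE.match(_norm(raw))
        if m and m.group(1).lower() in EXEC_CLASSES and m.group(2).lower() == "open":
            command = m.group(3).strip()
            if command != '"%1" %*':
                flagged.append((m.group(1), command))
    return flagged


def find_stale_firewall_exceptions(text):
    """Paths of firewall AuthorizedApplications entries whose program is gone from disk."""
    return [m.group(1) for m in (FIREWALL_LINE.match(_norm(l)) for l in text.splitlines()) if m]


if __name__ == "__main__":
    print("hash mismatches:", find_hash_mismatches(SAMPLE))
    print("shell hijacks:", find_shell_hijacks(SAMPLE))
    print("stale firewall exceptions:", find_stale_firewall_exceptions(SAMPLE))
```

Run it against a saved Extras.txt by replacing SAMPLE with the file's contents. A hash mismatch is a lead, not a verdict: a hotfix newer than SP3 also changes the system32 copy, so check the file date and the SoftwareDistribution\Download copy before calling it patched. A non-stock exefile handler, on the other hand, is almost never legitimate.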

:slight_smile: Hi :

As far as I know, the only one knowledgeable enough to interpret those logs is “essexboy”, who is an experienced, CERTIFIED, volunteer “Malware Removal Specialist”, who occasionally helps out on these forums and who is also a Moderator on the GeeksToGo Advanced Malware Removal Forums at www.geekstogo.com/forum/forums.html .

So I recommend you either send him an Avast-oriented “Private Message” asking for help OR go to those GeeksToGo Forums and request help.

Hi there,

Some signs of malware are present. We need a deeper look before proceeding.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Download GMER Rootkit Scanner from here or here.

[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
[*] If it gives you a warning about rootkit activity and asks if you want to run scan…click on NO.


http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif


[*] In the right panel, you will see several boxes that have been checked. Uncheck the following …
[*] Sections
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.

[*] Save it where you can easily find it, such as your desktop, and post it in your next reply.

Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<-- ROOTKIT” entries.

Please post back with
[*] GMER log

Thanks

Old man, not trying to hijack this user’s post and will be happy to start my own thread, but I am having almost the exact same issue too - can you help me as well?

@avwonder,

Please start your own thread with the OTL logs and a GMER log. I’ll have a look.