Runaway SVCHost.exe consumes memory, creates many files in Local Service App Data Temp Internet Files

On one of our computers running WinXP Pro SP3, we have an instance of a runaway svchost.exe. It looks like a virus has it but neither AVG nor MalwareBytes have been able to detect and destroy.
Major symptoms include:
1. At first logon after boot, we may get a message from AVG Link Scanner saying threat "Exploit Blackhole ..." has been blocked - process is svchost.exe (with its PID). I've tried some spywares purported to remove the "Exploit Blackhole Exploit kit" - no joy here either.
2. The Local Service account's C:\Doc and Set\Local service\Application Data\Temporary Internet Files has at least 2 folders and several hundred files - many look like cookies of pages from commercial ads - count is growing constantly. When I try to delete these files and folders, Unlocker tells me the file is "controlled" (locked) by svchost.exe with the same PID as the one with runaway memory consumption identified in 1 above.
3. Using Tasklist /svc and MS's Process Explorer, I see that this instance of svchost has launched a lot of the standard services (see below)
-----------------------------
I cleaned out some suspected viral programs found in C:\windows\temp named VNC.exe, VND.exe and VNE.exe
-----------------------------
The services listed for the runaway svchost.exe process are:
(hand copied from the procexp balloon)
bits
com+
computer browser
dhcp client
distributed link
error reporting service
fast user switching
help and support
human interface
logical disk manager
network connections
network location awareness
Remote acccess conn manager
secondary login
security center
server
shell hardware detection
system event notification
system restore service
task scheduler
Telephony
Themes
WMI
Windows Time
Workstation
------------------------
Then here's the svchost.exe task list - the offender is PID 6884 (the last in the list)
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1112 DcomLaunch, TermService
svchost.exe                 1192 RpcSs
svchost.exe                 1484 Dnscache
svchost.exe                 1724 LmHosts, RemoteRegistry, SSDPSRV
svchost.exe                  424 WebClient
svchost.exe                 1016 itlperf
svchost.exe                 2108 stisvc
svchost.exe                 4264 N/A
svchost.exe                 6884 BITS, Browser, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, HidServ, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc
===============================================
What is this spook and how do I eradicate it without having to do a total system reconstruction - or am I stuck with having to baseline the machine?
grant-ellsworthAsked:
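The poster matched the runaway PID to its hosted services by reading the `tasklist /svc` output by hand. As an added example (not from the thread or from any of the tools named in it), the Python script below parses that output, joining the wrapped Services column, cross-references it with the memory column of a plain `tasklist` run, and flags svchost.exe instances that either host no services or exceed a memory threshold. Both sample outputs are constructed: the /svc rows follow the poster's table, the memory figures are invented.

```python
"""Cross-reference `tasklist /svc` with plain `tasklist` memory figures to pick
out svchost.exe instances worth a closer look.  Added example, not from the
thread; both sample outputs are constructed (the /svc rows follow the poster's
table, the memory figures are invented)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `tasklist /svc` output in the Windows XP column layout.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1112 DcomLaunch, TermService
svchost.exe                 4264 N/A
svchost.exe                 6884 BITS, Browser, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, HidServ, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc
explorer.exe                1640 N/A
"""

# Constructed sample of plain `tasklist` output; the memory values are made up.
TASKLIST_MEM = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                 1112 Console                 0      4,420 K
svchost.exe                 4264 Console                 0      3,104 K
svchost.exe                 6884 Console                 0    612,340 K
explorer.exe                1640 Console                 0     21,776 K
"""


def _table(text: str) -> Tuple[List[Tuple[int, int]], List[str]]:
    """Derive column spans from the '===== ======' separator; return (spans, rows)."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sep = next(i for i, ln in enumerate(lines) if re.fullmatch(r"=+( =+)+", ln))
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep])]
    return spans, lines[sep + 1:]


def _split_services(chunk: str) -> List[str]:
    # 'BITS, Browser, Dhcp,' -> ['BITS', 'Browser', 'Dhcp']; 'N/A' -> []
    names = [s.strip() for s in chunk.split(",")]
    return [s for s in names if s and s != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, hosted services).  Long service lists wrap onto
    rows that leave Image Name and PID blank; those extend the previous record."""
    spans, rows = _table(text)
    (img0, img1), (_, pid1) = spans[0], spans[1]
    result: Dict[int, Tuple[str, List[str]]] = {}
    last_pid = None
    for row in rows:
        if row[:pid1].strip() == "":          # continuation row (or blank)
            if last_pid is not None:
                result[last_pid][1].extend(_split_services(row[pid1:]))
            continue
        pid = int(row[img1:pid1 + 1].split()[-1])
        result[pid] = (row[img0:img1].strip(), _split_services(row[pid1:]))
        last_pid = pid
    return result


def parse_tasklist_mem(text: str) -> Dict[int, int]:
    """Map PID -> working set in KB from plain `tasklist` output, reading the
    trailing '612,340 K' figure rather than trusting exact column widths."""
    spans, rows = _table(text)
    (_, img1), (_, pid1) = spans[0], spans[1]
    memory: Dict[int, int] = {}
    for row in rows:
        figure = re.search(r"([\d,]+)\s*K$", row)
        if row[:pid1].strip() == "" or figure is None:
            continue
        pid = int(row[img1:pid1 + 1].split()[-1])
        memory[pid] = int(figure.group(1).replace(",", ""))
    return memory


def suspicious_svchosts(svc_text: str, mem_text: str,
                        mem_threshold_kb: int = 200_000) -> List[dict]:
    """Flag svchost.exe instances hosting no service at all (a legitimately
    started svchost normally hosts at least one) or exceeding the memory
    threshold; each finding lists the hosted services for the PID."""
    services = parse_tasklist_svc(svc_text)
    memory = parse_tasklist_mem(mem_text)
    findings: List[dict] = []
    for pid, (image, hosted) in sorted(services.items()):
        if image.lower() != "svchost.exe":
            continue
        reasons = []
        if not hosted:
            reasons.append("hosts no services")
        if memory.get(pid, 0) > mem_threshold_kb:
            reasons.append(f"working set {memory[pid]:,} K above threshold")
        if reasons:
            findings.append({"pid": pid, "services": hosted, "reasons": reasons})
    return findings
```

On a live machine, feed the script the captured text of `tasklist /svc > svc.txt` and `tasklist > mem.txt` instead of the embedded samples; a flagged PID with no services is the one to check for image path and parent process first.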
grant-ellsworthAuthor Commented:
Just noticed some critical typing errors - so redundantly ...
----- symptoms ... again ----
1. At first logon after boot, we may get a message from AVG Link Scanner saying threat "Exploit Blackhole ..." has been blocked - process is svchost.exe (with its PID). I've tried some spywares purported to remove the "Exploit Blackhole Exploit kit" - no joy here either.
2. The Local Service account's C:\Doc and Set\LocalService\Local Settings\Temporary Internet Files has at least 20 folders and several hundred files - many look like cookies of pages from commercial ads - count is growing constantly. When I try to delete these files and folders, Unlocker tells me the file is "controlled" (locked) by svchost.exe with the same PID as the one with runaway memory consumption identified in 1 above.
3. Using Tasklist /svc and MS's Process Explorer, I see that this instance of svchost has launched a lot of the standard
younghvCommented:
You might want to review my Articles for more details:
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Stopping any rogue processes (it sounds as though you have them) is critical to allowing the malware tools to work.

I mention www.ccleaner.com which is great for cleaning out all of those temp/junk folders.
If it won't work after running RogueKiller, you might have to boot to Safe Mode to do the CCleaner, then back to Normal Mode for RogueKiller and MBAM.

younghvCommented:
If the combinations shown above do not help you, we can also walk you through the use of:

TDSKiller;
HitmanPro; and
ComboFix
rpggamergirlCommented:
As younghv already suggested try ComboFix, and also OTL.

OTL is a diagnostic tool; it won't delete any files on its first run and will only delete bad files using a script.

1. Download OTL, save to Desktop or other convenient location.
http://oldtimer.geekstogo.com/OTL.exe

2. OTL does not need to be installed, simply click the OTL icon to run
3. Click the Quick Scan Button.
4. A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
5. Post/attach the log here.



ComboFix:(attach the log)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
grant-ellsworthAuthor Commented:
I downloaded and ran RogueKiller - option 1. It killed several svchost.exe processes, generated a logfile (below), and forced a reboot - saying that NT Authority had to shut down because the DCOM launcher service was terminated / not available. After reboot, the log said it couldn't delete vnc.exe, vnd.exe, vne.exe. I could find them nowhere on the computer (searching for vn*.exe dir /s /e P; I am inserting the first log here). Local service / local settings / temp internet files - all bogus folders could be deleted. I let the machine sit and fester for about 2 hrs to see if anything adverse would occur. It did and we're almost back to where we started. Temp Internet Files\content.ie5\ 20 bogus folders - same as ones deleted earlier. svchost.exe is gobbling RAM. I repeated the process again with RogueKiller - got same results. I am appending the RK log here. Also, of interest, the RK quarantine folder contains a svchost.exe.vir file which is about the same size as the file in the windows folder - 14K, but much smaller than the file in the prefetch folder (80K). What next? Is baselining this box the only option?
---------------------------------------------------------------------------------------------------
RK Log from 1st run:
RogueKiller V4.3.8 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: sysadmin [Admin rights]
Mode: Scan -- Date : 04/10/2011 16:42:48

Bad processes: 9
[SVCHOST] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[RESIDUE] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED

Registry Entries: 6
[APPDT/TMP/DESKTOP] {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job : vne.exe -> FOUND
[APPDT/TMP/DESKTOP] {810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job : vnc.exe -> FOUND
[APPDT/TMP/DESKTOP] {22116563-108C-42c0-A7CE-60161B75E508}.job : vnd.exe -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

HOSTS File:


Finished : << RKreport[1].txt >>
RKreport[1].txt
------------------
Quarantine log
 Time : 10/04/2011 16:42:48
 --------------------------
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
ERROR [vne.exe.vir] -> c:\windows\temp\vne.exe
ERROR [vnc.exe.vir] -> c:\windows\temp\vnc.exe
ERROR [vnd.exe.vir] -> c:\windows\temp\vnd.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
[svchost.exe.vir] -> c:\windows\system32\svchost.exe
grant-ellsworthAuthor Commented:
I neglected to note: SVCHost.exe is gobbling up ram as it did before attempting to clean it with roguekiller.

Again - what's next?
younghvCommented:
Have you taken any of the other actions described in my articles?

Running RogueKiller is merely a way to stop the  malware processes so that Malwarebytes can scan/clean the infection.
grant-ellsworthAuthor Commented:
I ran MalwareBytes after the forced reboot - it didn't find anything. This may have been pointless because evidence shows that the gremlin returned. Any suggestions on how to stop the forced reboot?
grant-ellsworthAuthor Commented:
Just to clarify -- repeating what I wrote above with a little less noise and typos fixed .. >> It (RogueKiller) killed several svchost.exe processes, generated a logfile (below), and forced a reboot - saying that NT Authority had to shut down because the DCOM launcher Service was terminated / not available.

I was unable to prevent the reboot.  The machine wouldn't let me do a damn thing - no clicks, except to scroll the RK results window.
younghvCommented:
What happens now when you run RogueKiller - does it still force a reboot?

With XP, you should be able to "Ctrl+Tab" between applications - even if one of the applications is asking you to re-boot.
grant-ellsworthAuthor Commented:
Apparently, being a little slow sometimes, I missed a detail.  Here's the more detailed sequence:
1. I reboot/start computer
2. Login as admin-enabled user
3. Launch RogueKiller
**** HERE IS DETAIL I MISSED! ***
4. RogueKiller screen starts off reporting that it killed a process using svchost.exe
[I didn't pay attention to this and went on to next step]
5. I keyed in "1" <cr> to trigger scan
6. Processing proceeds, I see same content as in report ... and then "boom" ...
7. Message pops up about DCOM launcher service / NT Authority initiating reboot
8. No apps to tab thru - just the RogueKiller DOS screen where I can only scroll - no way to arrest reboot.
9. System reboots. We go directly to jail; we do not pass go; we do not collect $200. We are back where we started.

What's next? Should I try running MBAM after RK kills the process before running the RK scan (option 1)?
younghvCommented:
"Should I try running MBAM after RK kills the process before running the RK scan (option 1)?"

Yes - if that is the only way to kick the MBAM scan.

Please clarify - the system 'auto-reboots' without any action on your part?
Thanks.
grant-ellsworthAuthor Commented:
In this context, I used the term "auto reboot" to mean that the machine automatically went to reboot after producing that NT Authority requested reboot message without my doing anything. I did not mean that it went into a <shudder> reboot loop.
younghvCommented:
Yikes on the loop!
Glad that isn't happening.

You can also try similar applications:
RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill
exeHelper: http://www.raktor.net/exeHelper/exeHelper.com
grant-ellsworthAuthor Commented:
Ran RogueKiller as specified. Saw display saying that bad process svchost.exe was terminated. Closed RK w/o doing anything in RK.
Ran MalwareBytes - perform full scan. Found nothing.
My next step can't occur until I can finger the machine directly to launch into safe mode. If we can get into safe mode, we'll run RogueKiller / MBAM again. But now I'm thinking this machine should be euthanized. Unless you have other ideas . . .
younghvCommented:
"rpggamergirl" is the best we have on EE and she had some specific suggestions here:
http:#a35359782

She is one of the certified/trusted helpers for ComboFix, so try running that - then post the log for her to review.
grant-ellsworthAuthor Commented:
Situation update.
Rebooted victim
logged in as admin
waited till I saw an instance of svchost going runaway use of RAM (in Task Manager)
ran RK
Saw DOS box report terminated svchost.exe - but no evidence it was ever visible in Task Manager
Closed RK
The run-amok svchost.exe still consuming RAM
Ran RK again after a few mins
Still reports bad process svchost.exe killed (terminated)
Closed RK
Ran RK again
This time - no svchost.exe process killed
Ran RK Scan - found nothing
closed RK
Ran Mbam - found some registry entries and files
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdateBeta (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLEUPDATEBETA (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Temp\933c2726-97e9-4012-b98f-1decc94ba955.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\e824d586-56ab-40a9-b675-34f103613ac2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\0.06967788854536572.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\0.6173767796342979.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
----------------------------
rebooted victim and logged in as admin
waited about 5 mins
See svchost.exe instance growing
Ran RK
RK reports killed process svchost.exe
close RK
Wait a few
Ran RK
RK still reports killed process svchost.exe
close RK
Wait a few
Ran RK
RK now does not report killed process svchost.exe
close RK
wait a few
svchost.exe keeps on rising.
Kill run-amok svchost.exe via Task Manager
wait a while
svchost.exe rises again.
check registry for deleted values (did they come back, too?) - not present
checked for files - not present

I'm ready to degauss this thing. I just wish you all could identify/name this trojan devil

Will give the OTL and ComboFix a look - but I'm thinking I'm now on a wild goose chase hunting snipes.
grant-ellsworthAuthor Commented:
OTL Quick Scan Log - used default settings
---------------------------
OTL logfile created on: 4/12/2011 1:15:55 AM - Run 1
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Documents and Settings\sysadmin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.04 Gb Total Space | 17.90 Gb Free Space | 36.49% Space Free | Partition Type: NTFS
Drive D: | 6.83 Gb Total Space | 4.72 Gb Free Space | 69.13% Space Free | Partition Type: FAT32
 
Computer Name: JESSAMINE | User Name: sysadmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2011/04/12 00:54:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sysadmin\Desktop\OTL.exe
PRC - [2010/11/24 09:37:56 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/09/20 09:24:29 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/06/22 09:31:11 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/06/22 09:31:06 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/06/22 09:30:16 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/06/22 09:30:14 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/02/11 12:11:14 | 000,403,184 | ---- | M] (NTRglobal) -- C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
PRC - [2009/09/18 05:54:20 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/15 23:14:20 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/01/27 05:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIABA.EXE
PRC - [2004/12/17 09:00:00 | 000,118,784 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE
 
 
[color=#E56717]========== Modules (SafeList) ==========[/color]
 
MOD - [2011/04/12 00:54:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sysadmin\Desktop\OTL.exe
MOD - [2011/04/09 13:08:12 | 000,016,784 | -H-- | M] (NTRglobal (Net Transmit & Receive S.L.)) -- C:\Program Files\NTR global\NTRconnect\7.ntr
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV - [2011/04/05 17:40:51 | 000,215,552 | ---- | M] (Intel Corporation                                           ) [Auto | Running] -- C:\WINDOWS\system32\itlpfw32.dll -- (itlperf)
SRV - [2010/06/22 09:31:06 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/02/11 12:11:14 | 000,403,184 | ---- | M] (NTRglobal) [Auto | Running] -- C:\Program Files\NTR global\NTRconnect\NTRconnect.exe -- (ntrconnect)
SRV - [2009/12/17 12:11:42 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/18 05:54:20 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor8.0)
SRV - [2006/02/15 23:14:20 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV - [2010/06/22 09:31:14 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/22 09:30:19 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/01 08:42:03 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/05/22 08:07:23 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/03/12 04:00:00 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/03/12 04:00:00 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/02/15 23:18:51 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/06/05 20:30:00 | 000,233,216 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/05/22 22:31:46 | 001,034,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/05/22 22:30:54 | 000,222,720 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/22 22:30:42 | 000,716,288 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/31 03:46:58 | 000,350,976 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/03/31 03:46:10 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/03/16 01:43:06 | 000,159,488 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/02/11 10:46:00 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
[color=#E56717]========== FireFox ==========[/color]
 
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.855
FF - prefs.js..extensions.enabledItems: {C2862851-E5BF-4B49-B937-E6C36B7BFC25}:1.9.1
FF - prefs.js..extensions.enabledItems: {624C9C8F-80F2-4274-89B4-B61FA600F5A6}:1.9.1
 
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/11/24 09:41:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{C2862851-E5BF-4B49-B937-E6C36B7BFC25}: C:\Documents and Settings\Owner\Local Settings\Application Data\{C2862851-E5BF-4B49-B937-E6C36B7BFC25} [2011/04/05 12:58:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{624C9C8F-80F2-4274-89B4-B61FA600F5A6}: C:\Documents and Settings\sysadmin\Local Settings\Application Data\{624C9C8F-80F2-4274-89B4-B61FA600F5A6} [2010/09/25 02:28:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/12 22:29:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/26 01:12:57 | 000,000,000 | ---D | M]
 
[2010/06/04 00:17:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\sysadmin\Application Data\Mozilla\Extensions
[2010/09/26 10:15:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\sysadmin\Application Data\Mozilla\Firefox\Profiles\gucp2epz.default\extensions
[2010/09/26 10:15:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\sysadmin\Application Data\Mozilla\Firefox\Profiles\gucp2epz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/08 02:43:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/05 12:58:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\{C2862851-E5BF-4B49-B937-E6C36B7BFC25}
[2010/09/25 02:28:55 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\SYSADMIN\LOCAL SETTINGS\APPLICATION DATA\{624C9C8F-80F2-4274-89B4-B61FA600F5A6}
[2010/11/24 09:41:02 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG9\FIREFOX
[2010/02/25 20:23:01 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
 
Hosts file not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe ()
O4 - HKLM..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Hliqoq]  File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask    .exe ()
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe ()
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe ()
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant    .exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275625861264 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://clubgames.pogo.com/online2/pogop/bejeweled2/popcaploader_v6.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 66.92.159.2
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Filter\application/xhtml+xml {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)
O18 - Protocol\Filter\text/xml; charset=iso-8859-1 {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)
O18 - Protocol\Filter\text/xml; charset=utf-8 {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Gateway.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Gateway.bmp
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 14:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 13:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2011/04/12 01:07:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sysadmin\Desktop\OTL.exe
[2011/04/10 16:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Desktop\RK_Quarantine
[2011/04/10 04:53:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/04/10 04:15:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/10 01:06:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2011/04/09 13:17:55 | 000,000,000 | ---D | C] -- C:\Program Files\SpyNoMore
[2011/04/09 13:17:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Start Menu\Programs\SpyNoMore
[2011/04/09 13:16:16 | 004,776,814 | ---- | C] (Digital River) -- C:\Documents and Settings\sysadmin\My Documents\Spynomore.exe
[2011/04/09 13:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Application Data\GetRightToGo
[2011/04/09 13:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\My Documents\AntiMalware-lab
[2011/04/09 13:01:49 | 000,000,000 | ---D | C] -- C:\Program Files\NTR global
[2011/04/09 13:01:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\NTR global
[2011/04/09 13:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Application Data\ntr
[2011/04/08 14:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Google
[2011/04/08 07:19:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/04/08 03:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Application Data\com.oxygenxml
[2011/04/08 03:28:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Application Data\TextPad
[2011/04/08 00:14:41 | 000,000,000 | ---D | C] -- C:\Program Files\Utilities-Microsoft
[2011/04/07 12:14:31 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2011/04/06 16:06:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/04/06 09:42:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Identities
[2011/04/06 09:42:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Identities
[2011/04/06 04:49:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/05 20:30:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2011/04/05 20:30:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2011/04/05 16:53:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/04/05 16:52:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/04/05 13:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/05 13:57:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/05 13:07:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/05 13:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/15 08:16:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2011/04/12 00:54:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sysadmin\Desktop\OTL.exe
[2011/04/12 00:23:57 | 000,012,626 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/11 23:30:55 | 074,504,406 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/04/11 22:10:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/11 22:10:21 | 2137,493,504 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/10 12:57:44 | 001,103,872 | ---- | M] () -- C:\Documents and Settings\sysadmin\Desktop\RogueKiller.exe
[2011/04/10 05:07:44 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Nu3cKT46.dat
[2011/04/10 02:51:19 | 000,001,753 | ---- | M] () -- C:\Documents and Settings\sysadmin\Desktop\Scheduled Tasks.lnk
[2011/04/10 02:45:16 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\FIMX.job
[2011/04/09 22:01:41 | 000,460,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/09 22:01:41 | 000,079,442 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/09 21:31:42 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/09 21:31:06 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/09 21:27:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\windrv.sys
[2011/04/09 13:18:23 | 000,001,152 | ---- | M] () -- C:\WINDOWS\System32\windrv.sys.trojan
[2011/04/09 13:17:58 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\sysadmin\Desktop\SpyNoMore.lnk
[2011/04/09 13:17:03 | 004,776,814 | ---- | M] (Digital River) -- C:\Documents and Settings\sysadmin\My Documents\Spynomore.exe
[2011/04/09 12:59:26 | 001,418,752 | ---- | M] () -- C:\Documents and Settings\sysadmin\My Documents\NTRConnect_setup.msi
[2011/04/09 11:46:11 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/08 14:40:40 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\drmstorp.dll
[2011/04/07 11:39:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/06 16:34:11 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mtecohofaf.dat
[2011/04/06 01:30:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xwifejuzakaxod.bin
[2011/04/05 17:40:51 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/03/21 16:24:51 | 000,007,930 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\n64gp1we6i07o5y8s6j68jxcg7fuj0xm276p2jc36.suspect
[2011/03/16 10:53:32 | 000,008,360 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3687413652
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
[color=#E56717]========== Files Created - No Company Name ==========[/color]
 
[2011/04/10 16:39:20 | 001,103,872 | ---- | C] () -- C:\Documents and Settings\sysadmin\Desktop\RogueKiller.exe
[2011/04/10 05:07:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Nu3cKT46.dat
[2011/04/10 02:51:19 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\sysadmin\Desktop\Scheduled Tasks.lnk
[2011/04/09 21:27:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2011/04/09 13:18:23 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys.trojan
[2011/04/09 13:17:58 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\sysadmin\Desktop\SpyNoMore.lnk
[2011/04/09 12:59:19 | 001,418,752 | ---- | C] () -- C:\Documents and Settings\sysadmin\My Documents\NTRConnect_setup.msi
[2011/04/08 14:40:41 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\FIMX.job
[2011/04/08 14:40:40 | 000,135,168 | RHS- | C] () -- C:\WINDOWS\System32\drmstorp.dll
[2011/04/08 03:28:46 | 000,000,650 | ---- | C] () -- C:\Documents and Settings\sysadmin\Start Menu\Programs\TextPad.lnk
[2011/04/05 17:40:51 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/03/21 16:22:58 | 000,007,930 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\n64gp1we6i07o5y8s6j68jxcg7fuj0xm276p2jc36.suspect
[2011/03/15 21:22:58 | 000,008,360 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3687413652
[2010/09/26 02:56:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/24 22:22:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Xwifejuzakaxod.bin
[2010/09/24 22:22:53 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mtecohofaf.dat
[2010/06/03 22:47:26 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2010/06/03 22:47:21 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2010/06/03 22:47:21 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2010/06/03 22:47:19 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2010/06/03 22:47:18 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2010/06/03 22:47:11 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2010/06/03 22:47:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2010/06/03 22:46:58 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2010/06/03 22:46:45 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2010/01/07 21:30:53 | 000,004,940 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[2009/06/30 15:07:23 | 000,000,090 | ---- | C] () -- C:\WINDOWS\System32\Oemstatus.ini
[2009/06/30 15:05:33 | 000,000,414 | ---- | C] () -- C:\WINDOWS\GrabIt Pro.ini
[2009/06/30 15:05:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oemstatus.ini
[2008/01/30 15:39:08 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/01/30 15:39:07 | 000,066,532 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2008/01/30 15:39:07 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2008/01/30 15:39:07 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2008/01/30 15:39:07 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2008/01/30 15:39:07 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2008/01/30 15:39:07 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2008/01/30 15:39:07 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2008/01/30 15:39:07 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2008/01/30 15:39:07 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2008/01/30 15:39:07 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2008/01/30 15:39:07 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2008/01/30 15:39:07 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2008/01/30 15:39:07 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2008/01/30 15:37:41 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2008/01/30 15:37:01 | 000,000,058 | ---- | C] () -- C:\WINDOWS\EPSONSC88+.ini
[2007/04/17 17:07:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\icsetup.INI
[2006/10/03 11:34:20 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/09/26 14:08:24 | 000,029,008 | ---- | C] () -- C:\WINDOWS\System32\helphelp.dll
[2006/09/26 14:08:24 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\kwimage.dll
[2006/09/25 16:30:07 | 000,009,850 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/07/19 12:49:35 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/02/15 23:17:44 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/15 23:15:59 | 000,000,004 | ---- | C] () -- C:\WINDOWS\Pix11.dat
[2006/02/15 23:14:20 | 000,471,298 | ---- | C] () -- C:\WINDOWS\wallpg.exe
[2006/02/15 23:12:13 | 000,000,480 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/27 06:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/27 05:54:47 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2004/08/26 14:07:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/26 14:01:37 | 000,023,444 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/26 12:12:43 | 000,001,230 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/26 12:12:43 | 000,000,489 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 12:12:10 | 000,460,626 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/26 12:12:10 | 000,079,442 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/26 12:12:05 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/26 06:54:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/26 06:54:01 | 000,260,640 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
[color=#E56717]========== LOP Check ==========[/color]
 
[2011/01/07 16:54:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Altova
[2010/11/23 13:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/15 08:16:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/07/17 11:09:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/06/16 14:17:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2006/02/15 23:16:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/04/25 16:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sophos
[2009/06/16 14:38:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/02/15 23:18:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/06/16 19:04:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/06/03 23:34:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysadmin\Application Data\AVG9
[2011/04/10 21:33:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysadmin\Application Data\com.oxygenxml
[2011/04/09 14:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysadmin\Application Data\GetRightToGo
[2011/04/09 13:01:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysadmin\Application Data\ntr
[2006/02/15 23:23:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysadmin\Application Data\SampleView
[2011/04/08 03:28:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sysadmin\Application Data\TextPad
[2011/04/10 02:45:16 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\Tasks\FIMX.job
 
[color=#E56717]========== Purity Check ==========[/color]
 
 
 
[color=#E56717]========== Alternate Data Streams ==========[/color]
 
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914

< End of report >
-----------------------

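Pulling the indicators out of an OTL log like the one above by hand is slow and easy to get wrong, so here is an added example (Python; not OTL's own code and not the poster's) that applies a handful of rules a responder would use on exactly these sections: a Winlogon\Notify DLL with no publisher (itlnfw32.dll, created 2011/04/05), a read-only+hidden+system DLL in System32 (drmstorp.dll), a zero-byte driver (windrv.sys), a hidden+system scheduled task (FIMX.job), loose files dropped straight into All Users\Application Data (Nu3cKT46.dat, the .suspect file), and the alternate data stream on the TEMP folder. Entries that score under the threshold (hiberfil.sys, perfh009.dat, OTL.exe, the signed AVG hook) are left alone. The rule weights, the threshold of 3, the short hidden+system allowlist and the report date taken from the log header are this example's assumptions; the sample lines are copied from the log above.

```python
# Score the entries of an OTL (OldTimer) log that a responder would look at first.
# Added example for this thread; not part of OTL and not the poster's tooling.
import ntpath
import re
from datetime import datetime, timedelta

SYSTEM_ROOT = r"c:\windows"  # %SystemRoot% as reported in the Extras log header
PROGRAMDATA = r"c:\documents and settings\all users\application data"
KNOWN_HS = {r"c:\hiberfil.sys", r"c:\pagefile.sys", r"c:\boot.ini", r"c:\ntldr", r"c:\ntdetect.com"}
BINARY_EXTS = {".dll", ".exe", ".sys", ".ocx", ".drv", ".scr"}
REPORT_DATE = datetime(2011, 4, 12)  # "logfile created on: 4/12/2011" in the log header

# Line shapes OTL emits: "[ts | size | attrs | C/M] (Publisher) -- path", O20 hooks, ADS.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| [CM]\] (?:\((?P<pub>[^)]*)\) )?-- (?P<path>[A-Za-z]:\\.+)$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\\S+: DllName - \S+ - (?P<path>.+?) \((?P<pub>[^)]*)\)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<path>[^)]+)\) -\s+(?P<status>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - \d+ bytes -> (?P<path>.+)$")

WEIGHTS = {  # assumed: a strong indicator (3) stands alone, weak ones (1) have to stack up
    "winlogon_notify_unsigned": 3, "hidden_system": 3, "zero_byte_driver": 3, "alternate_data_stream": 3,
    "loose_programdata_file": 2, "appinit_dll_missing": 2,
    "no_publisher": 1, "system_binary": 1, "recent": 1,
}


def triage(lines, report_date=REPORT_DATE, window_days=30):
    """Return {lowercased path: {"path", "reasons", "score"}} for every entry that tripped a rule."""
    cutoff = report_date - timedelta(days=window_days)
    findings = {}

    def hit(path, *reasons):  # merge hits on the same path from different log sections
        entry = findings.setdefault(path.lower(), {"path": path, "reasons": set()})
        entry["reasons"].update(reasons)

    for raw in lines:
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            attrs, path = m["attrs"], m["path"]
            if attrs[3] == "D":  # directories: no publisher or size worth scoring
                continue
            low, ext = path.lower(), ntpath.splitext(path)[1].lower()
            reasons = []
            if datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S") >= cutoff:
                reasons.append("recent")
            if not (m["pub"] or "").strip():
                reasons.append("no_publisher")
            if low.startswith(SYSTEM_ROOT + "\\") and ext in BINARY_EXTS:
                reasons.append("system_binary")
            if attrs[1] == "H" and attrs[2] == "S" and low not in KNOWN_HS:
                reasons.append("hidden_system")
            if ext == ".sys" and int(m["size"].replace(",", "")) == 0:
                reasons.append("zero_byte_driver")
            if ntpath.dirname(low) == PROGRAMDATA:  # loose file in the ProgramData root
                reasons.append("loose_programdata_file")
            if reasons:
                hit(path, *reasons)
        elif (m := NOTIFY_RE.match(line)) and not m["pub"].strip():
            hit(m["path"], "winlogon_notify_unsigned")  # DLL loaded into winlogon.exe, no publisher
        elif (m := APPINIT_RE.match(line)) and "not found" in m["status"].lower():
            hit(m["path"], "appinit_dll_missing")  # stale injection hook pointing at a missing file
        elif (m := ADS_RE.match(line)):
            hit(m["path"], "alternate_data_stream")

    for entry in findings.values():
        entry["score"] = sum(WEIGHTS[r] for r in entry["reasons"])
    return findings


def suspicious(findings, threshold=3):
    """Entries whose combined score reaches the threshold, highest score first."""
    hits = [f for f in findings.values() if f["score"] >= threshold]
    return sorted(hits, key=lambda f: (-f["score"], f["path"].lower()))


# Lines copied from the OTL log posted above (a subset that exercises every rule).
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll) -  File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
[2011/04/12 01:07:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sysadmin\Desktop\OTL.exe
[2011/04/10 16:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sysadmin\Desktop\RK_Quarantine
[2011/04/11 22:10:21 | 2137,493,504 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/10 05:07:44 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Nu3cKT46.dat
[2011/04/10 02:45:16 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\FIMX.job
[2011/04/09 22:01:41 | 000,460,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/09 21:27:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\windrv.sys
[2011/04/08 14:40:40 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\drmstorp.dll
[2011/04/05 17:40:51 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/03/21 16:24:51 | 000,007,930 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\n64gp1we6i07o5y8s6j68jxcg7fuj0xm276p2jc36.suspect
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
""".strip().splitlines()


def demo():
    """Run the rules over SAMPLE_LOG and return the suspicious entries, best candidates first."""
    return suspicious(triage(SAMPLE_LOG))
```

`demo()` returns seven entries, each with the list of reasons that fired, so the reviewer sees why a path is on the list rather than a bare verdict. Lowering the threshold to 2 surfaces the older unsigned System32 DLLs from the full log (helphelp.dll, kwimage.dll) for a manual look without letting them outrank the hidden+system and zero-byte hits.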

grant-ellsworthAuthor Commented:
OTL Extras Log
---------------------
OTL Extras logfile created on: 4/12/2011 1:15:55 AM - Run 1
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Documents and Settings\sysadmin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 49.04 Gb Total Space | 17.90 Gb Free Space | 36.49% Space Free | Partition Type: NTFS
Drive D: | 6.83 Gb Total Space | 4.72 Gb Free Space | 69.13% Space Free | Partition Type: FAT32
 
Computer Name: JESSAMINE | User Name: sysadmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Extra Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== File Associations ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
 
[color=#E56717]========== Shell Spawning ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[color=#E56717]========== Security Center Settings ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[color=#E56717]========== System Restore Settings ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
[color=#E56717]========== Firewall Settings ==========[/color]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0
"DisableNotifications" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"2799:UDP" = 2799:UDP:*:Enabled:Altova License Metering Port (UDP)
"2799:TCP" = 2799:TCP:*:Enabled:Altova License Metering Port (TCP)
 
[color=#E56717]========== Authorized Applications List ==========[/color]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed
"C:\Program Files\Common Files\AOL\1140059874\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1140059874\EE\AOLServiceHost.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
 
 
[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{17DFE37C-064E-4834-AD8F-A4B2B4DF68F8}" = Adobe Photoshop Elements 8.0
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{32A3A4F4-B792-11D6-A78A-00B0D0150090}" = J2SE Development Kit 5.0 Update 9
"{32F66A20-7614-11D4-BD11-00104BD3F987}" = MathPlayer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{549514BF-2BDA-422B-9134-67B5A79C2487}" = NTRconnect
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = TIxx21
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{7166AC07-AD8D-409D-B482-61E5DFE42290}" = Eudora
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11170417}" = Luxor 2
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8BEB0766-3867-4236-A2ED-E86B90833263}" = SoftQuad XMetaL 3.0
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{938DB54D-B302-4594-A782-32219F1734AB}" = Canon Camera WIA Driver
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA53316F-C568-4069-9EFC-CA3D39E418A6}" = ICVERIFY User Manager
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AC76BA86-7AD7-5760-0000-705000000001}" = Adobe Reader Japanese Fonts
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DDF9EE-C67F-368B-EB42-ECB44FD7556D}" = Adobe Photoshop.com Inspiration Browser
"{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}" = ArcSoft PhotoImpression 5
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (ICV)
"{E472E5D2-410A-487D-8B30-241E92B06700}" = ICVERIFY for Windows 4.0
"8531-1278-6363-8538" = Oxygen XML Editor 12.1
"ActiveXControlPad" = Microsoft ActiveX Control Pad
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 8.0" = Adobe Photoshop Elements 8.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdobeESD" = Adobe Download Manager 2.2 (Remove Only)
"AVG9Uninstall" = AVG 9.0
"BigFix" = BigFix
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_0460107B" = Soft Data Fax Modem with SmartCP
"EPSON Printer and Utilities" = EPSON Printer Software
"FileZilla Client" = FileZilla Client 3.3.2
"GrabIt Pro 6.02" = GrabIt Pro 6.02
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{938DB54D-B302-4594-A782-32219F1734AB}" = Canon PowerShot S45 WIA Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1" = Adobe Photoshop.com Inspiration Browser
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"RealPlayer 6.0" = RealPlayer Basic
"Silent Package Run-Time Sample" = EPSON C88+ User's Guide
"SpyNoMore" = SpyNoMore 2.98
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Unlocker" = Unlocker 1.8.9
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinZip" = WinZip
 
[color=#E56717]========== Last 10 Event Log Errors ==========[/color]
 
[ Application Events ]
Error - 4/10/2011 5:40:40 PM | Computer Name = JESSAMINE | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
 processing.  HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
  Please contact Microsoft Product Support Services to report this erro
 
Error - 4/10/2011 5:40:41 PM | Computer Name = JESSAMINE | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
 CoCreateInstance.  hr = 0x80040206.
 
Error - 4/10/2011 7:25:27 PM | Computer Name = JESSAMINE | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
 processing.  HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
  Please contact Microsoft Product Support Services to report this erro
 
Error - 4/10/2011 7:25:27 PM | Computer Name = JESSAMINE | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
 CoCreateInstance.  hr = 0x80040206.
 
Error - 4/10/2011 8:39:47 PM | Computer Name = JESSAMINE | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
 processing.  HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
  Please contact Microsoft Product Support Services to report this erro
 
Error - 4/10/2011 8:39:47 PM | Computer Name = JESSAMINE | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
 CoCreateInstance.  hr = 0x80040206.
 
[ System Events ]
Error - 4/9/2011 9:39:37 PM | Computer Name = JESSAMINE | Source = Service Control Manager | ID = 7034
Description = The Google Update Service service terminated unexpectedly.  It has
 done this 1 time(s).
 
Error - 4/10/2011 1:15:39 AM | Computer Name = JESSAMINE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
 with DCOM within the required timeout.
 
Error - 4/10/2011 1:31:37 AM | Computer Name = JESSAMINE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
 with DCOM within the required timeout.
 
Error - 4/10/2011 2:26:15 AM | Computer Name = JESSAMINE | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
 the service) after the unexpected termination of the Windows Management Instrumentation
 service, but this action failed with the following error:   %%1056
 
Error - 4/10/2011 4:17:41 AM | Computer Name = JESSAMINE | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
 the service) after the unexpected termination of the Windows Management Instrumentation
 service, but this action failed with the following error:   %%1056
 
Error - 4/10/2011 11:36:33 AM | Computer Name = JESSAMINE | Source = TermDD | ID = 655410
Description = The RDP protocol component X.224 detected an error in the protocol
 stream and has disconnected the client.
 
Error - 4/11/2011 5:34:01 AM | Computer Name = JESSAMINE | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 LAUREL  that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F4E68B80-F5C5-4A21-A9.
 The master browser is stopping or an election is being forced.
 
Error - 4/11/2011 10:19:59 AM | Computer Name = JESSAMINE | Source = TermDD | ID = 655410
Description = The RDP protocol component X.224 detected an error in the protocol
 stream and has disconnected the client.
 
Error - 4/11/2011 11:12:30 AM | Computer Name = JESSAMINE | Source = TermDD | ID = 655410
Description = The RDP protocol component X.224 detected an error in the protocol
 stream and has disconnected the client.
 
Error - 4/11/2011 5:11:35 PM | Computer Name = JESSAMINE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   abp480n5  adpu160m  agp440  agpCPQ  Aha154x  aic78u2  aic78xx  AliIde  alim1541  amdagp  amsint  asc  asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
mraid35x
PCIIde
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde
 
 
< End of report >


rpggamergirlCommented:
There are many bad files/trojans showing in the OTL log.... I'd rather run ComboFix, as there may be TDL or a bootkit there as well and CF will auto-fix it.

See if ComboFix will run and post the log.
rpggamergirlCommented:
You need to uninstall AVG first before running ComboFix so it doesn't interfere with the scan.
grant-ellsworthAuthor Commented:
Couldn't I just turn off all AVG protections (disable the 2 visible services, etc.) instead of doing a full uninstall?

Can you cite for me a few of the bad files/trojans which show up in the logs?

Do you have any clues as to what process is restarting and revving up the svchost.exe instance? Is there any way to determine this from what we have?

Have we reached the point where rebuilding this victim from the bare metal would be a better use of time and get it done faster/sooner?
rpggamergirlCommented:
I prefer to use ComboFix as it creates a backup.

svchost.exe must've been loading the service "itlperf" that points to a file C:\WINDOWS\system32\itlpfw32.dll

The rest of the files are listed in the script.


Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. So it is best to download ERUNT first.

•Download ERUNT
http://www.larshederer.homepage.t-online.de/erunt/

•Double-click erunt_setup.exe to run.
•Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
•Say No to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later.

•Start ERUNT
•Choose a location for the backup
The default location C:\WINDOWS\ERDNT\[today's date] is preferred
•The first two check boxes are ticked by default (System registry and Current user registry).
•Press OK
•When prompted, click YES to create a new folder.
•Progress bars will show backup status.
•A confirmation window will popup when complete. Click OK to close.


--------------------------------------

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

----------------------------------------------------

:OTL
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
FF - prefs.js..extensions.enabledItems: {C2862851-E5BF-4B49-B937-E6C36B7BFC25}:1.9.1
FF - prefs.js..extensions.enabledItems: {624C9C8F-80F2-4274-89B4-B61FA600F5A6}:1.9.1
[2011/04/08 02:43:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/05 12:58:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\{C2862851-E5BF-4B49-B937-E6C36B7BFC25}
[2010/09/25 02:28:55 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\SYSADMIN\LOCAL SETTINGS\APPLICATION DATA\{624C9C8F-80F2-4274-89B4-B61FA600F5A6}
O4 - HKLM..\Run: [Hliqoq]  File not found
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
[2011/04/06 16:34:11 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mtecohofaf.dat
[2011/04/06 01:30:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xwifejuzakaxod.bin
[2011/04/05 17:40:51 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/03/21 16:24:51 | 000,007,930 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\n64gp1we6i07o5y8s6j68jxcg7fuj0xm276p2jc36.suspect
[2011/03/16 10:53:32 | 000,008,360 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3687413652
[2011/04/10 05:07:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Nu3cKT46.dat
[2011/04/05 17:40:51 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/03/21 16:22:58 | 000,007,930 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\n64gp1we6i07o5y8s6j68jxcg7fuj0xm276p2jc36.suspect
[2011/03/15 21:22:58 | 000,008,360 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3687413652
[2010/09/24 22:22:53 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mtecohofaf.dat
[2010/06/03 22:47:26 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2010/01/07 21:30:53 | 000,004,940 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914

:Services
SRV - [2011/04/05 17:40:51 | 000,215,552 | ---- | M] (Intel Corporation                                           ) [Auto | Running] -- C:\WINDOWS\system32\itlpfw32.dll -- (itlperf)

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
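An added triage example, not part of this thread and not code from OTL, ComboFix or any of the tools named here: the Python below parses OTL listing lines of the shape used in the script above and reports the entries a responder would look at first. It uses heuristics that are visible in that listing: hidden/system attributes (`-HS-`), an empty publisher field (`()`), a publisher string padded out with trailing whitespace, and a random-looking file name. The sample lines are copied from the script above (the padding inside the Intel Corporation field is shortened); the regular expression, heuristics and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One OTL file or service entry, e.g.
#   PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
#   SRV - [...] (Intel Corporation   ) [Auto | Running] -- C:\WINDOWS\system32\itlpfw32.dll -- (itlperf)
# Lines of other shapes (O4/O20 entries, ":OTL" headers, alternate data streams) do not match.
OTL_ENTRY = re.compile(
    r"^(?:(?P<kind>[A-Z]+) - )?"
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<flag>[MC])\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]+)\))?$"
)

# Sample input: lines taken from the OTL fix script in the post above.
SAMPLE_SCRIPT = r"""
:OTL
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
[2011/04/05 17:40:51 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/03/21 16:24:51 | 000,007,930 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\n64gp1we6i07o5y8s6j68jxcg7fuj0xm276p2jc36.suspect
[2011/03/16 10:53:32 | 000,008,360 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3687413652
:Services
SRV - [2011/04/05 17:40:51 | 000,215,552 | ---- | M] (Intel Corporation            ) [Auto | Running] -- C:\WINDOWS\system32\itlpfw32.dll -- (itlperf)
""".strip().splitlines()


@dataclass
class Finding:
    path: str
    size: int
    service: Optional[str]
    reasons: List[str]


def parse_otl_entry(line: str):
    """Fields of one OTL file/service entry as a dict, or None for any other line shape."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))  # "000,215,552" -> 215552
    return entry


def looks_random(stem: str) -> bool:
    """Heuristic: a long all-digit name, or a long name mixing letters and digits."""
    if len(stem) < 10:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return stem.isdigit() or (has_digit and has_alpha)


def assess(entry) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    if "H" in entry["attr"] or "S" in entry["attr"]:
        reasons.append("hidden/system attributes %s" % entry["attr"])
    company = entry["company"]
    if company == "":
        reasons.append("no publisher in version info")
    elif company != company.strip():
        # Legitimate version resources are not normally padded with blanks;
        # the padding is a heuristic, not proof.
        reasons.append("publisher string padded with whitespace")
    filename = entry["path"].rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append("random-looking file name")
    return reasons


def triage(lines) -> List[Finding]:
    """Parse every line, keep the entries with at least one reason, in input order."""
    findings = []
    for line in lines:
        entry = parse_otl_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry["path"], entry["size"], entry["service"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCRIPT):
        svc = " (service %s)" % f.service if f.service else ""
        print("%s%s\n    %s" % (f.path, svc, "; ".join(f.reasons)))
```

The clean control line (explorer.exe, signed by Microsoft, no odd attributes) produces no finding, so the output is only the entries worth checking by hash or in a sandbox. The heuristics are deliberately conservative; a file that passes them is not thereby clean, it simply did not stand out in the listing.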
grant-ellsworthAuthor Commented:
I may have fixed the problem and stomped the invader.
Here's what happened.
--------------------------
I got physical possession of the machine, which I did not have previously, and launched in Safe Mode.
I ran an AVG scan of the whole computer, which found several threats; I let AVG clear them all.
I ended Safe Mode, returning to the normal desktop. I launched Task Manager and checked for the run-amok svchost. After 5 mins of loading other commonly used programs, I ran RK, which also reported nothing. Not even a bad process stopped.
SVCHost instances were well-behaved - no RAM use above 31K.
It looked like the virus/invader was cured.
-------------------------
But this is not the end of the story.
Assuming the system was now stable, I launched the Firefox 4 installer to upgrade from Firefox 3.6 on this computer.
At the end of the install I saw a message about incompatibilities, which included AVG's LinkScanner.
When I clicked continue, all of a sudden I saw a bogus XP security window with all warnings lit up. When I closed that window, I saw an Antivirus Antimalware 2011 screen trying to delete a bunch of infected files. I tried to stop the program with right-click close on the taskbar and could not even get the popup menu. I'd right-click on a blank taskbar area and try to launch Task Manager - that failed. I manually powered down and restarted in Safe Mode command prompt.
------------------------------------------
Using the Safe Mode command prompt, I was able to launch Task Manager, regedit, mbam, AVG, and use CD to get to directories where pieces of this 2nd infection cycle were still residing. I also had to undo the damage done to the shell/open/command for exefile and .exe in HKEY_CLASSES_ROOT before I could finish cleaning this out. After I got done with the manual cleanout, I reran mbam - found nothing, RK at the desktop - found nothing, and the AVG Scanner - all in Safe Mode - AVG found itlnfw32.dll and sent it to the vault.

Later I ran HouseCall for a final checkout. HouseCall found about 9 minor threat files and 916 rootkits - all were hidden files and most looked like image filenames. HouseCall cleaned them all out.

In the process, I noticed that I still had a run-amok mem-eating svchost.exe.
I also found that this infection had a trademark 3-character process name (TTQ.EXE) which was likely random, like the "XP Home Security AntiMalware" rogue AV. This infection used the "All Users" area to house the Antivirus 2011.exe and the NetworkServices user area to hide the bogus security center (TTQ.EXE).

Unfortunately, when I wrote up the useful details in an EE post, I must have hit a key that launched another screen and I lost the full essay. So the details are lost in the fog of war.

The most perplexing thing is where the 2nd infection of Antivirus Antimalware 2011 was hiding and why installing Firefox 4 triggered the installation.

I want to thank all contributors - you really did give me the clues to identify the components of the problem. I want to think about how to distribute the points for a day or so while I verify that this patient is cured.
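The asker mentions having to repair the shell\open\command entries for exefile and .exe under HKEY_CLASSES_ROOT. As an added example, not part of this thread and not the asker's procedure, the Python below is the check a responder can run before and after cleanup to confirm that the .exe association is back to the Windows XP default (`.exe` → `exefile`, and `exefile\shell\open\command` → `"%1" %*`). The classification functions are pure so they can be exercised offline; the live registry read only runs on Windows, through the standard-library `winreg` module. The hijack value used in the usage note is a constructed placeholder, not a path from this machine.

```python
import sys
from typing import List, Optional, Tuple

# Windows XP defaults for the .exe file association:
#   HKCR\.exe                        (Default) = exefile
#   HKCR\exefile\shell\open\command  (Default) = "%1" %*
# A rogue-AV style hijack either repoints .exe at another ProgID or inserts its own
# launcher in front of "%1", so every program the user starts runs through it first.
EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'


def classify_progid(value: Optional[str]) -> Tuple[bool, str]:
    """Is the default value of HKCR\\.exe the stock ProgID?"""
    if value is None:
        return False, ".exe has no default ProgID"
    if value.strip().lower() == EXPECTED_PROGID:
        return True, "default"
    return False, ".exe points at ProgID %r instead of %r" % (value, EXPECTED_PROGID)


def classify_open_command(value: Optional[str]) -> Tuple[bool, str]:
    """Is the default value of HKCR\\exefile\\shell\\open\\command the stock launcher?"""
    if value is None:
        return False, "open command missing"
    v = value.strip()
    if v == EXPECTED_COMMAND:
        return True, "default"
    if '"%1"' in v and not v.startswith('"%1"'):
        # Something is being executed before the program the user double-clicked.
        return False, "another program is run before the target: %s" % v
    return False, "unexpected command: %s" % v


def audit(progid: Optional[str], command: Optional[str]) -> List[str]:
    """Human-readable problems for the pair of values; empty list means intact."""
    problems = []
    ok, note = classify_progid(progid)
    if not ok:
        problems.append(note)
    ok, note = classify_open_command(command)
    if not ok:
        problems.append(note)
    return problems


def read_live_values() -> Tuple[Optional[str], Optional[str]]:
    """Read both values from the live registry. Returns (None, None) off Windows."""
    if sys.platform != "win32":
        return None, None
    import winreg  # standard library on Windows only

    try:
        progid = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ".exe")
    except OSError:
        progid = None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
            command, _value_type = winreg.QueryValueEx(key, "")
    except OSError:
        command = None
    return progid, command


if __name__ == "__main__":
    if sys.platform == "win32":
        progid, command = read_live_values()
        problems = audit(progid, command)
        print("OK: .exe association is at the XP default" if not problems else "\n".join(problems))
    else:
        # Off Windows, show the classifier on a constructed hijack (placeholder path).
        print(audit("exefile", r'C:\PLACEHOLDER\rogue.exe "%1" %*'))
```

HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so if the merged values read clean but the symptom persists, the per-user branch under HKCU\Software\Classes is the next place to compare against the same defaults. Take a registry backup (ERUNT, as suggested earlier in the thread) before changing either value.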
younghvCommented:
@LeeTutor,
Based on the last comment from the Asker, he intended to return and assign points.
If that doesn't happen, I suggest:

http:#a35359129
http:#a35359782
http:#a35376560
grant-ellsworthAuthor Commented:
The malware breaker was being able to run the malware/antivirus s/w in Safe Mode command prompt. The RogueKiller showed me that I had to do this before doing anything else like ComboFix. Turns out that ComboFix was not necessary --- this time.
younghvCommented:
Sorry that you thought our assistance was so bad that you gave us the lowest grade possible.

"What's the right grade to give?"
http://www.experts-exchange.com/help.jsp#hs=29&hi=403

A "C" grade is normally only given when the Experts give up on the Asker; which was clearly not the case here.

All around, a very disappointing finish to an interesting problem.