Win32/Olmarik trojan - unable to clean [Solved]

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

Win32/Olmarik trojan - unable to clean [Solved]

#1 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 08:04 AM

NOD32 detects this Olmarik trojan in the operating memory, but it is unable to remove it.

Background:

A friend asked me if i would look at his computer, he had become infected with the SDRA64 trojan.
I removed it using the method described here http://pcanswers.techradar.com/blog/sdra64...menace-21-05-09 which seemed to work.I then ran MBAM with the latest updates which removed the lowsec remnant and a few e bots.
My friend was using Macafee AV, which i recommended he replace with nod32.He agreed and so nod32 was installed.
At boot up time the following message appears "Win32/Olmarik trojan in operating memory - unable to clean" and nod32 is unable to remove it.

I've tried spybot S&D, it picks up two instances (each) of PWS.LDPinchIE and Winn32Agent.chh and some other malware but half way through the scan the following message appears "Windows will shut down in "x" seconds Initiated by NT AUTHORITY SYSTEM.DCOM SERVER PROCESS LAUNCHER SERVICE TERMINATED UNEXPECTIDLY" and the computer reboots.NOTE the same shutdown message also appears when scanning with GMER.
MBAM does not setect any further entries.
The computer also reboots every 15 - 20 minutes.

Here are my logs after following your malware and spyware cleaning guide:

MBAM

Malwarebytes' Anti-Malware 1.44
Database version: 3667
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

31/01/2010 10:28:34
mbam-log-2010-01-31 (10-28-34).txt

Scan type: Quick Scan
Objects scanned: 185568
Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER (all i could get from it)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-31 12:15:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\C9E00~1.JYA\LOCALS~1\Temp\fgldrpog.sys

---- System - GMER 1.0.15 ----

SSDT 82ABAA70 ZwAssignProcessToJobObject
SSDT 82ABB5F0 ZwDebugActiveProcess
SSDT 82ABB020 ZwDuplicateObject
SSDT 82ABA1B0 ZwOpenProcess
SSDT 82ABA4B0 ZwOpenThread
SSDT 82ABAEB0 ZwProtectVirtualMemory
SSDT 82ABAD50 ZwSetContextThread
SSDT 82ABABD0 ZwSetInformationThread
SSDT 82AB7A90 ZwSetSecurityObject
SSDT 82ABA910 ZwSuspendProcess
SSDT 82ABA7B0 ZwSuspendThread
SSDT 82ABA340 ZwTerminateProcess
SSDT 82ABA640 ZwTerminateThread
SSDT 82ABB440 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 832FF369

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

OTL

OTL logfile created on: 31/01/2010 12:22:50 - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\C.J YATES\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 226.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 14.44 Gb Free Space | 51.68% Space Free | Partition Type: NTFS
Drive D: | 121.10 Gb Total Space | 121.05 Gb Free Space | 99.96% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.89 Gb Total Space | 1.78 Gb Free Space | 94.50% Space Free | Partition Type: FAT

Computer Name: RYANS
Current User Name: C.J YATES
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/31 09:53:16 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\C.J YATES\Desktop\OTL\OTL.exe
PRC - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/11/16 09:03:32 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/06/21 12:19:23 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/10/23 07:48:52 | 000,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/10/09 14:32:56 | 000,014,336 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/11/15 21:00:00 | 000,335,872 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2003/11/14 15:23:20 | 000,090,112 | ---- | M] (Sony Corporation) -- C:\Program Files\sony\giga pocket\RM_SV.exe
PRC - [2003/11/14 15:23:20 | 000,077,824 | ---- | M] (Sony Corporation) -- C:\Program Files\sony\giga pocket\shwserv.exe
PRC - [2002/08/20 10:29:26 | 000,040,960 | ---- | M] (Easy Systems Japan Ltd.) -- C:\WINDOWS\system32\ezSP_Px.exe
PRC - [2001/08/23 11:23:10 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe

========== Modules (SafeList) ==========

MOD - [2010/01/31 09:53:16 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\C.J YATES\Desktop\OTL\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/11/16 09:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/06/21 12:19:23 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/10/23 07:48:52 | 000,303,104 | ---- | M] (Motive Communications, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/10/09 14:32:56 | 000,014,336 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2003/11/14 19:17:38 | 000,966,656 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\sony\giga pocket\GPVSvr.exe -- (VAIOMediaPlatform-VideoServer-AppServer)
SRV - [2003/11/14 15:24:06 | 000,118,784 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\sony\giga pocket\halsv.exe -- (Sony TV Tuner Controller)
SRV - [2003/11/14 15:23:20 | 000,090,112 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\sony\giga pocket\RM_SV.exe -- (Sony TV Tuner Manager)
SRV - [2003/11/14 15:23:20 | 000,077,824 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\sony\giga pocket\shwserv.exe -- (Giga Pocket Hardware Detector)
SRV - [2003/10/21 10:48:08 | 000,679,936 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe -- (VAIOMediaPlatform-VideoServer-UPnP) VAIO Media Video Server (UPnP)
SRV - [2003/10/21 10:48:08 | 000,679,936 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe -- (VAIOMediaPlatform-PhotoServer-UPnP) VAIO Media Photo Server (UPnP)
SRV - [2003/10/21 10:48:08 | 000,679,936 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe -- (VAIOMediaPlatform-MusicServer-UPnP) VAIO Media Music Server (UPnP)
SRV - [2003/09/19 21:29:14 | 000,540,749 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\sony\vaio media music server\SSSvr.exe -- (VAIOMediaPlatform-MusicServer-AppServer)
SRV - [2003/08/18 16:56:00 | 000,077,824 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 17:31:14 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe -- (SPTISRV)
SRV - [2003/06/24 10:08:06 | 000,860,160 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe -- (VAIOMediaPlatform-PhotoServer-AppServer)
SRV - [2003/06/23 13:42:30 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe -- (VAIOMediaPlatform-VideoServer-HTTP) VAIO Media Video Server (HTTP)
SRV - [2003/06/23 13:42:30 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe -- (VAIOMediaPlatform-PhotoServer-HTTP) VAIO Media Photo Server (HTTP)
SRV - [2003/06/23 13:42:30 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe -- (VAIOMediaPlatform-MusicServer-HTTP) VAIO Media Music Server (HTTP)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.live.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/04/29 14:26:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/21 12:19:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/01/30 12:29:40 | 000,000,000 | ---D | M]

[2009/04/29 14:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\Mozilla\Extensions
[2009/04/29 14:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\Mozilla\Firefox\Profiles\d204h95d.default\extensions
[2009/06/21 12:19:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/04 15:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 15:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 19:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 15:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/01/30 17:47:19 | 000,377,755 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13022 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IObitCom Toolbar) - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll (Conduit Ltd.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (IObitCom Toolbar) - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (IObitCom Toolbar) - {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - C:\Program Files\IObitCom\tbIObi.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: sony-europe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sonystyle-europe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: vaio-link.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: 61 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1176386643750 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_01)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tehlink0: DllName - tehlink0.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\C.J YATES\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\C.J YATES\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/01 16:43:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{84001070-5b33-11de-8bba-000ea65c80e3}\Shell - "" = AutoRun
O33 - MountPoints2\{84001070-5b33-11de-8bba-000ea65c80e3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{84001070-5b33-11de-8bba-000ea65c80e3}\Shell\AutoRun\command - "" = J:\setup_vmc_lite.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/12/01 16:38:55 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

[2010/01/31 11:32:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/31 11:31:10 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/31 11:19:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\TFC
[2010/01/31 11:19:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\ERUNT
[2010/01/31 10:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\RootRepeal
[2010/01/31 10:46:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\OTL
[2010/01/31 10:46:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\GMER Rootkit Scanner
[2010/01/30 17:09:35 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/01/30 17:09:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/01/30 17:08:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\Trend Micro HijackThis 2.0.2
[2010/01/30 17:08:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\Spybot - Search & Destroy 1.6.2
[2010/01/30 17:08:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Desktop\Ad-Aware Free Anti-Malware 8.1.3
[2010/01/30 12:29:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/01/30 09:28:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/01/22 21:06:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Local Settings\Application Data\Conduit
[2010/01/22 21:06:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\C.J YATES\Local Settings\Application Data\IObitCom
[2010/01/22 15:05:30 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/01/22 15:05:28 | 000,000,000 | ---D | C] -- C:\Program Files\IObitCom
[2009/12/02 13:19:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/11/28 14:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/11/13 10:35:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/07/31 07:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/17 11:41:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Vodafone
[2009/03/29 14:48:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/03/29 14:48:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2009/03/29 14:48:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2008/11/23 12:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Sony Corporation
[2007/04/12 15:55:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/12/01 16:43:44 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/12/01 16:43:44 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/31 12:17:46 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/31 12:17:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/31 12:17:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/31 12:17:22 | 536,268,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/31 12:16:13 | 007,864,320 | ---- | M] () -- C:\Documents and Settings\C.J YATES\ntuser.dat
[2010/01/31 12:16:13 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\C.J YATES\ntuser.ini
[2010/01/31 12:15:57 | 006,451,598 | -H-- | M] () -- C:\Documents and Settings\C.J YATES\Local Settings\Application Data\IconCache.db
[2010/01/31 11:56:01 | 000,000,992 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3603931759-637771645-3647106734-1005UA.job
[2010/01/31 11:34:22 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\AWC Update.job
[2010/01/31 11:31:15 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\C.J YATES\Desktop\NTREGOPT.lnk
[2010/01/31 11:31:15 | 000,000,596 | ---- | M] () -- C:\Documents and Settings\C.J YATES\Desktop\ERUNT.lnk
[2010/01/31 10:38:37 | 000,000,544 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/31 10:38:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/31 10:38:37 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/01/31 10:15:50 | 000,000,959 | ---- | M] () -- C:\Documents and Settings\C.J YATES\Desktop\Spybot - Search & Destroy.lnk
[2010/01/30 17:47:19 | 000,377,755 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/27 14:56:00 | 000,000,940 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3603931759-637771645-3647106734-1005Core.job
[2010/01/22 20:34:10 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\Class11
[2010/01/22 20:34:10 | 000,000,005 | ---- | M] () -- C:\WINDOWS\System32\Band4
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/31 11:31:15 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\C.J YATES\Desktop\NTREGOPT.lnk
[2010/01/31 11:31:15 | 000,000,596 | ---- | C] () -- C:\Documents and Settings\C.J YATES\Desktop\ERUNT.lnk
[2010/01/30 17:09:49 | 000,000,959 | ---- | C] () -- C:\Documents and Settings\C.J YATES\Desktop\Spybot - Search & Destroy.lnk
[2010/01/22 21:29:36 | 536,268,800 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/22 20:34:10 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\Class11
[2009/10/22 06:12:28 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/09/22 13:21:34 | 000,127,092 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2008/08/20 15:45:46 | 000,020,270 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceInstaller.xml
[2008/07/07 10:08:41 | 000,000,312 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/02/13 14:07:23 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2006/07/31 15:00:40 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/07/21 18:16:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2005/06/29 10:13:26 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDER300Euro.ini
[2004/03/10 21:15:05 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\C.J YATES\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/12/23 14:00:29 | 000,001,295 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2003/12/23 13:55:59 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2003/12/23 13:54:29 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\ASFV2.DLL
[2003/12/23 13:53:44 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2003/12/02 14:50:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/12/01 16:46:25 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/12/01 15:30:21 | 000,002,698 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/11/15 20:38:02 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2003/03/28 12:34:12 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\cbldrm.dll
[2003/02/03 04:26:18 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2009/03/06 12:08:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Birdstep Technology
[2010/01/30 12:29:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2008/08/15 17:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MCA14.tmp
[2005/06/29 10:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2008/11/05 13:05:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/09/08 12:50:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
[2008/08/07 14:59:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\Image Zone Express
[2006/08/21 13:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\InterVideo
[2009/02/26 10:50:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\IObit
[2004/03/28 11:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\Template
[2009/06/17 11:41:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\C.J YATES\Application Data\Vodafone
[2010/01/31 11:34:22 | 000,000,396 | ---- | M] () -- C:\WINDOWS\Tasks\AWC Update.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2007/04/12 15:05:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/10/30 13:46:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2007/04/12 15:05:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/10/30 13:46:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/10/15 06:09:17 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 06:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 12:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2007/04/12 15:05:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/10/30 13:46:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2003/03/31 12:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2007/04/12 15:05:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/10/30 13:46:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/10/15 06:09:17 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331958$\atapi.sys
[2003/03/31 12:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2010/01/25 15:56:05 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/01/25 15:56:05 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 07:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >

EXTRAS

OTL Extras logfile created on: 31/01/2010 12:22:50 - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\C.J YATES\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 226.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 14.44 Gb Free Space | 51.68% Space Free | Partition Type: NTFS
Drive D: | 121.10 Gb Total Space | 121.05 Gb Free Space | 99.96% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.89 Gb Total Space | 1.78 Gb Free Space | 94.50% Space Free | Partition Type: FAT

Computer Name: RYANS
Current User Name: C.J YATES
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirstRunDisabled" =
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0E3F1A40-3104-4C76-8A2D-2CC2ED414BD1}" = ISP Selector
"{109D28C7-FB38-483A-9C91-001CB59E2699}" = EPSON CardMonitor
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1D057E97-A116-4BF9-B307-83C3FBD86515}" = VAIO Clock Screen Saver
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 2.5
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2366D960-F00F-11D3-99D3-00C04FCCB775}" = VAIO System Information
"{23B59B9F-C360-11D7-875B-0090CC005647}" = PIF DESIGNER2.1
"{23B59ED4-C360-11D7-875B-0090CC005647}" = EPSON PRINT Image Framer Tool2.1
"{23F20D6B-F211-486F-93DA-DA68AF7FE55F}" = WWTBAM 2nd Edition
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{2D9D1CE4-8C3D-469A-9894-0857B6C9F426}" = VAIO Media Setup 2.5
"{3147661C-2807-49EC-B971-3B0F23D95018}" = VAIO DeepSea Wallpaper
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3559D7E5-6307-4EEE-B3CD-A488FE64A9FA}" = ArcSoft PhotoBase 4.5
"{3560CE5A-C4EF-4DB0-9ECC-BA035FE309C5}" = MSN Toolbar
"{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}" = Music Visualizer Library 1.4.00
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4C75086F-7753-41B9-8B4C-F38DE6CC8C20}" = VAIO Remote Commander Utility 6.2
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4D1D6640-CD43-4AD9-A52F-E48265DB28E0}" = VAIO BrightColor Wallpaper
"{5F2CE2DD-5119-4860-9E46-6A0129A34FF1}" = Giga Pocket Demo Movie
"{5FA1C51C-6E35-42C1-B2EC-DC9FA1E20694}" = OpenMG Secure Module 3.3.01
"{63C6BABD-0BF7-488B-9AB5-B989E23CC581}" = VAIO Media Video Server 2.5
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65F5B7AF-3363-11D7-BB6B-00018021113F}" = EPSON PhotoQuicker3.5
"{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VOR
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6864ABC3-A982-436B-BEF1-5652D6303361}" = ESET NOD32 Antivirus
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony Video Shared Library
"{6E945031-37AA-4F35-BBD1-E378D62B5DA0}" = ArcSoft Panorama Maker 3
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 2.5
"{7148F0A8-6813-11D6-A77B-00B0D0142010}" = Java 2 Runtime Environment, SE v1.4.2_01
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage 1.6.00
"{761C9026-14F0-4352-8658-934558272404}" = VAIO Edit Components
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7C2F71B2-6C73-11D6-B659-00C04F790F76}" = Click to DVD 1.3
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{88DA0A52-3372-4803-971A-ADFB961707E8}" = PictureGear Studio 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{9080C5D2-82FA-452A-87FA-CBB4B05D67A5}" = VPS
"{93B80FB1-7A23-11D3-B250-00105A1F4184}" =
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C48817E7-AA05-4151-A99D-1E1E550CE801}" = EPSON PhotoStarter3.1
"{C656142F-EFE1-44CD-BFAD-6CBC6DCB9860}" = Vodafone Mobile Connect Lite
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4A90BFA-C75E-420A-BB00-D54C82A5A245}" = Giga Pocket 5.5
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DDC146FA-73E0-4FA1-A353-841EA14BF600}" = Drag'n Drop CD+DVD
"{DF0DD6E9-F673-4466-8353-70B50A506FD9}" = VAIO Media Platform 2.5
"{DF733005-0F40-11D6-9254-0000F460E7A9}" = VAIO Media Music Server 2.5
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E5E6E687-1033-BA7E-6000-000000000001}" = Adobe Acrobat Elements 6.0
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6587A1E-A87D-4CF9-9BA6-CE2CEB58950E}" = VAIO Media Photo Server 2.5
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F898AB3C-792E-4351-B3E8-4958BAA8E101}" = Giga Pocket Hardware Library 5.5
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"Ad-Aware SE Professional" = Ad-Aware SE Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BT Business Broadband Desktop Help" = BT Business Broadband Desktop Help
"BT Wireless Connection Manager" = BT Wireless Connection Manager
"BTBusinessHub" = BTBusinessHub
"CCleaner" = CCleaner (remove only)
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"ESPR300 Reference Guide" = ESPR300 Reference Guide
"ESPR300 Software Guide" = ESPR300 Software Guide
"ESPR300 Standalone Guide" = ESPR300 Standalone Guide
"'Full Speed' Internet Booster + Performance Tests3.3t" = 'Full Speed' Internet Booster + Performance Tests
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0E3F1A40-3104-4C76-8A2D-2CC2ED414BD1}" = ISP Selector (English)
"InstallShield_{668B1BD6-4593-4959-970E-249AFFE6F35C}" = VAIO Online Registration (English)
"InstallShield_{9080C5D2-82FA-452A-87FA-CBB4B05D67A5}" = VAIO Product Survey (English)
"IObitCom Toolbar" = IObitCom Toolbar
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Uninstall Utility" = McAfee Uninstall Wizard
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MoodLogic" = MoodLogic
"MouseSuite98" = Sony USB Mouse
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nuclear Motocross_is1" = Nuclear Motocross
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Photo To Sketch_is1" = Photo To Sketch 3.51
"PhotoToolkit_is1" = Photo! Editor 1.1
"PROSet" = Intel® PRO Network Adapters and Drivers
"QuickTime" = QuickTime
"Red Alert 2" = Command & Conquer Red Alert 2
"Tiberian Sun" = Command & Conquer Tiberian Sun
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WOLAPI" = Westwood Shared Internet Components
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 31/01/2010 07:35:33 | Computer Name = RYANS | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 31/01/2010 08:08:55 | Computer Name = RYANS | Source = ESENT | ID = 489
Description = wuauclt (3588) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 31/01/2010 08:08:55 | Computer Name = RYANS | Source = ESENT | ID = 455
Description = wuaueng.dll (3588) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 31/01/2010 08:09:05 | Computer Name = RYANS | Source = ESENT | ID = 489
Description = wuauclt (3588) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 31/01/2010 08:09:05 | Computer Name = RYANS | Source = ESENT | ID = 455
Description = wuaueng.dll (3588) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 31/01/2010 08:09:17 | Computer Name = RYANS | Source = ESENT | ID = 489
Description = wuauclt (3640) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 31/01/2010 08:09:17 | Computer Name = RYANS | Source = ESENT | ID = 455
Description = wuaueng.dll (3640) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 31/01/2010 08:09:27 | Computer Name = RYANS | Source = ESENT | ID = 489
Description = wuauclt (3640) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 31/01/2010 08:09:27 | Computer Name = RYANS | Source = ESENT | ID = 455
Description = wuaueng.dll (3640) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 31/01/2010 08:17:40 | Computer Name = RYANS | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

[ System Events ]
Error - 26/01/2010 15:13:12 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 27/01/2010 02:05:35 | Computer Name = RYANS | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 27/01/2010 02:08:21 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 27/01/2010 09:59:35 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 27/01/2010 10:09:17 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 27/01/2010 12:48:46 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 28/01/2010 03:08:48 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 29/01/2010 02:02:57 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 29/01/2010 03:19:11 | Computer Name = RYANS | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 31/01/2010 07:04:43 | Computer Name = RYANS | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer EPSON Stylus Photo R300 Series
share name EPSON Stylus Photo R300 Series.

< End of report >

The PC is a mess but i really hope you can help me with this problem.
Many thanks in advance.

Shrimp.

#2 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 08:22 AM

Hi and :

:

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 08:50 AM

Many thanks for getting back to me so quickly.

Here is the combofix log:

ComboFix 10-01-30.05 - C.J YATES 31/01/2010 14:36:02.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.260 [GMT 0:00]
Running from: c:\documents and settings\C.J YATES\Desktop\ComboFix\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{C005E515-EC90-4758-89AB-497FEC9F7889}\setup.msi
C:\s
c:\windows\ie-hook.txt
c:\windows\system32\11478.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\config\systemprofile\Desktop\Internet Security 2010.lnk
c:\windows\system32\config\systemprofile\Start Menu\Internet Security 2010.lnk

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-31 14:36 . 2010-01-31 14:36 -------- d-----w- c:\documents and settings\C.J YATES\Local Settings\Application Data\ESET
2010-01-31 11:31 . 2010-01-31 11:31 -------- d-----w- c:\program files\ERUNT
2010-01-30 19:17 . 2010-01-30 19:17 -------- d-----w- c:\documents and settings\RYAN\Local Settings\Application Data\Conduit
2010-01-30 19:17 . 2010-01-30 19:17 -------- d-----w- c:\documents and settings\RYAN\Local Settings\Application Data\IObitCom
2010-01-30 17:09 . 2010-01-30 17:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 17:09 . 2010-01-30 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-30 12:29 . 2010-01-30 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-01-22 21:25 . 2010-01-22 21:25 -------- d-sh--w- c:\documents and settings\Administrator.RYANS.000\IETldCache
2010-01-22 21:06 . 2010-01-22 21:06 -------- d-----w- c:\documents and settings\C.J YATES\Local Settings\Application Data\Conduit
2010-01-22 21:06 . 2010-01-30 17:21 -------- d-----w- c:\documents and settings\C.J YATES\Local Settings\Application Data\IObitCom
2010-01-22 15:05 . 2010-01-22 15:05 -------- d-----w- c:\program files\Conduit
2010-01-22 15:05 . 2010-01-22 15:05 -------- d-----w- c:\documents and settings\R. YATES\Local Settings\Application Data\Conduit
2010-01-22 15:05 . 2010-01-22 20:29 -------- d-----w- c:\documents and settings\R. YATES\Local Settings\Application Data\IObitCom
2010-01-22 15:05 . 2010-01-22 15:05 -------- d-----w- c:\program files\IObitCom
2010-01-22 14:48 . 2010-01-22 15:05 -------- d-----w- c:\documents and settings\R. YATES\Application Data\IObit
2010-01-15 17:55 . 2010-01-15 17:55 -------- d-----w- c:\documents and settings\R. YATES\Application Data\Arcsoft
2010-01-15 14:30 . 2010-01-15 14:31 -------- d-----w- c:\documents and settings\Administrator
2010-01-13 06:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 18:44 . 2010-01-12 18:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-12 18:43 . 2010-01-12 18:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Vodafone
2010-01-07 15:44 . 2010-01-07 15:44 -------- d-----w- c:\documents and settings\R. YATES\Application Data\Malwarebytes
2010-01-06 19:32 . 2010-01-06 19:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-06 19:29 . 2010-01-12 18:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-06 18:44 . 2010-01-06 18:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 17:38 . 2008-08-09 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-30 12:29 . 2007-04-12 16:13 -------- d-----w- c:\program files\ESET
2010-01-30 11:35 . 2008-08-09 11:58 -------- d-----w- c:\program files\McAfee.com
2010-01-25 15:56 . 2003-12-02 08:51 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-22 16:46 . 2009-12-12 16:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 14:31 . 2010-01-08 16:49 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-20 12:51 . 2008-04-13 08:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-15 17:51 . 2004-03-10 21:34 -------- d-----w- c:\documents and settings\R. YATES\Application Data\AdobeUM
2010-01-07 16:07 . 2009-12-12 16:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 14:54 . 2009-12-12 16:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2006-06-23 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-12 16:16 . 2009-12-12 16:16 -------- d-----w- c:\documents and settings\C.J YATES\Application Data\Malwarebytes
2009-12-12 16:15 . 2009-12-12 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 15:51 . 2003-12-01 15:29 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 09:06 . 2009-11-16 09:06 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-11-16 09:03 . 2009-11-16 09:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 08:56 . 2009-11-16 08:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-04 16:54 . 2009-11-27 18:35 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 16:54 . 2009-11-27 18:35 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 16:54 . 2009-11-27 18:35 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 16:54 . 2009-11-04 16:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-04 16:53 . 2009-11-27 18:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-04 16:49 . 2010-01-22 15:05 635664 ----a-w- c:\documents and settings\R. YATES\Application Data\IObit\Common\TB_Helper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2009-11-09 18:38 2331672 ----a-w- c:\program files\IObitCom\tbIObi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"Mouse Suite 98 Daemon"="ICO.EXE" [2001-08-23 45056]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-18 4841472]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk
backup=c:\windows\pss\Remocon Driver.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-05-23 09:43 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2009-02-10 15:53 1548288 ----a-w- c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
2009-02-10 15:54 1516032 ----a-w- c:\program files\BT Business Broadband Desktop Help\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
2003-08-08 18:54 1175552 ----a-w- c:\program files\drag'n drop cd+dvd\BinFiles\DragDrop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 10:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-02 12:45 133104 ----atw- c:\documents and settings\C.J YATES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2008-10-09 14:33 2086912 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2003-12-23 13:43 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16/11/2009 09:03 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [16/11/2009 09:06 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 09:04 735960]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/05/2009 15:39 54752]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 14:32 14336]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3603931759-637771645-3647106734-1005Core.job
- c:\documents and settings\C.J YATES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-02 12:45]

2010-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3603931759-637771645-3647106734-1005UA.job
- c:\documents and settings\C.J YATES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-02 12:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
FF - ProfilePath - c:\documents and settings\C.J YATES\Application Data\Mozilla\Firefox\Profiles\d204h95d.default\
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 14:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\sony\giga pocket\shwserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\sony\giga pocket\RM_SV.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-31 14:48:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-31 14:48

Pre-Run: 15,282,061,312 bytes free
Post-Run: 15,261,089,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8581CDD43A9497E3584D8761BF0630C4

#4 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 08:57 AM

OK the redirects should have gone now - so lets look for remnants

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#5 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 09:14 AM

Thank you Essexboy.

OTS.Txt (114.51K)
Number of downloads: 76

#6 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 09:41 AM

OK that looks good - what problems do you have now ?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\] > -> HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\] > -> HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Please update and do a new scan with Malwarebytes and post the resultant log please

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#7 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 10:03 AM

Ok, i think it's looking good this end.
NOD32 isn't kicking any alerts out at start up.
The pc hasn't rebooted except when it applied the OTS fix.

OTS LOG:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry value HKEY_USERS\S-1-5-21-3603931759-637771645-3647106734-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.RYANS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.RYANS.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: C.J YATES
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: cj.yates@btconect.co
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner

User: R. YATES
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: RYAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Ryan yates
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: RYANS PC SECTOR
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 01312010_154838

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

MBAM LOG:

Malwarebytes' Anti-Malware 1.44
Database version: 3668
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

31/01/2010 15:56:48
mbam-log-2010-01-31 (15-56-48).txt

Scan type: Quick Scan
Objects scanned: 171195
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detect

Hopefully it's now clean.

I'm also going to do a full scan with NOD32 and spybot S&D.

Many thanks, you do great work here.

Shrimp.

#8 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 10:11 AM

Cool

If you can let me know the result on completion - subject to all being well, I will remove my tools and tidy up

#9 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 10:42 AM

Please dont put them away yet

Nod32 is flagging up an intrusion.

Bear with me, NOD is still finishing the scan, will post deails asap.

#10 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 10:45 AM

OK we will see where it is first - as it may be in system restore

#11 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 10:58 AM

Nod32 has flagged up the following:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.RF virus No action
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\9687253-79d96f56 multiple threats No action

I set it for no action just in case you wished to go another route as far as cleaning.

#12 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 11:12 AM

OK the first is safely tucked away in combofixes quarantine

For the second you will just need to clear your Java cache

As you go through the procedure - on the second picture is an option to set the size of the Java cache, select Maximum and then type in 0 (zero) that way they will not be saved to disc

How is the computer behaving now ?

#13 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 11:21 AM

Its not showing a maximum or minimum, there's just a slider bar for disc space and the minimum i can enter is 1Mb.
I went to update to the latest java but i get a notice that the available files failed to download.

#14 Essexboy

Group: GeekU Moderator
Posts: 55,594
Joined: 31-May 06

Posted 31 January 2010 - 11:45 AM

Lots of problems with Java just lately

OK download and run this programme

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.

Then going to add/remove programs within control panel, uninstall java
Re- run Javara

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 18.
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u18-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u18-windows-i586-p.exe and select "Run as an Administrator.")

#15 Shrimp

Group: Member
Posts: 10
Joined: 31-January 10

Posted 31 January 2010 - 01:15 PM

Thank you Essexboy, will do as you say.

Incidentally SB S&D found a sysguard fraud entry which it hopefully has removed (its checking files from reboot as i type)

I'm going to recommend that he install Eset internet suite as precaution against further attacks.Could i ask your opinion on my choice?I currently run it on my dual boot XP64/Win7 64 bit system and it has served me well but i wont be offended in any way if you recommend anything else

Once SB S&D has finished im going to do a few rescans (just to be on the safe side)

Will report back any further problems i encounter by Tuesday latest.

Once again many thanks, you have done a great job

Back to Virus, Spyware, Malware Removal

Share this topic:

2 Pages
1
2
→

Please log in to reply

Win32/Olmarik trojan - unable to clean [Solved] - Geeks to Go Forums