Win32/Zbot.G - Geeks to Go Forums


Win32/Zbot.G Help This is taking over my laptop

#1 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 10 March 2011 - 02:13 PM

Hi,

Please could somebody advise me how I go about removing this nuisance of a virus.

Many Thanks In Advance

OB

#2 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 14 March 2011 - 01:12 PM

Hi :D My name is Michael and I am here to help you fix your computer. ;)
If you have already received help elsewhere please inform me so that this topic can be closed.
If you haven't, please keep reading:
Note: Before we start the process you should:
  • POST your logs, don't attach them, as it makes it harder to read.
  • Save or print these instructions as a part of the fix will be in safe mode where you will not be able to access the internet.
  • Disable ANY programs that offer real-time protection features while executing my instructions. That includes your antivirus, antispyware, Windows Defender or any other program that offers protection. When you're clean or waiting for my next set of instructions, re-enable them. If you need any help disabling them, ask.
  • Each time I instruct you to download a file to use it, please do it even if I have told you before to download it again. This is because these tools are frequently updated to detect newer infections.
  • Last, as most of the tools we use here need administrative rights in order to function properly, I expect that you will be running them from an administrator account.



You should really tell us more. We can't work with so little information.
Please read this guide and post the requested information here. If you can't run programs like OTL, just report it here and we'll see what to do :D

#3 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 14 March 2011 - 02:07 PM

Hi,

Thanks for getting back to me! Yes, I still need help. Please see the OTL scan. I hope this is all that's required for now. OB


OTL logfile created on: 14/03/2011 19:45:17 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = F:\Virus Tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

702.00 Mb Total Physical Memory | 177.00 Mb Available Physical Memory | 25.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 17.47 Gb Free Space | 46.89% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 7.47 Gb Total Space | 1.91 Gb Free Space | 25.59% Space Free | Partition Type: FAT32

Computer Name: SARAHSLAPTOP | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/14 19:37:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\Virus Tools\OTL.exe
PRC - [2011/02/25 17:14:52 | 002,004,480 | ---- | M] () -- C:\Program Files\SpyDig\spydig.exe
PRC - [2010/11/24 19:58:09 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/11/24 19:57:50 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/11/24 19:57:16 | 001,047,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgupd.exe
PRC - [2010/10/03 23:43:16 | 001,266,920 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/09/23 19:04:19 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/09/23 19:04:19 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/09/23 19:04:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/09/23 19:04:13 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/30 14:08:26 | 000,486,216 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
PRC - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2006/06/20 12:42:44 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/11/10 01:44:00 | 000,557,056 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe


========== Modules (SafeList) ==========

MOD - [2011/03/14 19:37:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\Virus Tools\OTL.exe
MOD - [2010/10/03 23:43:42 | 000,431,336 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Unknown | Stopped] -- -- (McTaskManager)
SRV - File not found [Unknown | Stopped] -- -- (McShield)
SRV - File not found [Unknown | Stopped] -- -- (McAfeeFramework)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/09/23 19:04:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/09/14 21:13:34 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2009/10/30 14:01:00 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)


========== Driver Services (SafeList) ==========

DRV - [2011/03/02 21:30:36 | 000,055,224 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys -- (RapportCerberus_23945)
DRV - [2011/02/16 20:09:15 | 000,018,872 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys -- (RapportIaso)
DRV - [2010/12/30 10:54:06 | 000,034,736 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RKHit.sys -- (RkHit)
DRV - [2010/10/03 23:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/10/03 23:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2010/09/23 19:04:20 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/09/23 19:04:19 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/09/23 19:04:14 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/10/14 06:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2007/01/28 17:21:57 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/06/27 00:42:14 | 003,972,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/11/10 01:47:00 | 000,922,148 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/05/05 00:08:38 | 000,463,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/01/14 14:22:54 | 000,005,504 | ---- | M] (EnE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr)
DRV - [2004/08/03 22:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2003/09/05 06:47:22 | 000,514,859 | ---- | M] (Digital Camera) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Ca536av.sys -- (Ca536av) Icatch(VII)
DRV - [2003/07/01 18:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/05/14 10:28:14 | 000,011,048 | ---- | M] (USB BULK) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Bulk536.sys -- (USBCamera) Icatch(VII)
DRV - [2001/10/18 09:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys -- (ViaIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/09/14 20:38:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [spydig.exe] C:\Program Files\SpyDig\spydig.exe ()
O4 - HKCU..\RunOnce: [Shockwave Updater] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:49:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 12:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2011/03/14 19:46:42 | 000,000,003 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 20:50:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpyDig
[2011/03/10 20:50:25 | 000,000,000 | ---D | C] -- C:\Program Files\SpyDig
[2011/03/10 19:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/03/10 19:23:29 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
[2011/03/09 22:14:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/09 22:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/03/02 21:34:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Sarah\Recent
[2011/03/02 21:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/03/02 20:24:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE
[2011/03/02 20:24:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/02 20:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/02 19:48:36 | 000,000,000 | ---D | C] -- C:\rei
[2011/03/02 19:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2011/03/02 19:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/02 19:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/02/27 09:33:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300

========== Files - Modified Within 30 Days ==========

[2011/03/14 20:02:20 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Automatic troubleshooting.job
[2011/03/14 20:00:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/14 19:43:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/14 19:41:58 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/14 19:41:38 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/14 19:41:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/14 19:41:19 | 736,260,096 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/10 21:07:09 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/10 20:50:59 | 000,000,022 | ---- | M] () -- C:\WINDOWS\tpcsd
[2011/03/10 19:24:23 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
[2011/03/10 19:13:13 | 000,002,290 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Google Chrome.lnk
[2011/03/10 19:13:13 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/10 18:34:00 | 072,356,956 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/03/09 22:06:00 | 000,001,921 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/09 21:24:24 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
[2011/03/08 18:00:01 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2011/03/07 22:39:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/02 21:32:33 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/23 11:14:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/10 21:05:57 | 736,260,096 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/10 20:50:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
[2011/03/10 20:50:26 | 000,034,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\RKHit.sys
[2011/03/09 22:06:00 | 000,001,921 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/02 21:32:33 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/03/02 19:40:04 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/14 21:03:37 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/09/14 20:22:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:22:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:22:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:22:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:22:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 17:34:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OHcllLr.dat
[2009/10/10 21:51:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\LOGO.INI
[2009/09/30 19:59:45 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\Dext536.ini
[2008/10/20 20:55:11 | 000,001,247 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/03 17:34:19 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/28 19:24:24 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fusioncache.dat
[2007/01/28 19:03:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/02 22:36:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/01/02 22:35:19 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/01/02 22:35:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/01/02 22:35:12 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/01/02 22:35:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/01/02 22:35:11 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/01/02 22:35:11 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2006/02/13 18:11:03 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/02/13 17:55:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/13 17:53:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/02/13 17:47:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/02/13 17:40:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/02/13 17:39:56 | 000,273,376 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/13 16:33:23 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/13 16:32:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/13 16:32:49 | 000,476,890 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/13 16:32:49 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/13 16:32:49 | 000,085,700 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/13 16:32:49 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/13 16:32:46 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/13 16:32:45 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/13 16:32:43 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/02/13 16:32:38 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/13 16:32:38 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/13 16:32:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/13 16:32:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/03/24 04:03:00 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\FGWVB32.DLL
[2000/06/22 06:09:24 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2000/05/11 06:52:22 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\Indounin.dll
[1998/03/25 23:12:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2008/10/16 21:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activ Software
[2010/07/30 12:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/09/14 17:38:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/02 20:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/12/08 21:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2007/01/28 19:24:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PowerQuest
[2008/08/29 18:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 22:11:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/04/21 21:41:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2010/01/10 20:20:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/08/19 13:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/04/21 21:36:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2010/04/09 16:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Arkadium
[2010/09/15 20:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\F5C3453C4620B7A135490455D9F88CEE
[2010/12/08 21:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\FUJIFILM
[2010/09/11 20:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\InterTrust
[2007/01/28 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\IsolatedStorage
[2010/09/14 22:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Trusteer
[2008/02/20 22:20:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\TuneUp Software
[2009/08/19 14:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\UseNeXT
[2008/08/29 18:02:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\WinPatrol
[2011/03/14 20:02:20 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Automatic troubleshooting.job
[2011/03/08 18:00:01 | 000,000,444 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration3.job

========== Purity Check ==========



< End of report >
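The log above is in OTL's line format. As an added example (not part of this thread, and not OTL's own code), the following Python script parses lines in that format and flags the kinds of entries a malware-removal helper pulls into an :OTL fix list: orphaned "File not found" entries, a Winlogon UserInit value that is not the stock userinit.exe, running code with no company name, and a recently created Program Files folder with a random-looking name. The sample lines are constructed copies of entries from the log; the rules are review heuristics rather than verdicts, and the XP default UserInit path is an assumption.

```python
"""Review helper for OTL (OldTimer's OTL) log lines.

Heuristic rules only: every finding is something a human reviewer should look
at, not a malware verdict.
"""
import re
from datetime import datetime
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# Line-type prefix used by OTL: PRC/MOD/SRV/DRV, IE, or an O-section number.
TAG = re.compile(r"^(PRC|MOD|SRV|DRV|IE|O\d{1,2}) - ")
# File-info block, e.g. [2011/02/25 17:14:52 | 002,004,480 | ---- | M]
FILEINFO = re.compile(
    r"\[(\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| [\d,]+ \| [-A-Z]{4} \| [MC]\]")
# Company name in parentheses directly after the file-info block; "()" means none.
COMPANY_AFTER_INFO = re.compile(r"\] \(([^()]*)\) ")
# Trailing "(Company)" on O4 autorun lines; "()" means none.
TRAILING_COMPANY = re.compile(r"\(([^()]*)\)\s*$")
# Stock Windows XP UserInit value (assumption: an XP machine, as in the log above).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Heuristic: a folder name made only of lowercase letters, like "kqjugoya".
RANDOM_NAME = re.compile(r"^[a-z]{6,}$")

# Constructed sample: copies of entries from the log above, in OTL's format.
SAMPLE_LOG = r"""
PRC - [2011/02/25 17:14:52 | 002,004,480 | ---- | M] () -- C:\Program Files\SpyDig\spydig.exe
PRC - [2010/11/24 19:58:09 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
SRV - File not found [Unknown | Stopped] -- -- (McShield)
DRV - [2010/12/30 10:54:06 | 000,034,736 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RKHit.sys -- (RkHit)
O4 - HKLM..\Run: [spydig.exe] C:\Program Files\SpyDig\spydig.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
[2011/03/10 19:23:29 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
"""
SCAN_DATE = "2011/03/14"  # date the sample log was taken (constructed)


def _days_between(scan_date: str, created: str) -> int:
    fmt = "%Y/%m/%d"
    return (datetime.strptime(scan_date, fmt) - datetime.strptime(created, fmt)).days


def triage_line(line: str, scan_date: str, recent_days: int = 7) -> List[Finding]:
    """Return review findings for one OTL log line; scan_date is YYYY/MM/DD."""
    findings: List[Finding] = []
    m = TAG.match(line)
    tag = m.group(1) if m else "FILE"

    # 1. Orphaned entries (service, hook, RunOnce, ...) whose target file is gone.
    if "File not found" in line:
        findings.append(("orphan", "entry points at a file that does not exist", line))

    # 2. Winlogon UserInit: anything but the stock userinit.exe runs at every logon.
    if tag == "O20" and "UserInit" in line:
        v = re.search(r"UserInit - \(([^)]*)\)", line)
        value = (v.group(1) if v else "").lower().rstrip(",")
        if value != DEFAULT_USERINIT:
            findings.append(("critical", f"UserInit is not the stock userinit.exe: {value}", line))

    # 3. Running code with an empty company name: processes, modules, services, drivers, Run keys.
    if tag in ("PRC", "MOD", "SRV", "DRV"):
        c = COMPANY_AFTER_INFO.search(line)
        if c and c.group(1) == "":
            sev = "review-driver" if tag == "DRV" else "review"
            findings.append((sev, f"{tag} entry has no company name", line))
    elif tag == "O4":
        c = TRAILING_COMPANY.search(line)
        if c and c.group(1) == "":
            findings.append(("review", "autorun entry has no company name", line))

    # 4. A folder created shortly before the scan under Program Files with a random-looking name.
    if tag == "FILE":
        f = FILEINFO.search(line)
        path = line.rsplit(" -- ", 1)[-1].strip() if " -- " in line else ""
        name = path.rsplit("\\", 1)[-1]
        if f and "---D" in line and path.lower().startswith("c:\\program files\\") \
                and RANDOM_NAME.match(name):
            days = _days_between(scan_date, f.group(1))
            if days <= recent_days:
                findings.append(("review", f"folder {name!r} created {days} days before the scan", line))
    return findings


def triage_log(text: str, scan_date: str) -> List[Finding]:
    """Run triage_line over every non-empty line of an OTL log."""
    return [fd for ln in text.splitlines() if ln.strip() for fd in triage_line(ln.strip(), scan_date)]


def fix_lines(findings: List[Finding]) -> List[str]:
    """Lines a helper would paste under :OTL; plain 'review' items need a human decision first."""
    out: List[str] = []
    for sev, _, ln in findings:
        if sev in ("orphan", "critical", "review-driver") and ln not in out:
            out.append(ln)
    return out


if __name__ == "__main__":
    for sev, why, ln in triage_log(SAMPLE_LOG, SCAN_DATE):
        print(f"[{sev}] {why}\n    {ln}")
```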

#4 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 15 March 2011 - 09:35 AM

Hey,

Please describe to me what symptoms you have and how you learned that you're infected.


Warning!!
You have an information stealing trojan installed on your computer.
Backdoor Trojans, IRCBots, keyloggers and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following.
  • All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.

  • Banking and credit card institutions should be notified of the possible security breach.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found [Unknown | Stopped] -- -- (McTaskManager)
    SRV - File not found [Unknown | Stopped] -- -- (McShield)
    SRV - File not found [Unknown | Stopped] -- -- (McAfeeFramework)
    DRV - [2010/12/30 10:54:06 | 000,034,736 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RKHit.sys -- (RkHit)
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O4 - HKCU..\RunOnce: [Shockwave Updater] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
    O32 - AutoRun File - [2008/05/06 12:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2011/03/14 19:46:42 | 000,000,003 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
    [2011/03/10 19:23:29 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011/03/10 20:50:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
    [2011/03/10 20:50:26 | 000,034,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\RKHit.sys
    [2010/09/14 17:34:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OHcllLr.dat

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    C:\Documents and Settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE\* /s
    C:\rei\* /s
    C:\Documents and Settings\All Users\Application Data\bLlFbMc06300\* /s

  • Click the Quick Scan button. Post the log it produces in your next reply.



Next:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

**Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall**

Next:

    1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder; it will help protect your drives from future infection.

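The :OTL fix above is built by reading the log for a handful of tell-tale patterns (a non-default Winlogon UserInit, a hidden autorun.inf on a writable drive, a kernel driver with no vendor name, dangling toolbar entries). As an added example that is not part of this thread or of OTL itself, here is a small Python triage script that applies those same patterns to raw OTL log lines; the sample excerpt is copied from the logs posted in this thread, and the heuristics are the editor's own, not OTL's.

```python
"""Triage helper for OTL log lines (added example; not OTL's own code).

The heuristics mirror the reasoning behind the :OTL fix in this thread. A hit
is a lead for an analyst, not a verdict: every flagged line still needs a
human decision before anything is removed.
"""
import re
from typing import List, Optional, Tuple

# OTL prefixes file records with "[date time | size | attrs | M-or-C]";
# the vendor name follows in parentheses, "()" meaning no company name.
META = re.compile(
    r"\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[\w-]{4}) \| [MC]\]"
)
COMPANY = re.compile(r"\(([^()]*)\)")
BINARY_EXT = re.compile(r"\.(sys|exe|dll)$", re.IGNORECASE)
# What a stock Windows XP Winlogon configuration points at.
WINLOGON_DEFAULTS = {"UserInit": "userinit.exe", "Shell": "explorer.exe"}


def company_after_meta(line: str) -> Optional[str]:
    """Vendor string from the first '(...)' after the metadata block, or None."""
    m = META.search(line)
    if not m:
        return None
    c = COMPANY.search(line, m.end())
    return c.group(1).strip() if c else None


def triage_line(line: str) -> Optional[str]:
    """Return a short reason when the line deserves attention, else None."""
    s = line.strip()

    # 1. Winlogon UserInit/Shell is a classic persistence point; it must be stock.
    m = re.match(r"O20 - HKLM Winlogon: (UserInit|Shell) - \((.*?)\) - (.*)$", s)
    if m:
        key, value, target = m.groups()
        if "File not found" in target or WINLOGON_DEFAULTS[key] not in value.lower():
            return f"Winlogon {key} is non-default: {value}"
        return None

    # 2. autorun.inf on writable media (optical CDFS volumes legitimately carry one).
    if s.startswith("O32 - AutoRun File") and "autorun.inf" in s.lower() and "CDFS" not in s:
        m = META.search(s)
        attrs = m.group("attrs") if m else ""
        hidden = "H" in attrs or "S" in attrs
        return "autorun.inf on writable volume" + (
            " with hidden/system attributes" if hidden else "")

    # 3. Autostart (Run/RunOnce) entries: missing target or no vendor name.
    if s.startswith("O4 - "):
        if s.endswith("File not found"):
            return "autostart entry whose target file is missing"
        if s.endswith("()"):
            return "autostart entry with no company name"
        return None

    # 4. Drivers/services and newly created files that carry no company name.
    kind = s.split(" - ", 1)[0]
    if kind in ("DRV", "SRV") or (META.match(s) and " -- " in s):
        comp = company_after_meta(s)
        parts = s.split(" -- ")
        path = parts[1] if len(parts) > 1 else ""
        if comp == "":
            if kind in ("DRV", "SRV"):
                return f"{kind} with no company name: {path}"
            name = path.rsplit("\\", 1)[-1]
            if BINARY_EXT.search(name):
                return f"binary with no company name: {path}"
            if "." not in name and path.lower().startswith("c:\\windows"):
                return f"extensionless file under Windows directory: {path}"
        return None

    # 5. Browser hooks/BHOs/toolbars whose target or CLSID no longer exists.
    if s.startswith(("IE ", "O2 ", "O3 ", "O9 ")) and s.endswith(
            ("File not found", "No CLSID value found.")):
        return "orphaned browser extension/toolbar reference (cleanup candidate)"
    return None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line; returns (reason, line) pairs in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((reason, line.strip()))
    return hits


# Constructed sample: lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
DRV - [2010/12/30 10:54:06 | 000,034,736 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RKHit.sys -- (RkHit)
DRV - [2010/10/03 23:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKCU..\RunOnce: [Shockwave Updater] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
O32 - AutoRun File - [2008/05/06 12:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2011/03/14 19:46:42 | 000,000,003 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
[2011/03/10 20:50:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
[2011/03/10 19:23:29 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
"""

if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The six lines it flags on the sample are exactly the ones the helper carried into the :OTL fix; the Trusteer driver, the AVG Run entry, the stock Shell value and the optical-disc autorun.inf pass through untouched.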

#5 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 15 March 2011 - 04:51 PM

Hi,

I've got AVG installed and basically can't do anything without it popping up saying infected. It's basically taking over my computer.

Thanks for replying, please now see my OTL log and ComboFix log as requested. Many thanks again, OB


OTL logfile created on: 15/03/2011 20:25:02 - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

702.00 Mb Total Physical Memory | 208.00 Mb Available Physical Memory | 30.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 17.38 Gb Free Space | 46.64% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 7.47 Gb Total Space | 1.89 Gb Free Space | 25.35% Space Free | Partition Type: FAT32

Computer Name: SARAHSLAPTOP | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/14 19:37:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2011/02/25 17:14:52 | 002,004,480 | ---- | M] () -- C:\Program Files\SpyDig\spydig.exe
PRC - [2010/12/08 21:19:09 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/11/24 19:58:09 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/11/24 19:57:50 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/10/03 23:43:16 | 001,266,920 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/09/23 19:04:19 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/09/23 19:04:19 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/09/23 19:04:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/09/23 19:04:13 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/30 14:08:26 | 000,486,216 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
PRC - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2006/06/20 12:42:44 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/11/10 01:44:00 | 000,557,056 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe


========== Modules (SafeList) ==========

MOD - [2011/03/14 19:37:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
MOD - [2010/10/03 23:43:42 | 000,431,336 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/09/23 19:04:16 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/09/14 21:13:34 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2009/10/30 14:01:00 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)


========== Driver Services (SafeList) ==========

DRV - [2011/03/02 21:30:36 | 000,055,224 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys -- (RapportCerberus_23945)
DRV - [2010/10/03 23:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/10/03 23:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2010/09/23 19:04:20 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/09/23 19:04:19 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/09/23 19:04:14 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/10/14 06:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2007/01/28 17:21:57 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/06/27 00:42:14 | 003,972,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/11/10 01:47:00 | 000,922,148 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/05/05 00:08:38 | 000,463,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/01/14 14:22:54 | 000,005,504 | ---- | M] (EnE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr)
DRV - [2004/08/03 22:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2003/09/05 06:47:22 | 000,514,859 | ---- | M] (Digital Camera) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Ca536av.sys -- (Ca536av) Icatch(VII)
DRV - [2003/07/01 18:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/05/14 10:28:14 | 000,011,048 | ---- | M] (USB BULK) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Bulk536.sys -- (USBCamera) Icatch(VII)
DRV - [2001/10/18 09:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys -- (ViaIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/09/14 20:38:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [spydig.exe] C:\Program Files\SpyDig\spydig.exe ()
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:49:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 12:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2011/03/15 20:26:18 | 000,000,003 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/15 20:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
[2011/03/15 20:20:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/15 20:19:21 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 20:50:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpyDig
[2011/03/10 20:50:25 | 000,000,000 | ---D | C] -- C:\Program Files\SpyDig
[2011/03/10 19:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/03/09 22:14:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/09 22:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/03/02 21:34:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Sarah\Recent
[2011/03/02 21:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/03/02 20:24:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE
[2011/03/02 20:24:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/02 20:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/02 19:48:36 | 000,000,000 | ---D | C] -- C:\rei
[2011/03/02 19:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2011/03/02 19:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/02 19:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/02/27 09:33:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300

========== Files - Modified Within 30 Days ==========

[2011/03/15 20:24:34 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Automatic troubleshooting.job
[2011/03/15 20:24:21 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
[2011/03/15 20:23:21 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/15 20:23:13 | 000,000,022 | ---- | M] () -- C:\WINDOWS\tpcsd
[2011/03/15 20:22:57 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/15 20:22:23 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/15 20:21:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/15 20:21:52 | 736,260,096 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/15 20:07:17 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/14 20:00:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/14 19:37:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 19:13:13 | 000,002,290 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Google Chrome.lnk
[2011/03/10 19:13:13 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/10 18:34:00 | 072,356,956 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/03/09 22:06:00 | 000,001,921 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/09 21:24:24 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
[2011/03/08 18:00:01 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2011/03/07 22:39:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/02 21:32:33 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/23 11:14:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2011/03/15 20:23:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
[2011/03/14 20:00:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/10 21:05:57 | 736,260,096 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/09 22:06:00 | 000,001,921 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/02 21:32:33 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/09/14 21:03:37 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/09/14 20:22:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:22:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:22:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:22:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:22:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/10 21:51:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\LOGO.INI
[2009/09/30 19:59:45 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\Dext536.ini
[2008/10/20 20:55:11 | 000,001,247 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/03 17:34:19 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/28 19:24:24 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fusioncache.dat
[2007/01/28 19:03:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/02 22:36:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/01/02 22:35:19 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/01/02 22:35:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/01/02 22:35:12 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/01/02 22:35:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/01/02 22:35:11 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/01/02 22:35:11 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2006/02/13 18:11:03 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/02/13 17:55:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/13 17:53:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/02/13 17:47:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/02/13 17:40:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/02/13 17:39:56 | 000,273,376 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/13 16:33:23 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/13 16:32:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/13 16:32:49 | 000,476,890 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/13 16:32:49 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/13 16:32:49 | 000,085,700 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/13 16:32:49 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/13 16:32:46 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/13 16:32:45 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/13 16:32:43 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/02/13 16:32:38 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/13 16:32:38 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/13 16:32:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/13 16:32:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/03/24 04:03:00 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\FGWVB32.DLL
[2000/06/22 06:09:24 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2000/05/11 06:52:22 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\Indounin.dll
[1998/03/25 23:12:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2008/10/16 21:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activ Software
[2010/07/30 12:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/09/14 17:38:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/02 20:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/12/08 21:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2007/01/28 19:24:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PowerQuest
[2008/08/29 18:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 22:11:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/04/21 21:41:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2010/01/10 20:20:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/08/19 13:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/04/21 21:36:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2010/04/09 16:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Arkadium
[2010/09/15 20:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\F5C3453C4620B7A135490455D9F88CEE
[2010/12/08 21:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\FUJIFILM
[2010/09/11 20:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\InterTrust
[2007/01/28 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\IsolatedStorage
[2010/09/14 22:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Trusteer
[2008/02/20 22:20:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\TuneUp Software
[2009/08/19 14:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\UseNeXT
[2008/08/29 18:02:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\WinPatrol
[2011/03/15 20:24:34 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Automatic troubleshooting.job
[2011/03/08 18:00:01 | 000,000,444 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration3.job

========== Purity Check ==========



========== Custom Scans ==========


< C:\Documents and Settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE\* /s >
[2011/03/02 20:24:36 | 000,028,842 | ---- | M] () -- C:\Documents and Settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE\enemies-names.txt

< C:\rei\* /s >
[2011/02/23 13:52:18 | 000,442,688 | ---- | M] () -- C:\rei\cfl.rei
[2011/03/02 19:48:56 | 000,024,884 | ---- | M] () -- C:\rei\reimage.log
[2011/03/02 19:58:29 | 000,000,704 | ---- | M] () -- C:\rei\reimage.qsr
[2011/02/13 08:57:16 | 000,000,115 | ---- | M] () -- C:\rei\AV\avupdate.conf
[2011/02/13 08:57:16 | 000,007,174 | ---- | M] () -- C:\rei\AV\avupdate_msg.avr
[2011/02/13 08:57:16 | 000,000,512 | ---- | M] () -- C:\rei\AV\HBEDV.KEY
[2011/03/02 19:49:01 | 000,000,166 | ---- | M] () -- C:\rei\Results\EXE1.5.0.6\RUN20110302_1948\Compress.res
[2011/03/02 19:57:05 | 000,823,444 | ---- | M] () -- C:\rei\Results\EXE1.5.0.6\RUN20110302_1948\debug-repair-2.log
[2011/03/02 19:58:31 | 000,437,178 | ---- | M] () -- C:\rei\Results\EXE1.5.0.6\RUN20110302_1948\debug-repair.log
[2011/03/02 19:48:58 | 000,035,888 | ---- | M] () -- C:\rei\Results\EXE1.5.0.6\RUN20110302_1948\Info_EnvironmentVars.res
[2011/03/02 19:49:00 | 000,019,392 | ---- | M] () -- C:\rei\Results\EXE1.5.0.6\RUN20110302_1948\Info_Installed.rec
[2011/03/02 19:57:05 | 001,399,088 | ---- | M] () -- C:\rei\Results\EXE1.5.0.6\RUN20110302_1948\out.log

< C:\Documents and Settings\All Users\Application Data\bLlFbMc06300\* /s >
[2011/03/02 20:51:47 | 000,000,098 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300\bLlFbMc06300

< End of report >


ComboFix 11-03-15.01 - Sarah 15/03/2011 22:28:33.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.398 [GMT 0:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE
c:\documents and settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE\enemies-names.txt
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-15 21:54 . 2011-03-15 21:54 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\VS Revo Group
2011-03-15 21:54 . 2009-12-30 11:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-03-15 21:54 . 2011-03-15 21:54 -------- d-----w- c:\program files\VS Revo Group
2011-03-15 21:42 . 2011-03-15 21:42 -------- d-----w- c:\program files\Perfect Uninstaller
2011-03-15 20:22 . 2011-03-15 22:37 -------- d-----w- c:\program files\kqjugoya
2011-03-15 20:20 . 2011-03-15 20:20 -------- d-----w- C:\_OTL
2011-03-10 20:50 . 2011-03-15 22:37 -------- d-----w- c:\program files\SpyDig
2011-03-02 20:55 . 2011-03-02 20:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-02 20:24 . 2011-03-10 19:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-02 19:48 . 2011-03-02 20:55 -------- d-----w- C:\rei
2011-03-02 19:48 . 2011-03-02 19:48 -------- d-----w- c:\program files\Reimage
2011-03-02 19:09 . 2011-03-02 20:55 -------- d-s---w- c:\documents and settings\Administrator.SARAHSLAPTOP
2011-02-27 09:33 . 2011-03-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\bLlFbMc06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2006-02-13 16:32 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2006-02-13 16:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-13 16:32 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2006-02-13 16:32 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2006-02-13 16:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2006-02-13 16:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2006-02-13 16:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2010-09-14 17:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-09-14 17:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2006-02-13 16:32 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2006-02-13 16:32 385024 ----a-w- c:\windows\system32\html.iec
.
<pre>
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
</pre>

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-08 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 577536]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 557056]
"spydig.exe"="c:\program files\SpyDig\spydig.exe" [2011-02-25 2004480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\kqjugoya\swxhqriq.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys [02/03/2011 21:30 55224]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [30/10/2009 14:05 1021256]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [19/10/2006 12:24 5504]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys [16/02/2011 20:09 18872]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 06:24 10064]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [30/09/2009 19:59 514859]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/09/2010 22:54 136176]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [15/03/2011 21:54 27064]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-15 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 14:12]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 22:54]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 22:54]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-08 21:19]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-08 21:19]
.
2011-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
- - - - ORPHANS REMOVED - - - -
.
Notify-avgrsstarter - avgrsstx.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 22:37
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Sarah\Start Menu\Programs\Startup\swxhqriq.exe 170397 bytes executable
C:\swxhqriq.exe 170397 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\sm56hlpr.exe
c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-03-15 22:43:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-15 22:43
ComboFix2.txt 2010-09-14 20:43
.
Pre-Run: 20,590,493,696 bytes free
Post-Run: 20,524,879,872 bytes free
.
- - End Of File - - F5EFE5142F9670272D13A1CAED876FD3

#6 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 16 March 2011 - 09:58 AM

Hey,

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    Posted Image
  • If an infected file is detected, the default action will be Cure; click on Continue.
    Posted Image
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    Posted Image
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Next:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote

    :OTL
    O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
    [2011/03/15 20:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
    [2011/03/02 20:24:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\F5C3453C4620B7A135490455D9F88CEE
    [2011/03/15 20:23:13 | 000,000,022 | ---- | M] () -- C:\WINDOWS\tpcsd
    [2011/03/15 20:23:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
    2011-03-15 20:22 . 2011-03-15 22:37 -------- d-----w- c:\program files\kqjugoya

    :Services

    :Reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe"

    :Files
    c:\documents and settings\Sarah\Start Menu\Programs\Startup\swxhqriq.exe

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.



Next:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

RenV::
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
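The fix script above targets three things that are visible in the ComboFix log posted earlier: the extra executable chained onto the Winlogon Userinit value, the RkHit.sys entry under SafeBoot\Minimal, and the programs renamed with a space before ".exe". The following Python triage helper is an added example, not ComboFix, OTL or anything from this thread; it parses those sections of a ComboFix-style log and flags each symptom. The sample log is constructed from values quoted in the thread, and the stock Userinit path c:\windows\system32\userinit.exe is an assumption (Windows installed on C:).

```python
"""Triage helpers for a ComboFix-style log excerpt (added example)."""
import re
from typing import Dict, List

# Constructed sample: a cut-down copy of the values quoted in this thread's
# ComboFix log (Reg Loading Points plus the <pre> block of renamed files).
SAMPLE_LOG = r"""
<pre>
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>

REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spydig.exe"="c:\program files\SpyDig\spydig.exe" [2011-02-25 2004480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\kqjugoya\swxhqriq.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
ANNOTATION_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")  # " [2011-02-25 2004480]"
SPACE_EXE_RE = re.compile(r"^.+\S \.exe$", re.IGNORECASE)  # "...\jusched .exe"

# Assumption: Windows lives on C:, so the stock Userinit entry is this path.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_reg_points(log: str) -> Dict[str, Dict[str, str]]:
    """Parse the REGEDIT4 fragment into {key: {value_name: data}}.

    ComboFix suffixes some data with " [date size]"; that is dropped, as are
    the quotes around quoted data.  The default value is stored under "@".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys[current] = {}
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group("name")
            data = ANNOTATION_RE.sub("", value_match.group("data").strip())
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            keys[current][name if name is not None else "@"] = data
    return keys


def userinit_extras(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Executables chained onto Winlogon\\Userinit besides the stock one.

    Winlogon runs every comma-separated entry at logon, so an extra entry
    (swxhqriq.exe in the thread) is a logon-persistence hook.
    """
    for key, values in keys.items():
        if not key.lower().endswith("\\winlogon"):
            continue
        for name, data in values.items():
            if name.lower() == "userinit":
                entries = [e.strip() for e in data.split(",")]
                return [e for e in entries if e and e.lower() != STOCK_USERINIT]
    return []


def safeboot_entries(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Drivers/services registered to load in Safe Mode (SafeBoot\\Minimal).

    ComboFix hides the stock entries, so whatever remains (RkHit.sys in the
    thread) was added later and would survive a safe-mode cleanup attempt.
    """
    found = []
    for key in keys:
        parts = key.split("\\")
        if (len(parts) >= 3 and parts[-3].lower() == "safeboot"
                and parts[-2].lower() == "minimal"):
            found.append(parts[-1])
    return found


def renamed_executables(log: str) -> List[str]:
    """Paths whose file name carries a space before ".exe" ("jusched .exe").

    These are programs that no longer launch under their real name; the
    RenV:: script in the thread renames them back.
    """
    return [line.strip() for line in log.splitlines()
            if SPACE_EXE_RE.match(line.strip())]


def triage(log: str) -> Dict[str, List[str]]:
    """Run all three checks over one log excerpt and collect the hits."""
    keys = parse_reg_points(log)
    return {
        "userinit_extras": userinit_extras(keys),
        "safeboot_entries": safeboot_entries(keys),
        "renamed_executables": renamed_executables(log),
    }
```

Calling `triage(SAMPLE_LOG)` returns the swxhqriq.exe path, RkHit.sys and the two renamed programs; on a full ComboFix log the same three lists tell you which lines the fix script has to address.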

#7 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 16 March 2011 - 01:51 PM

Hi, please see the logs as requested. Many thanks again, OB


2011/03/16 18:56:20.0656 0272 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/16 18:56:21.0609 0272 ================================================================================
2011/03/16 18:56:21.0609 0272 SystemInfo:
2011/03/16 18:56:21.0609 0272
2011/03/16 18:56:21.0609 0272 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/16 18:56:21.0609 0272 Product type: Workstation
2011/03/16 18:56:21.0609 0272 ComputerName: SARAHSLAPTOP
2011/03/16 18:56:21.0609 0272 UserName: Sarah
2011/03/16 18:56:21.0609 0272 Windows directory: C:\WINDOWS
2011/03/16 18:56:21.0609 0272 System windows directory: C:\WINDOWS
2011/03/16 18:56:21.0609 0272 Processor architecture: Intel x86
2011/03/16 18:56:21.0609 0272 Number of processors: 1
2011/03/16 18:56:21.0609 0272 Page size: 0x1000
2011/03/16 18:56:21.0609 0272 Boot type: Normal boot
2011/03/16 18:56:21.0609 0272 ================================================================================
2011/03/16 18:56:21.0828 0272 Initialize success
2011/03/16 18:56:28.0734 4092 ================================================================================
2011/03/16 18:56:28.0734 4092 Scan started
2011/03/16 18:56:28.0734 4092 Mode: Manual;
2011/03/16 18:56:28.0734 4092 ================================================================================
2011/03/16 18:57:08.0250 4092 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/16 18:57:08.0531 4092 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/16 18:57:08.0671 4092 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/03/16 18:57:08.0875 4092 viagfx (5dbffb9a41da40c8d77c5cdeb98a55b8) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2011/03/16 18:57:09.0093 4092 ViaIde (a5d8b6c8d43786d4215c1df6fab0aae0) C:\WINDOWS\system32\DRIVERS\viaidexp.sys
2011/03/16 18:57:09.0296 4092 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/16 18:57:09.0531 4092 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/16 18:57:09.0921 4092 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/16 18:57:10.0140 4092 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/03/16 18:57:10.0281 4092 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/16 18:57:10.0562 4092 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/16 18:57:10.0843 4092 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/16 18:57:12.0250 4092 ================================================================================
2011/03/16 18:57:12.0250 4092 Scan finished
2011/03/16 18:57:12.0250 4092 ================================================================================



OTL logfile created on: 16/03/2011 19:12:20 - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

702.00 Mb Total Physical Memory | 397.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 18.51 Gb Free Space | 49.69% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 7.47 Gb Total Space | 1.84 Gb Free Space | 24.62% Space Free | Partition Type: FAT32

Computer Name: SARAHSLAPTOP | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2010/12/08 21:19:09 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/10/03 23:43:16 | 001,266,920 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2009/10/30 14:12:24 | 000,316,232 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
PRC - [2009/10/30 14:08:26 | 000,486,216 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
PRC - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2007/03/15 17:17:08 | 000,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
PRC - [2006/06/20 12:42:44 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/11/10 01:44:00 | 000,557,056 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe


========== Modules (SafeList) ==========

MOD - [2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/09/14 21:13:34 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2009/10/30 14:01:00 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)


========== Driver Services (SafeList) ==========

DRV - [2011/03/02 21:30:36 | 000,055,224 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys -- (RapportCerberus_23945)
DRV - [2011/02/16 20:09:15 | 000,018,872 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys -- (RapportIaso)
DRV - [2010/10/03 23:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/10/03 23:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2009/10/14 06:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2007/01/28 17:21:57 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/06/27 00:42:14 | 003,972,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/11/10 01:47:00 | 000,922,148 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/05/05 00:08:38 | 000,463,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/01/14 14:22:54 | 000,005,504 | ---- | M] (EnE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr)
DRV - [2004/08/03 22:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2003/09/05 06:47:22 | 000,514,859 | ---- | M] (Digital Camera) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Ca536av.sys -- (Ca536av) Icatch(VII)
DRV - [2003/07/01 18:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/05/14 10:28:14 | 000,011,048 | ---- | M] (USB BULK) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Bulk536.sys -- (USBCamera) Icatch(VII)
DRV - [2001/10/18 09:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys -- (ViaIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/15 22:37:14 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:49:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/03/15 22:44:02 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 12:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2011/03/16 19:13:16 | 000,000,003 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/16 19:11:42 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
[2011/03/16 18:56:14 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2011/03/15 22:47:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/15 22:44:02 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/03/15 22:20:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/15 22:20:01 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/03/15 22:11:27 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Sarah\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/03/15 21:54:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Local Settings\Application Data\VS Revo Group
[2011/03/15 20:20:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/15 20:19:21 | 000,754,080 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 19:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/03/09 22:14:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/09 22:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/03/02 21:34:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Sarah\Recent
[2011/03/02 21:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/03/02 20:24:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/02 20:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/02 19:48:36 | 000,000,000 | ---D | C] -- C:\rei
[2011/03/02 19:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2011/03/02 19:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/02 19:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/02/27 09:33:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300

========== Files - Modified Within 30 Days ==========

[2011/03/16 19:13:17 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Automatic troubleshooting.job
[2011/03/16 19:12:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/16 19:11:56 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/16 19:11:43 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/16 19:11:41 | 000,170,397 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\OTLmgr.exe
[2011/03/16 19:11:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/16 19:11:29 | 736,276,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/16 19:07:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/15 22:37:14 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/15 22:11:26 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Sarah\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/03/15 21:42:57 | 000,000,042 | ---- | M] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/03/15 21:24:04 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
[2011/03/15 21:24:03 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
[2011/03/15 20:16:12 | 004,287,930 | R--- | M] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2011/03/15 20:16:04 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Flash_Disinfector.exe
[2011/03/14 20:00:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 19:13:13 | 000,002,290 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Google Chrome.lnk
[2011/03/10 19:13:13 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2011/03/09 22:06:00 | 000,001,921 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/07 22:39:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/02 21:32:33 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/23 11:14:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2011/03/16 19:11:41 | 000,170,397 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\OTLmgr.exe
[2011/03/15 22:19:08 | 004,287,930 | R--- | C] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2011/03/15 21:42:57 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/03/15 20:46:06 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Flash_Disinfector.exe
[2011/03/14 20:00:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/10 21:05:57 | 736,276,480 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/09 22:06:00 | 000,001,921 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/02 21:32:33 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/09/14 21:03:37 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/09/14 20:22:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:22:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:22:00 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:22:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:22:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/10 21:51:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\LOGO.INI
[2009/09/30 19:59:45 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\Dext536.ini
[2008/10/20 20:55:11 | 000,001,247 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/03 17:34:19 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/28 19:24:24 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fusioncache.dat
[2007/01/28 19:03:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/02 22:36:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/01/02 22:35:19 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/01/02 22:35:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/01/02 22:35:12 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/01/02 22:35:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/01/02 22:35:11 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/01/02 22:35:11 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2006/02/13 18:11:03 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/02/13 17:55:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/13 17:53:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/02/13 17:47:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/02/13 17:40:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/02/13 17:39:56 | 000,273,376 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/13 16:33:23 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/13 16:32:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/13 16:32:49 | 000,476,890 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/13 16:32:49 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/13 16:32:49 | 000,085,700 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/13 16:32:49 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/13 16:32:46 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/13 16:32:45 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/13 16:32:43 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/02/13 16:32:38 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/13 16:32:38 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/13 16:32:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/13 16:32:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/03/24 04:03:00 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\FGWVB32.DLL
[2000/06/22 06:09:24 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2000/05/11 06:52:22 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\Indounin.dll
[1998/03/25 23:12:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2008/10/16 21:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activ Software
[2011/03/15 22:13:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/03/15 22:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/02 20:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/12/08 21:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2007/01/28 19:24:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PowerQuest
[2008/08/29 18:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 22:11:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/04/21 21:41:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2010/01/10 20:20:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/08/19 13:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/04/21 21:36:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2010/04/09 16:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Arkadium
[2010/09/15 20:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\F5C3453C4620B7A135490455D9F88CEE
[2010/12/08 21:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\FUJIFILM
[2010/09/11 20:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\InterTrust
[2007/01/28 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\IsolatedStorage
[2010/09/14 22:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Trusteer
[2008/02/20 22:20:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\TuneUp Software
[2009/08/19 14:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\UseNeXT
[2008/08/29 18:02:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\WinPatrol
[2011/03/16 19:13:17 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Automatic troubleshooting.job

========== Purity Check ==========



< End of report >



ComboFix 11-03-15.01 - Sarah 16/03/2011 19:31:37.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.415 [GMT 0:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sarah\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 19:11 . 2011-03-16 19:41 -------- d-----w- c:\program files\kqjugoya
2011-03-15 21:54 . 2011-03-15 21:54 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\VS Revo Group
2011-03-15 20:20 . 2011-03-15 20:20 -------- d-----w- C:\_OTL
2011-03-02 20:55 . 2011-03-02 20:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-02 20:24 . 2011-03-10 19:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-02 19:48 . 2011-03-02 20:55 -------- d-----w- C:\rei
2011-03-02 19:48 . 2011-03-02 19:48 -------- d-----w- c:\program files\Reimage
2011-03-02 19:09 . 2011-03-02 20:55 -------- d-s---w- c:\documents and settings\Administrator.SARAHSLAPTOP
2011-02-27 09:33 . 2011-03-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\bLlFbMc06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2006-02-13 16:32 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2006-02-13 16:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-13 16:32 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2006-02-13 16:32 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2006-02-13 16:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2006-02-13 16:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2006-02-13 16:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2010-09-14 17:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-09-14 17:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2006-02-13 16:32 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2006-02-13 16:32 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-08 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 577536]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 557056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\kqjugoya\swxhqriq.exe"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys [02/03/2011 21:30 55224]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [30/10/2009 14:05 1021256]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [19/10/2006 12:24 5504]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys [16/02/2011 20:09 18872]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 06:24 10064]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [30/09/2009 19:59 514859]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/09/2010 22:54 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 14:12]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 22:54]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 22:54]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-08 21:19]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-08 21:19]
.
2011-03-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 19:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Sarah\Start Menu\Programs\Startup\swxhqriq.exe 170397 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\sm56hlpr.exe
c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-03-16 19:48:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-16 19:48
ComboFix2.txt 2011-03-15 22:43
ComboFix3.txt 2010-09-14 20:43
.
Pre-Run: 19,513,667,584 bytes free
Post-Run: 19,385,995,264 bytes free
.
- - End Of File - - 049EA366537995C6DFC06458C31131CB

#8 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 17 March 2011 - 07:25 AM

Hey,



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

Quote

KillAll::

Folder::
C:\Documents and Settings\Sarah\Application Data\F5C3453C4620B7A135490455D9F88CEE
C:\Documents and Settings\All Users\Application Data\bLlFbMc06300
C:\Program Files\kqjugoya

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Rootkit::
c:\documents and settings\Sarah\Start Menu\Programs\Startup\swxhqriq.exe



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Next:


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote

    :OTL
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - File not found
    O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
    [2011/03/16 19:11:42 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
    [2011/02/27 09:33:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300
    [2011/03/02 20:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bLlFbMc06300
    [2010/09/15 20:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\F5C3453C4620B7A135490455D9F88CEE

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

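The Registry:: stanza of the CFScript above rewrites the Winlogon "Userinit" value back to the stock userinit.exe, because the ComboFix log showed a second executable appended to it and OTL reported the same path in its O20 line. The script below is an added illustration of the check behind that step; it is not part of ComboFix, OTL, or the poster's fix. It parses the Userinit value out of both log formats (the sample lines are constructed from the log lines quoted in this thread), reports any entry that is not the stock one, and computes the value a cleanup would restore. The stock path in DEFAULT_USERINIT is assumed to be the only legitimate entry on this XP system.

```python
"""Spot non-default entries in the Winlogon 'Userinit' value as reported by
ComboFix and OTL logs.  Added illustration written for this thread; it is not
part of ComboFix, OTL, or the poster's fix script.  The sample input below is
constructed from the log lines quoted in the thread."""
import re

# Assumption: the stock Windows XP value is userinit.exe alone (it is often
# written with a trailing comma, which the parser discards as an empty item).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# ComboFix prints the key in REGEDIT4 style:  "Userinit"="<value>"
COMBOFIX_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"',
                         re.IGNORECASE | re.MULTILINE)
# OTL prints it as an O20 line with the value in parentheses.
OTL_O20_RE = re.compile(r'^O20 - HKLM Winlogon: UserInit - \((?P<value>[^)]*)\)',
                        re.IGNORECASE | re.MULTILINE)

# Constructed sample: a ComboFix 'Reg Loading Points' fragment.
COMBOFIX_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\kqjugoya\swxhqriq.exe"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
'''

# Constructed sample: the matching OTL O20 lines (in the thread's OTL output
# only the appended path appears inside the parentheses).
OTL_SAMPLE = r'''
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
'''


def _split_value(value):
    """Userinit is a comma-separated list; drop the empty items that ',,' leaves."""
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_entries(log_text):
    """Executables listed in the first Userinit value found in either log
    format, or None when neither format is present."""
    for pattern in (COMBOFIX_RE, OTL_O20_RE):
        m = pattern.search(log_text)
        if m:
            return _split_value(m.group("value"))
    return None


def suspicious_userinit_entries(log_text, allowed=(DEFAULT_USERINIT,)):
    """Entries that are not on the allow-list (compared case-insensitively,
    because Windows paths are)."""
    entries = userinit_entries(log_text)
    if entries is None:
        return []
    allowed_lc = {a.lower() for a in allowed}
    return [e for e in entries if e.lower() not in allowed_lc]


def restored_userinit_value(log_text, allowed=(DEFAULT_USERINIT,)):
    """The value a cleanup script should write back: only allowed entries,
    falling back to the stock one when the log contains none of them."""
    entries = userinit_entries(log_text) or []
    allowed_lc = {a.lower() for a in allowed}
    kept = [e for e in entries if e.lower() in allowed_lc]
    return ",".join(kept) if kept else DEFAULT_USERINIT


if __name__ == "__main__":
    for name, sample in (("ComboFix", COMBOFIX_SAMPLE), ("OTL", OTL_SAMPLE)):
        print(name, "suspicious:", suspicious_userinit_entries(sample))
        print(name, "restore to:", restored_userinit_value(sample))
```

Run over the ComboFix sample the script reports the kqjugoya path as the only non-default entry and proposes the same single userinit.exe value that the CFScript's Registry:: section writes; the OTL sample gives the same verdict from the O20 line. A log with no Userinit line at all yields no findings rather than a false alarm.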

#9 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 17 March 2011 - 12:49 PM

Thanks again for your help. Please see logs as requested.


ComboFix 11-03-15.01 - Sarah 17/03/2011 17:43:56.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.379 [GMT 0:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sarah\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bLlFbMc06300
c:\documents and settings\All Users\Application Data\bLlFbMc06300\bLlFbMc06300
c:\documents and settings\Sarah\Application Data\F5C3453C4620B7A135490455D9F88CEE
c:\program files\kqjugoya
.
.
((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
.
.
2011-03-15 21:54 . 2011-03-15 21:54 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\VS Revo Group
2011-03-15 20:20 . 2011-03-15 20:20 -------- d-----w- C:\_OTL
2011-03-10 19:23 . 2011-03-10 19:23 170397 --s---w- C:\swxhqriq.exe
2011-03-02 20:55 . 2011-03-02 20:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-02 20:24 . 2011-03-10 19:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-02 19:48 . 2011-03-02 20:55 -------- d-----w- C:\rei
2011-03-02 19:48 . 2011-03-02 19:48 -------- d-----w- c:\program files\Reimage
2011-03-02 19:09 . 2011-03-02 20:55 -------- d-s---w- c:\documents and settings\Administrator.SARAHSLAPTOP
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2006-02-13 16:32 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2006-02-13 16:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-13 16:32 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2006-02-13 16:32 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2006-02-13 16:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2006-02-13 16:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2006-02-13 16:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2010-09-14 17:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-09-14 17:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2006-02-13 16:32 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2006-02-13 16:32 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-08 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 577536]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 557056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\kqjugoya\swxhqriq.exe"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys [02/03/2011 21:30 55224]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [30/10/2009 14:05 1021256]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [19/10/2006 12:24 5504]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys [16/02/2011 20:09 18872]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 06:24 10064]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [30/09/2009 19:59 514859]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/09/2010 22:54 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-17 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 14:12]
.
2011-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 22:54]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 22:54]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-08 21:19]
.
2011-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
- c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-08 21:19]
.
2011-03-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 17:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Sarah\Start Menu\Programs\Startup\swxhqriq.exe 170397 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1484)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\sm56hlpr.exe
c:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft Office\Office12\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2011-03-17 17:57:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-17 17:57
ComboFix2.txt 2011-03-16 19:48
ComboFix3.txt 2011-03-15 22:43
ComboFix4.txt 2010-09-14 20:43
.
Pre-Run: 18,938,118,144 bytes free
Post-Run: 19,675,664,384 bytes free
.
- - End Of File - - 82DD977C5B984BE7AB12226A1F5BFFAA

OTL logfile created on: 17/03/2011 18:37:46 - Run 5
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

702.00 Mb Total Physical Memory | 368.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 18.11 Gb Free Space | 48.61% Space Free | Partition Type: NTFS

Computer Name: SARAHSLAPTOP | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
PRC - [2010/12/08 21:19:09 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/10/03 23:43:16 | 001,266,920 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2009/10/30 14:12:24 | 000,316,232 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
PRC - [2009/10/30 14:08:26 | 000,486,216 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
PRC - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2006/06/20 12:42:44 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/11/10 01:44:00 | 000,557,056 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe


========== Modules (SafeList) ==========

MOD - [2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
MOD - [2010/10/03 23:43:42 | 000,431,336 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/10/03 23:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/09/14 21:13:34 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009/10/30 14:05:48 | 001,021,256 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2009/10/30 14:01:00 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2007/09/20 20:38:48 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)


========== Driver Services (SafeList) ==========

DRV - [2011/03/02 21:30:36 | 000,055,224 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys -- (RapportCerberus_23945)
DRV - [2011/02/16 20:09:15 | 000,018,872 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys -- (RapportIaso)
DRV - [2010/10/03 23:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/10/03 23:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2009/10/14 06:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2007/01/28 17:21:57 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/06/27 00:42:14 | 003,972,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/11/10 01:47:00 | 000,922,148 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/05/05 00:08:38 | 000,463,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/01/14 14:22:54 | 000,005,504 | ---- | M] (EnE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr)
DRV - [2004/08/03 22:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2003/09/05 06:47:22 | 000,514,859 | ---- | M] (Digital Camera) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Ca536av.sys -- (Ca536av) Icatch(VII)
DRV - [2003/07/01 18:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/05/14 10:28:14 | 000,011,048 | ---- | M] (USB BULK) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Bulk536.sys -- (USBCamera) Icatch(VII)
DRV - [2001/10/18 09:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys -- (ViaIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/17 17:50:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:49:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/03/15 22:44:02 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/17 18:35:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/17 17:51:26 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
[2011/03/17 17:49:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/16 18:56:14 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2011/03/15 22:44:02 | 000,000,000 | R--D | C] -- C:\autorun.inf
[2011/03/15 22:20:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/15 22:11:27 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Sarah\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/03/15 21:54:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Local Settings\Application Data\VS Revo Group
[2011/03/15 20:20:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/15 20:19:21 | 000,754,080 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 19:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/03/09 22:14:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/09 22:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/03/02 21:34:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Sarah\Recent
[2011/03/02 21:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/03/02 20:24:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/02 20:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/02 19:48:36 | 000,000,000 | ---D | C] -- C:\rei
[2011/03/02 19:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2011/03/02 19:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/02 19:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2011/03/17 18:38:29 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Automatic troubleshooting.job
[2011/03/17 18:37:44 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/17 18:37:30 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/17 18:37:12 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/17 18:37:10 | 000,170,397 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\OTLmgr.exe
[2011/03/17 18:37:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/17 18:36:58 | 736,276,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/17 18:24:17 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
[2011/03/17 18:07:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/17 17:50:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/15 22:11:26 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Sarah\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/03/15 21:42:57 | 000,000,042 | ---- | M] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/03/15 21:24:04 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
[2011/03/15 20:16:12 | 004,287,930 | R--- | M] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2011/03/15 20:16:04 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Flash_Disinfector.exe
[2011/03/14 20:00:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 19:13:13 | 000,002,290 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Google Chrome.lnk
[2011/03/10 19:13:13 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2011/03/09 22:06:00 | 000,001,921 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/07 22:39:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/02 21:32:33 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/23 11:14:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2011/03/16 19:11:41 | 000,170,397 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\OTLmgr.exe
[2011/03/15 22:19:08 | 004,287,930 | R--- | C] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2011/03/15 21:42:57 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/03/15 20:46:06 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Flash_Disinfector.exe
[2011/03/14 20:00:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/10 21:05:57 | 736,276,480 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/09 22:06:00 | 000,001,921 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/03/02 21:32:33 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/09/14 21:03:37 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/09/14 20:22:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:22:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:22:00 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:22:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:22:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/10 21:51:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\LOGO.INI
[2009/09/30 19:59:45 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\Dext536.ini
[2008/10/20 20:55:11 | 000,001,247 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/03 17:34:19 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/28 19:24:24 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fusioncache.dat
[2007/01/28 19:03:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/02 22:36:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/01/02 22:35:19 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/01/02 22:35:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/01/02 22:35:12 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/01/02 22:35:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/01/02 22:35:11 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/01/02 22:35:11 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2006/02/13 18:11:03 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/02/13 17:55:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/13 17:53:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/02/13 17:47:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/02/13 17:40:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/02/13 17:39:56 | 000,273,376 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/13 16:33:23 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/13 16:32:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/13 16:32:49 | 000,476,890 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/13 16:32:49 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/13 16:32:49 | 000,085,700 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/13 16:32:49 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/13 16:32:46 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/13 16:32:45 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/13 16:32:43 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/02/13 16:32:38 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/13 16:32:38 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/13 16:32:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/13 16:32:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/03/24 04:03:00 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\FGWVB32.DLL
[2000/06/22 06:09:24 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2000/05/11 06:52:22 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\Indounin.dll
[1998/03/25 23:12:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2008/10/16 21:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activ Software
[2011/03/15 22:13:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/03/15 22:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/01/18 20:54:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/12/08 21:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2007/01/28 19:24:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PowerQuest
[2008/08/29 18:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 22:11:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/04/21 21:41:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2010/01/10 20:20:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/08/19 13:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/04/21 21:36:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2010/04/09 16:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Arkadium
[2010/12/08 21:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\FUJIFILM
[2010/09/11 20:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\InterTrust
[2007/01/28 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\IsolatedStorage
[2010/09/14 22:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Trusteer
[2008/02/20 22:20:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\TuneUp Software
[2009/08/19 14:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\UseNeXT
[2008/08/29 18:02:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\WinPatrol
[2011/03/17 18:38:29 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Automatic troubleshooting.job

========== Purity Check ==========



< End of report >

#10 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 17 March 2011 - 01:38 PM

Hey,

There are some stubborn files there. Let's try something else:

Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post


#11 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 17 March 2011 - 02:34 PM

Hi,

Attached files as requested! Thanks for your time and effort. OB

Attached File(s)



#12 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 18 March 2011 - 12:43 PM

Hey,

AVZ FIX

  • Double click on AVZ.exe

  • First, click File > Quarantine Folder Viewer. If there's a file there named rooksbas.dll, select it and click Restore. Confirm the warning.

  • Click File > Custom scripts

  • Copy & paste the contents of the following codebox into the box in the program (starting with begin and ending with end.)


    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    BC_Activate;
    BC_DeleteFile('C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\swxhqriq.exe');
    BC_DeleteFile('C:\Program Files\kqjugoya\swxhqriq.exe');
    ExecuteSysClean;
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted

  • Click Run

  • Restart your PC if it doesn't do it automatically.


Next:

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way
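What the fix above is acting on is the O20 line in the OTL log earlier in this thread: Winlogon UserInit has been pointed at C:\Program Files\kqjugoya\swxhqriq.exe instead of the default userinit.exe, and OTL reports the file as not found, so it is either already gone or hidden from the scanner. The Python script below is an added example, not part of this thread and not OTL's or AVZ's own code: it parses the O1 (hosts), O20 (Winlogon) and O32 (AutoRun file) line formats that OTL prints and flags this class of finding. The sample lines are copied from the log in this thread plus two constructed lines (marked in the code) that exercise the other branches; the expected default paths are an assumption for a 32-bit Windows XP install with %SystemRoot% at C:\WINDOWS. It goes a little beyond the log above by also handling a comma-separated UserInit chain, where the default entry is kept and an extra executable is appended after it.

```python
"""Triage OTL log lines for the persistence indicators discussed in this thread.

Added example: not OTL's own code and not the helper's fix script. It parses the
O1 (hosts), O20 (Winlogon) and O32 (AutoRun file) line formats that OTL prints.
"""
import re
from dataclasses import dataclass

# Assumed defaults for 32-bit Windows XP with %SystemRoot% = C:\WINDOWS.
EXPECTED = {
    "shell": {r"c:\windows\explorer.exe", "explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"},
}
LOOPBACK = {"127.0.0.1", "::1"}

O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<key>\w+) - \((?P<value>[^)]*)\) - (?P<rest>.+)$")
REST_RE = re.compile(r"^(?P<path>.*?)(?: \((?P<company>[^()]*)\))?(?P<missing> File not found)?$")
O32_RE = re.compile(r"^O32 - AutoRun File - \[[^|]+\|[^|]+\| (?P<attrs>[^|]+)\| \w\](?: \(\))? - (?P<path>.+?) -- \[")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH, MEDIUM or INFO
    item: str
    detail: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def check_winlogon(line: str) -> list[Finding]:
    """Flag Shell/UserInit entries that are not the OS defaults (chains included)."""
    m = O20_RE.match(line)
    if not m:
        return []
    key = m.group("key")
    missing = bool(REST_RE.match(m.group("rest")).group("missing"))
    found = []
    # UserInit may be a comma-separated chain; every element must be a default.
    for entry in filter(None, (_norm(e) for e in m.group("value").split(","))):
        if entry in EXPECTED.get(key.lower(), set()):
            continue
        why = f"Winlogon {key} runs {entry}"
        if missing:
            why += " (file not visible to the scanner: already removed, or hidden)"
        found.append(Finding("HIGH", f"O20 {key}", why))
    return found


def check_autorun(line: str) -> list[Finding]:
    """autorun.inf at a drive root: a directory is a blocker, a real file is a hazard."""
    m = O32_RE.match(line)
    if not m or not _norm(m.group("path")).endswith("autorun.inf"):
        return []
    path, attrs = m.group("path"), m.group("attrs").strip()
    if "D" in attrs:  # OTL's D attribute flag means directory
        return [Finding("INFO", "O32 autorun.inf",
                        f"{path} is a directory ({attrs}); not parseable as an autorun file, "
                        "most likely a deliberate placeholder left by a cleanup tool")]
    return [Finding("MEDIUM", "O32 autorun.inf",
                    f"{path} is a file ({attrs}); inspect its [autorun] section")]


def check_hosts(line: str) -> list[Finding]:
    """Anything beyond loopback -> localhost in the hosts file deserves a look."""
    m = O1_RE.match(line)
    if not m:
        return []
    ip, host = m.group("ip"), m.group("host").lower()
    if ip in LOOPBACK and host == "localhost":
        return []
    return [Finding("MEDIUM", "O1 hosts",
                    f"{host} mapped to {ip}; used to block updates or redirect logins")]


def triage(log_text: str) -> list[Finding]:
    checks = (check_winlogon, check_autorun, check_hosts)
    return [f for line in log_text.splitlines() for c in checks for f in c(line.strip())]


SAMPLE_LOG = "\n".join([
    # Copied from the OTL log posted in this thread:
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found",
    r"O32 - AutoRun File - [2006/02/13 17:49:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]",
    r"O32 - AutoRun File - [2011/03/15 22:44:02 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]",
    # Constructed lines (not from the thread) that exercise the remaining branches:
    r"O1 - Hosts: 127.0.0.1 update.example.invalid",
    r"O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}: {f.detail}")
```

Two caveats the output makes visible. A UserInit value that points at a file which no longer exists breaks interactive logon (the desktop never appears and the session logs straight back off), so remediation has to put the default value back rather than only delete the hijacked one. The autorun.inf entry is reported at INFO because the log shows it with the D attribute: a directory of that name cannot be parsed as an autorun file, and the OTL log above lists Flash_Disinfector.exe on the desktop from the same evening, which is the kind of tool that leaves such placeholders.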

#13 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 18 March 2011 - 02:56 PM

Hi,

Please see attached log as requested. Many thanks, OB

Attached File(s)

  • Attached File  OTS.Txt (58.09K)
    Number of downloads: 30


#14 michaelg9

  • Group: Malware Removal
  • Posts: 2,862
  • Joined: 19-June 09

Posted 19 March 2011 - 07:14 AM

Hey,

First, download the attached fix.txt to your desktop.
Attached File  fix.txt (1.36K)
Number of downloads: 22

Then start your computer in safe mode. To do this, shut down your computer and start it again. As it's starting, tap the "F8" key continuously and quickly. You should see a black screen with some options; select "Safe Mode".

Start OTS. Click "Run Fix", and a pop up asking you to select a file should appear. Click "Yes" and choose the fix.txt file you just downloaded. Click again "Run Fix".

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Next:

  • Double click on OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window, OTL.txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post them with your next reply.


#15 owainb

  • Group: Member
  • Posts: 63
  • Joined: 04-November 05

Posted 19 March 2011 - 12:59 PM

Thanks again. Please see logs as requested.

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Program Files\kqjugoya\swxhqriq.exe deleted successfully.
File move failed. C:\Program Files\kqjugoya\swxhqriq.exe scheduled to be moved on reboot.
[Files/Folders - Created Within 30 Days]
Folder move failed. C:\Program Files\kqjugoya scheduled to be moved on reboot.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\drivers\vdezmtyx.sys moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\vdezmtyx.sys not found!
[Purity]
Purity scan complete.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.SARAHSLAPTOP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.SARAHSLAPTOP.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Sarah
->Temp folder emptied: 7827321 bytes
->Temporary Internet Files folder emptied: 22911981 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 802 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 29.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.SARAHSLAPTOP
->Flash cache emptied: 0 bytes

User: Administrator.SARAHSLAPTOP.000
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Sarah
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 03192011_184026

Files\Folders moved on Reboot...
File move failed. C:\Program Files\kqjugoya\swxhqriq.exe scheduled to be moved on reboot.
Folder move failed. C:\Program Files\kqjugoya scheduled to be moved on reboot.

Registry entries deleted on Reboot...


OTL logfile created on: 19/03/2011 18:44:43 - Run 6
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Sarah\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

702.00 Mb Total Physical Memory | 399.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 18.53 Gb Free Space | 49.74% Space Free | Partition Type: NTFS

Computer Name: SARAHSLAPTOP | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Sarah\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Sarah\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
PRC - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe (TuneUp Software)
PRC - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe (TuneUp Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Sarah\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll (Trusteer Ltd.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
SRV - (TuneUp.Defrag) -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe (TuneUp Software)
SRV - (TuneUp.UtilitiesSvc) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe (TuneUp Software)
SRV - (UxTuneUp) -- C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software)
SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()


========== Driver Services (SafeList) ==========

DRV - (RapportCerberus_23945) -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys (Trusteer Ltd.)
DRV - (RapportIaso) -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\23645\RapportIaso.sys (Trusteer Ltd.)
DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
DRV - (RapportKELL) -- C:\WINDOWS\System32\Drivers\RapportKELL.sys (Trusteer Ltd.)
DRV - (TuneUpUtilitiesDrv) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys (TuneUp Software)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (smserial) -- C:\WINDOWS\system32\drivers\smserial.sys (Motorola Inc.)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (EKBfltr) -- C:\WINDOWS\system32\drivers\EKBfltr.sys (EnE Technology Inc.)
DRV - (S3SavageNB) -- C:\WINDOWS\system32\drivers\s3gnbm.sys (S3 Graphics, Inc.)
DRV - (Ca536av) Icatch(VII) -- C:\WINDOWS\system32\drivers\Ca536av.sys (Digital Camera)
DRV - (viaagp1) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (USBCamera) Icatch(VII) -- C:\WINDOWS\system32\drivers\Bulk536.sys (USB BULK)
DRV - (ViaIde) -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys (VIA Technologies, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/17 17:50:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\kqjugoya\swxhqriq.exe) - C:\Program Files\kqjugoya\swxhqriq.exe File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:49:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/03/15 22:44:02 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/19 18:40:26 | 000,000,000 | ---D | C] -- C:\_OTS
[2011/03/19 10:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2011/03/19 09:57:41 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/03/18 20:45:57 | 000,819,055 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTS.exe
[2011/03/17 19:48:57 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Sarah\UserData
[2011/03/17 19:45:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Desktop\avz4
[2011/03/17 18:35:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/17 17:51:26 | 000,000,000 | ---D | C] -- C:\Program Files\kqjugoya
[2011/03/17 17:49:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/16 18:56:14 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2011/03/15 22:44:02 | 000,000,000 | R--D | C] -- C:\autorun.inf
[2011/03/15 22:20:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/15 22:11:27 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Sarah\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/03/15 21:54:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\Local Settings\Application Data\VS Revo Group
[2011/03/15 20:20:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/15 20:19:21 | 000,754,080 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 19:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/03/09 22:14:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/09 22:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/03/09 21:59:08 | 000,568,656 | ---- | C] (Google Inc.) -- C:\Documents and Settings\Sarah\My Documents\GoogleEarthSetup.exe
[2011/03/02 21:34:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Sarah\Recent
[2011/03/02 21:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/03/02 20:24:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/02 20:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/02 19:48:36 | 000,000,000 | ---D | C] -- C:\rei
[2011/03/02 19:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2011/03/02 19:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/02 19:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2011/03/19 18:43:28 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Automatic troubleshooting.job
[2011/03/19 18:43:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/19 18:42:38 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/19 18:42:37 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/19 18:42:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/19 18:42:23 | 736,276,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/19 18:14:24 | 000,272,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/19 10:24:00 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006UA.job
[2011/03/19 10:07:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/18 20:46:05 | 000,819,055 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTS.exe
[2011/03/18 20:37:29 | 000,002,290 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Google Chrome.lnk
[2011/03/18 20:37:29 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/17 18:37:10 | 000,170,397 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\OTLmgr.exe
[2011/03/17 17:50:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/15 22:11:26 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Sarah\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/03/15 21:42:57 | 000,000,042 | ---- | M] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/03/15 21:24:04 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2543581181-1836738841-1604031686-1006Core.job
[2011/03/15 20:16:12 | 004,287,930 | R--- | M] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2011/03/15 20:16:04 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Flash_Disinfector.exe
[2011/03/14 20:00:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/14 19:37:56 | 000,754,080 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sarah\Desktop\TDSSKiller.exe
[2011/03/09 21:58:37 | 000,568,656 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Sarah\My Documents\GoogleEarthSetup.exe
[2011/03/07 22:39:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2543581181-1836738841-1604031686-1006.job
[2011/03/02 21:32:33 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/02/23 11:14:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2011/03/19 18:42:23 | 736,276,480 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/16 19:11:41 | 000,170,397 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\OTLmgr.exe
[2011/03/15 22:19:08 | 004,287,930 | R--- | C] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
[2011/03/15 21:42:57 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/03/15 20:46:06 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Flash_Disinfector.exe
[2011/03/14 20:00:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/02 21:32:33 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/09/14 21:03:37 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/09/14 20:22:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:22:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:22:00 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:22:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:22:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/10 21:51:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\LOGO.INI
[2009/09/30 19:59:45 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\Dext536.ini
[2008/10/20 20:55:11 | 000,001,247 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/03 17:34:19 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/28 19:24:24 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fusioncache.dat
[2007/01/28 19:03:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/02 22:36:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/01/02 22:35:19 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/01/02 22:35:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/01/02 22:35:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/01/02 22:35:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/01/02 22:35:12 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/01/02 22:35:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/01/02 22:35:11 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/01/02 22:35:11 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2006/02/13 18:11:03 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/02/13 17:55:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/13 17:53:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/02/13 17:47:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/02/13 17:40:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/02/13 17:39:56 | 000,272,576 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/13 16:33:23 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/13 16:32:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/13 16:32:49 | 000,476,890 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/13 16:32:49 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/13 16:32:49 | 000,085,700 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/13 16:32:49 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/13 16:32:46 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/13 16:32:45 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/13 16:32:43 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/02/13 16:32:38 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/13 16:32:38 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/13 16:32:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/13 16:32:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/03/24 04:03:00 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\FGWVB32.DLL
[2000/06/22 06:09:24 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2000/05/11 06:52:22 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\Indounin.dll
[1998/03/25 23:12:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

< End of report >
