
Gen:Trojan.Heur.LP.Gy7@a0q2....


  • This topic is locked

#1
Roboren
    Member
  • 38 posts
Hi,

Since this morning my PC comes up with 2 things that just seem to be looping over and over.

1)Microsoft Security Essentials - Comes up with alerts like:
Detected: Virtool: Win32/Obfuscator.XZ

2)Bitdefender comes up with: (even selecting "ok" the next bunch just comes up over and over :) )
Virus name: Gen:Trojan.Heur.LP.Gy7@a0q2.....(can't see the rest)
Accessed by: MsMpEng.exe
Location: C:\Windows\Temp\tmp000021c......(can't see the rest)
File was blocked

Virus name: looks same as above, etc

I tried deleting the windows\temp dir, but it does not allow me to delete 2 or 3 folders.
I also tried running TFC.exe, but they just keep coming back

Thanks for any help offered. It is much appreciated!!

OTL Log
OTL logfile created on: 6/13/2011 9:38:32 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Tools
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 3.23 Gb Available Physical Memory | 53.93% Memory free
11.98 Gb Paging File | 9.34 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 48.15 Gb Free Space | 49.36% Space Free | Partition Type: NTFS
Drive D: | 833.86 Gb Total Space | 738.96 Gb Free Space | 88.62% Space Free | Partition Type: NTFS
Drive E: | 5.30 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive G: | 37.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RENNIE-PC | User Name: Rennie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/13 21:18:20 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Tools\OTL.exe
PRC - [2011/05/29 09:11:28 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/03/07 18:50:00 | 000,234,656 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_ActiveX.exe
PRC - [2010/11/09 10:12:30 | 000,369,256 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/10/13 08:39:04 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/03/13 19:09:10 | 002,060,288 | ---- | M] (Vodafone) -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
PRC - [2008/03/13 19:08:58 | 000,024,576 | ---- | M] (Vodafone) -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe


========== Modules (SafeList) ==========

MOD - [2011/06/13 21:18:20 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Tools\OTL.exe
MOD - [2011/05/09 22:04:34 | 000,089,600 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\plugin_net.m32
MOD - [2011/05/09 22:04:33 | 000,166,912 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\plugin_extra.m32
MOD - [2011/05/09 22:04:24 | 000,276,992 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\plugin_nt.m32
MOD - [2011/05/09 22:04:22 | 000,136,704 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\plugin_base.m32
MOD - [2011/05/09 22:04:21 | 000,657,408 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\plugin_fragments.m32
MOD - [2011/05/09 22:04:17 | 000,120,832 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\plugin_registry.m32
MOD - [2011/05/09 22:04:15 | 000,232,968 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\midas32.dll
MOD - [2010/11/20 13:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
MOD - [2009/12/08 19:03:44 | 000,116,224 | ---- | M] (BitDefender SRL) -- C:\Program Files\BitDefender\BitDefender 2011\Active Virus Control\Midas_00077_002\leaktests.m32


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/06/02 21:32:21 | 000,053,224 | ---- | M] (BitDefender S.R.L.) [Auto | Running] -- C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe -- (Updatesrv)
SRV:64bit: - [2011/06/02 21:21:46 | 002,660,624 | ---- | M] (BitDefender S.R.L.) [Auto | Running] -- C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe -- (VSSERV)
SRV:64bit: - [2010/11/30 06:18:06 | 000,467,248 | ---- | M] (BitDefender) [On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe -- (Update Server)
SRV:64bit: - [2010/11/11 14:36:38 | 000,282,616 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010/11/11 14:36:38 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/03/23 07:05:08 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/12/14 16:17:12 | 000,128,928 | ---- | M] (Futuremark Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe -- (Futuremark SystemInfo Service)
SRV - [2010/11/09 10:12:30 | 000,369,256 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/10/13 08:39:04 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/03/13 19:08:58 | 000,024,576 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/05/29 09:11:20 | 000,025,912 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011/05/09 22:32:55 | 000,431,176 | ---- | M] (BitDefender) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\bdfsfltr.sys -- (bdfsfltr)
DRV:64bit: - [2010/11/29 13:14:36 | 001,186,272 | ---- | M] (BitDefender) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\avckf.sys -- (avckf)
DRV:64bit: - [2010/11/29 13:14:30 | 000,591,968 | ---- | M] (BitDefender) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\avc3.sys -- (avc3)
DRV:64bit: - [2010/11/20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/10/24 21:25:38 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/09/07 22:08:55 | 000,155,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2010/08/20 17:42:04 | 000,099,408 | ---- | M] (BitDefender) [Kernel | System | Running] -- C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys -- (bdfwfpf)
DRV:64bit: - [2010/05/13 15:52:08 | 000,162,896 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\bdfm.sys -- (BDFM)
DRV:64bit: - [2010/04/07 10:04:00 | 000,290,008 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1y62x64.sys -- (e1yexpress) Intel®
DRV:64bit: - [2010/01/22 12:22:22 | 000,180,224 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2010/01/22 12:22:18 | 000,077,824 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2009/12/25 09:05:40 | 000,297,512 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91xx.sys -- (mv91xx)
DRV:64bit: - [2009/10/29 10:14:38 | 000,115,824 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2009/07/16 05:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/19 07:56:08 | 000,712,704 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/06/10 22:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/03/07 13:46:30 | 000,112,512 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ewusbmdm.sys -- (hwdatacard)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 15 D7 4C 65 3B BB CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\BitDefender\BitDefender 2011\bdaphffext\ [2011/05/09 23:57:29 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O3:64bit: - HKLM\..\Toolbar: (BitDefender Toolbar) - {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2011\ietoolbar.dll (BitDefender S.R.L.)
O3 - HKLM\..\Toolbar: (BitDefender Toolbar) - {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2011\Antispam32\ietoolbar.dll (BitDefender S.R.L.)
O4:64bit: - HKLM..\Run: [BDAgent] C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe (BitDefender S.R.L.)
O4:64bit: - HKLM..\Run: [BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2011\ieshow.exe (BitDefender S.R.L.)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2011\Antispam32\ieshow.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [PlayNC Launcher] File not found
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/13 23:39:50 | 000,000,070 | R--- | M] () - G:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{52b545e4-7a87-11e0-81f9-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{52b545e4-7a87-11e0-81f9-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{5c463be0-258a-11e0-8619-001e101f8aaa}\Shell - "" = AutoRun
O33 - MountPoints2\{5c463be0-258a-11e0-8619-001e101f8aaa}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{643c5f95-7a74-11e0-8297-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{643c5f95-7a74-11e0-8297-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\Shell\AutoRun\command - "" = G:\setup.exe -- [2008/03/13 21:33:06 | 000,323,584 | R--- | M] (Vodafone)
O33 - MountPoints2\{be8374a9-8006-11e0-8939-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{be8374a9-8006-11e0-8939-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{be8374ab-8006-11e0-8939-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{be8374ab-8006-11e0-8939-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{c5387aa1-8231-11e0-9426-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{c5387aa1-8231-11e0-9426-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe
O34 - HKLM BootExecute: (bddel.exe) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/13 20:16:02 | 000,000,000 | ---D | C] -- C:\Tools
[2011/06/07 21:51:51 | 000,000,000 | ---D | C] -- C:\Users\Rennie\Documents\LucasArts
[2011/06/07 21:51:51 | 000,000,000 | ---D | C] -- C:\Users\Rennie\AppData\Local\LucasArts
[2011/05/17 18:28:18 | 000,000,000 | ---D | C] -- C:\Users\Rennie\Documents\Witcher 2
[2011/05/17 18:28:18 | 000,000,000 | ---D | C] -- C:\Users\Rennie\AppData\Local\The Witcher 2
[2011/05/17 18:23:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Witcher 2
[2011/05/15 17:03:06 | 000,112,512 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\SysNative\drivers\ewusbmdm.sys
[2011/05/15 17:02:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vodafone
[2011/05/15 17:02:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Vodafone
[2011/05/15 17:02:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Vodafone

========== Files - Modified Within 30 Days ==========

[2011/06/13 21:40:49 | 000,066,150 | ---- | M] () -- C:\Windows\SysNative\bddel.dat
[2011/06/13 21:40:49 | 000,027,136 | ---- | M] () -- C:\Windows\SysNative\bddel.exe
[2011/06/13 21:06:31 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/13 21:06:31 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/13 21:04:03 | 000,729,688 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/06/13 21:04:03 | 000,626,040 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/06/13 21:04:03 | 000,107,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/06/13 20:59:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/13 20:59:08 | 529,879,039 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/13 07:33:31 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/12 09:55:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\imwords.dat
[2011/06/12 09:55:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\im_markovian.dat
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,025,912 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/05/17 18:23:17 | 000,000,559 | ---- | M] () -- C:\Users\Public\Desktop\Start The Witcher 2.lnk
[2011/05/15 17:02:55 | 000,002,767 | ---- | M] () -- C:\Users\Public\Desktop\Vodafone SMS.lnk
[2011/05/15 17:02:55 | 000,002,767 | ---- | M] () -- C:\Users\Public\Desktop\Vodafone Mobile Connect.lnk
[2011/05/14 21:49:18 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\imblacklist.dat

========== Files Created - No Company Name ==========

[2011/06/13 21:08:17 | 000,064,062 | ---- | C] () -- C:\Windows\SysNative\bddel.dat
[2011/06/13 21:08:17 | 000,027,136 | ---- | C] () -- C:\Windows\SysNative\bddel.exe
[2011/06/12 09:55:57 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\imwords.dat
[2011/06/12 09:55:57 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\im_markovian.dat
[2011/05/17 18:23:17 | 000,000,559 | ---- | C] () -- C:\Users\Public\Desktop\Start The Witcher 2.lnk
[2011/05/15 17:02:55 | 000,002,767 | ---- | C] () -- C:\Users\Public\Desktop\Vodafone SMS.lnk
[2011/05/15 17:02:55 | 000,002,767 | ---- | C] () -- C:\Users\Public\Desktop\Vodafone Mobile Connect.lnk
[2011/05/14 21:49:18 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\imblacklist.dat
[2011/05/09 21:46:35 | 000,069,307 | ---- | C] () -- C:\ProgramData\bdinstall.bin
[2011/01/28 17:28:41 | 000,730,638 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/01/08 11:38:06 | 000,000,000 | ---- | C] () -- C:\Users\Rennie\AppData\Roaming\downloads.m3u
[2010/12/26 21:49:49 | 000,000,029 | ---- | C] () -- C:\Users\Rennie\AppData\Roaming\default.rss
[2010/12/14 12:55:47 | 000,790,528 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2010/12/14 12:55:47 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2010/12/14 12:55:47 | 000,134,144 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2010/12/14 12:55:47 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010/12/14 12:55:47 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2010/12/13 21:44:09 | 000,036,422 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2010/12/13 21:43:28 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010/12/13 21:43:25 | 000,026,791 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/07/08 09:37:14 | 000,101,544 | ---- | C] () -- C:\Program Files\Common Files\LinkInstaller.exe
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009/07/14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 04:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2009/04/02 14:30:14 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2008/03/07 16:43:56 | 000,084,734 | R--- | C] () -- C:\ProgramData\DeviceManager.xml.rc4
[2008/03/07 13:47:30 | 000,020,270 | ---- | C] () -- C:\ProgramData\DeviceInstaller.xml

========== LOP Check ==========

[2010/12/26 18:23:19 | 000,000,000 | -HSD | M] -- C:\Users\Rennie\AppData\Roaming\.#
[2010/12/18 21:28:16 | 000,000,000 | ---D | M] -- C:\Users\Rennie\AppData\Roaming\BitDefender
[2011/01/22 15:05:28 | 000,000,000 | ---D | M] -- C:\Users\Rennie\AppData\Roaming\GameSave Manager 2
[2011/01/02 19:40:00 | 000,000,000 | ---D | M] -- C:\Users\Rennie\AppData\Roaming\HDRsoft
[2011/05/09 21:47:03 | 000,000,000 | ---D | M] -- C:\Users\Rennie\AppData\Roaming\QuickScan
[2011/05/09 21:44:59 | 000,000,000 | ---D | M] -- C:\Users\Rennie\AppData\Roaming\Vodafone
[2011/03/17 17:25:25 | 000,032,542 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#2
Roboren
    Member
  • Topic Starter
  • 38 posts
Anybody got some ideas what I can do? :)

Many thanks

#3
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hello Roboren and welcome to G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

You have more than one antivirus program on your PC.

Microsoft Security Essentials and BitDefender

Please leave only one antivirus protection on your system and remove all others.

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slowly, become unstable and even, in rare cases, crash.

Step 2

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O32 - AutoRun File - [2008/03/13 23:39:50 | 000,000,070 | R--- | M] () - G:\Autorun.inf -- [ CDFS ]
    O33 - MountPoints2\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{52b545e4-7a87-11e0-81f9-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{52b545e4-7a87-11e0-81f9-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{5c463be0-258a-11e0-8619-001e101f8aaa}\Shell - "" = AutoRun
    O33 - MountPoints2\{5c463be0-258a-11e0-8619-001e101f8aaa}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O33 - MountPoints2\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{643c5f95-7a74-11e0-8297-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{643c5f95-7a74-11e0-8297-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\Shell\AutoRun\command - "" = G:\setup.exe -- [2008/03/13 21:33:06 | 000,323,584 | R--- | M] (Vodafone)
    O33 - MountPoints2\{be8374a9-8006-11e0-8939-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{be8374a9-8006-11e0-8939-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{be8374ab-8006-11e0-8939-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{be8374ab-8006-11e0-8939-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\{c5387aa1-8231-11e0-9426-20cf304ff262}\Shell - "" = AutoRun
    O33 - MountPoints2\{c5387aa1-8231-11e0-9426-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe
    O34 - HKLM BootExecute: (bddel.exe) - File not found
    [2011/06/13 21:40:49 | 000,066,150 | ---- | M] () -- C:\Windows\SysNative\bddel.dat
    [2011/06/13 21:40:49 | 000,027,136 | ---- | M] () -- C:\Windows\SysNative\bddel.exe
    [2011/06/12 09:55:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\imwords.dat
    [2011/06/12 09:55:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\im_markovian.dat
    [2010/12/26 18:23:19 | 000,000,000 | -HSD | M] -- C:\Users\Rennie\AppData\Roaming\.#

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles
Step 3

Download AVPTool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
On the first tab, select all elements down to Computer and then select Start scan.
Confirm deletion of all infections AVPTool finds.
Once it has finished, select Report and post that.

Do not close AVPTool or it will uninstall itself; if it does uninstall, just rerun the setup file on your desktop.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • AVPTool log
It would be helpful if you could post each log in separate post
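The fix above targets two persistence points: a dozen MountPoints2 keys whose Shell\AutoRun\command values launch a setup.exe from a removable drive (the O33 lines), and a BootExecute entry for a binary OTL could not find (the O34 line). The following Python script is an added triage example, not OTL's code and not part of the post above: it parses those line formats, groups the AutoRun commands by the file they launch, records whether OTL could read the target (OTL appends a [date | size | attributes | M] (publisher) block only when it could), and flags a BootExecute entry whose binary is missing. The sample lines are copied from the OTL log in this thread; the field names are my own.

```python
"""Triage the O33 (MountPoints2 AutoRun) and O34 (BootExecute) lines of an
OTL log.  Added example, not OTL's own code."""
import re
from collections import defaultdict

# Constructed sample: a handful of O33/O34 lines copied from the OTL log
# in this thread.  Volume GUIDs and paths are exactly as the log shows them.
SAMPLE_LOG = r'''
O33 - MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\Shell - "" = AutoRun
O33 - MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\Shell\AutoRun\command - "" = G:\setup.exe -- [2008/03/13 21:33:06 | 000,323,584 | R--- | M] (Vodafone)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe
O34 - HKLM BootExecute: (bddel.exe) - File not found
'''

# OTL names the volume either by its device GUID or by a bare drive letter.
O33_COMMAND = re.compile(
    r'^O33 - MountPoints2\\(?P<vol>\{[0-9a-fA-F-]+\}|[A-Za-z])'
    r'\\Shell\\AutoRun\\command - "" = (?P<rest>.+)$')
O34_BOOTEXEC = re.compile(
    r'^O34 - HKLM BootExecute: \((?P<exe>[^)]+)\) - (?P<status>.+)$')


def parse_autorun_commands(log_text):
    """Return one dict per MountPoints2 AutoRun command.

    OTL appends ' -- [date | size | attributes | M] (publisher)' only when it
    could open the target file; when the volume is not mounted the command is
    printed bare, and the fix log later reports 'File ... not found'."""
    entries = []
    for line in log_text.splitlines():
        m = O33_COMMAND.match(line.strip())
        if not m:
            continue
        command, meta, publisher = m.group('rest'), None, None
        if ' -- [' in command:
            command, tail = command.split(' -- [', 1)
            meta, _, pub = tail.partition(']')
            publisher = pub.strip().strip('()') or None
        entries.append({
            'volume': m.group('vol'),
            'command': command.strip(),
            'file_seen': meta is not None,
            'attributes': meta.split('|')[2].strip() if meta else None,
            'publisher': publisher,
        })
    return entries


def group_by_target(entries):
    """Map each launched file (lower-cased) to the volumes wired to run it,
    so repeated hijacks of the same setup.exe stand out."""
    targets = defaultdict(list)
    for e in entries:
        targets[e['command'].lower()].append(e['volume'])
    return dict(targets)


def parse_bootexecute(log_text):
    """Return BootExecute entries; 'missing' means OTL could not find the binary."""
    found = []
    for line in log_text.splitlines():
        m = O34_BOOTEXEC.match(line.strip())
        if m:
            found.append({'exe': m.group('exe'),
                          'missing': 'not found' in m.group('status').lower()})
    return found


if __name__ == '__main__':
    entries = parse_autorun_commands(SAMPLE_LOG)
    for target, volumes in group_by_target(entries).items():
        print(f'{target}: launched from {len(volumes)} MountPoints2 key(s)')
    for e in entries:
        if e['file_seen']:
            print(f"  {e['volume']} -> {e['command']} [{e['attributes']}] {e['publisher']}")
    for b in parse_bootexecute(SAMPLE_LOG):
        print(f"BootExecute {b['exe']}: {'binary missing' if b['missing'] else 'present'}")
```

Each MountPoints2 key is Explorer's per-volume record and outlives the device that created it, which is why OTL deletes the keys even when the fix log then reports the F:\setup.exe target as not found. The one target OTL could read, G:\setup.exe, carries the R attribute and a Vodafone publisher string, so it is worth checking whether G: is the modem's own read-only virtual drive before treating the "move failed" on it as a live infection.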

#4 Roboren (Member, Topic Starter, 38 posts)

Hi,

Thank you so much for helping :)

Just a quick question before I get started. Can I uninstall 'Microsoft Security Essentials' totally from the Control Panel, or should I just disable it? If I just need to disable it, how do I do this? (probably a stupid question)

I also suppose these Bitdefender pop ups must be ignored for the time being while I go through the steps?

#5 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

If you decide to keep BitDefender, then uninstall Microsoft Security Essentials.

You can ignore BitDefender for now. To speed things up you can disable it while running AVPTool. Enable it again after the scan.

#6 Roboren (Member, Topic Starter, 38 posts)

OTL log so long while I go to step 3

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
File move failed. G:\Autorun.inf scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42f687e2-7df3-11e0-8e1b-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52b545e4-7a87-11e0-81f9-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52b545e4-7a87-11e0-81f9-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52b545e4-7a87-11e0-81f9-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52b545e4-7a87-11e0-81f9-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c463be0-258a-11e0-8619-001e101f8aaa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c463be0-258a-11e0-8619-001e101f8aaa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c463be0-258a-11e0-8619-001e101f8aaa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c463be0-258a-11e0-8619-001e101f8aaa}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f8d5a0d-2585-11e0-940b-20cf304ff262}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f8d5a1d-2585-11e0-940b-20cf304ff262}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643c5f8c-7a74-11e0-8297-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643c5f8c-7a74-11e0-8297-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{643c5f95-7a74-11e0-8297-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643c5f95-7a74-11e0-8297-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{643c5f95-7a74-11e0-8297-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643c5f95-7a74-11e0-8297-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6c4ae2e8-7f02-11e0-b35f-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd8a75a7-7ebf-11e0-8353-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bd8a75ab-7ebf-11e0-8353-20cf304ff262}\ not found.
File move failed. G:\setup.exe scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be8374a9-8006-11e0-8939-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be8374a9-8006-11e0-8939-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be8374a9-8006-11e0-8939-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be8374a9-8006-11e0-8939-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be8374ab-8006-11e0-8939-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be8374ab-8006-11e0-8939-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be8374ab-8006-11e0-8939-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be8374ab-8006-11e0-8939-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5387aa1-8231-11e0-9426-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5387aa1-8231-11e0-9426-20cf304ff262}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5387aa1-8231-11e0-9426-20cf304ff262}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5387aa1-8231-11e0-9426-20cf304ff262}\ not found.
File F:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
File F:\setup.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:bddel.exe deleted successfully.
C:\Windows\SysNative\bddel.dat moved successfully.
C:\Windows\SysNative\bddel.exe moved successfully.
C:\Windows\SysNative\imwords.dat moved successfully.
C:\Windows\SysNative\im_markovian.dat moved successfully.
C:\Users\Rennie\AppData\Roaming\.# folder moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Tools\cmd.bat deleted successfully.
C:\Tools\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.24.0 log created on 06152011_215136

Files\Folders moved on Reboot...
File move failed. G:\Autorun.inf scheduled to be moved on reboot.
File move failed. G:\setup.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...
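When reading a fix log like the one above, the useful split is between what OTL removed, what was already gone, and what is still pending because the file could not be moved (OTL repeats the pending items in its closing "moved on Reboot" recap, so they must be de-duplicated). The following Python script is an added example, not OTL's code and not part of the post above; it matches only the line formats visible in this thread's fix log, and the sample lines are copied from it.

```python
"""Summarise an OTL fix log: what it removed, what was already gone and
what is still pending a reboot.  Added example, not OTL's code."""
import re

# Constructed sample: lines copied from the OTL fix log in this thread.
SAMPLE_FIXLOG = r'''
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{643c5f8c-7a74-11e0-8297-20cf304ff262}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643c5f8c-7a74-11e0-8297-20cf304ff262}\ not found.
File F:\setup.exe not found.
File move failed. G:\Autorun.inf scheduled to be moved on reboot.
File move failed. G:\setup.exe scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:bddel.exe deleted successfully.
C:\Windows\SysNative\bddel.exe moved successfully.
C:\Users\Rennie\AppData\Roaming\.# folder moved successfully.
HOSTS file reset successfully
Files\Folders moved on Reboot...
File move failed. G:\Autorun.inf scheduled to be moved on reboot.
File move failed. G:\setup.exe scheduled to be moved on reboot.
'''

# Order matters: the 'File move failed' form is tested before the generic
# 'moved successfully' form so a pending item is never counted as removed.
PATTERNS = [
    ('pending', re.compile(r'^File move failed\. (?P<item>.+?) scheduled to be moved on reboot\.$')),
    ('absent',  re.compile(r'^(?:Registry (?:key|value)|File) (?P<item>.+?) not found\.$')),
    ('removed', re.compile(r'^Registry (?:key|value) (?P<item>.+?) deleted successfully\.$')),
    ('removed', re.compile(r'^(?P<item>.+?)(?: folder)? (?:moved|deleted) successfully\.$')),
    ('removed', re.compile(r'^(?P<item>HOSTS file) reset successfully$')),
]


def summarize_otl_fixlog(text):
    """Return {'removed': [...], 'absent': [...], 'pending': [...]} with
    duplicates (OTL repeats pending moves in its closing recap) collapsed."""
    summary = {'removed': [], 'absent': [], 'pending': []}
    for raw in text.splitlines():
        line = raw.strip()
        for bucket, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                item = m.group('item')
                if item not in summary[bucket]:
                    summary[bucket].append(item)
                break
    return summary


def drives_with_pending_moves(summary):
    """Drive letters (e.g. 'G:') whose files OTL could not move.  On a
    read-only or removable volume these will still be there after the reboot,
    so they need to be re-checked rather than assumed gone."""
    return {item[:2].upper() for item in summary['pending']
            if re.match(r'^[A-Za-z]:', item)}


if __name__ == '__main__':
    s = summarize_otl_fixlog(SAMPLE_FIXLOG)
    for bucket in ('removed', 'absent', 'pending'):
        print(f'{bucket} ({len(s[bucket])}):')
        for item in s[bucket]:
            print(f'  {item}')
    print('drives with pending moves:', sorted(drives_with_pending_moves(s)))
```

On this log the only pending items are both on G:, the same drive whose setup.exe the earlier OTL scan listed with the R attribute and a Vodafone publisher, so the next step is to confirm what G: actually is before chasing it further.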

#7 Roboren (Member, Topic Starter, 38 posts)

I think I buggered it up! As I did not know how to disable Bitdefender, I just left it. So a list of the following came up:

Bitdefender has blocked multiple viruses!

Virus name: Gen:Trojan.Heur.LP.Gy7@a0q2.....
Accessed by: Kaspersky setup_9.0.0.722......
Location: C:\widows\Temp\tmp000021c......
File access was blocked


This is all I can see on the report?
Autoscan: completed 1 minute ago (events: 2, objects: 408073, time: 01:13:18)
6/15/2011 10:04:15 PM Task started
6/15/2011 11:17:33 PM Task completed

Edited by Roboren, 15 June 2011 - 03:42 PM.


#8 Roboren (Member, Topic Starter, 38 posts)

Ok, I see if I click on all events it shows me a list of things scanned with: result, object, reason.
Should I post that? It is a 64000kb .txt file :)

#9 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi Roboren,

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Let's use BitDefender. Please do one scan with it and post the results here.

Step 3

Please don't forget to include these items in your reply:

  • OTL fixlog
  • BitDefender log
It would be helpful if you could post each log in separate post

#10 Roboren (Member, Topic Starter, 38 posts)

Hi Maliprog,

Here is the OTL Log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Public

User: Rennie
->Temp folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 19829 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 718366478 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50414 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 685.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Rennie
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.24.0 log created on 06162011_152847

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



#11 Roboren (Member, Topic Starter, 38 posts)

BitDefender Log File


Product: BitDefender Antivirus Pro 2011
Scanning task: Deep System Scan
Log date: Thursday, June 16, 2011 4:11:56 PM
Log path: C:\ProgramData\BitDefender\Desktop\Profiles\Logs\dcf483c4-26d0-4e6f-ba28-6a53a00adae1\1308231257_1_01.xml

Scan paths:
Path : C:\
Path : D:\

[-]Scan Results Summary
[-]Not scanned objects:Object Path Reason: Final Status
File: C:\Program Files (x86)\GameSave Manager 2\gs_mngr.cdd=>_proj.dat Password-protected Not scanned (file was password-protected)
File: C:\Users\Rennie\Documents\F1 test.gsba=>$$_archive_info_$$.db Password-protected Not scanned (file was password-protected)
File: C:\Users\Rennie\Documents\F1 test.gsba=>F1 2010.1 Password-protected Not scanned (file was password-protected)
File: C:\Program Files (x86)\GameSave Manager 2\gs_mngr.cdd=>_detect.dat Password-protected Not scanned (file was password-protected)
File: C:\Program Files (x86)\GameSave Manager 2\gs_mngr.cdd=>_fonts.dat Password-protected Not scanned (file was password-protected)

[-]Detailed Scan Summary
[-]Basic
Scanned items: 293146
Infected items: 0 (no infected items have been detected)
Suspect items: 0 (no suspected items have been detected)
Resolved items: 0 (no threats have been detected during this scan)
Unresolved items: 0 (no issues remained unresolved)

[+]Advanced
Scan time: 00: 37: 22
Files per second: 130
Skipped items: 69502
Password-protected items: 5
Over-compressed items: 0
Scanned archives: 74
Input-output errors: 45
Scanned boot sectors: 6
Scanned processes: 2439
Infected processes: 0
Scanned registry keys: 1715
Infected registry keys: 0
Scanned cookies: 0
Infected cookies: 0

[+]Scan Options
[-]Target Threat Types:
Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Yes

[-]Virus Scanning Options:
Scan registry keys: Yes
Scan cookies: Yes
Scan boot sectors: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan runtime packers: Yes
Scan e-mails: Yes
Scan all files: Yes
Heuristic Scan: Yes
Scanned extensions: not configured
Excluded extensions: not configured

[-]Target Processing:
Default first action for infected objects: Disinfect
Default second action for infected objects: Move files to quarantine
Default first action for suspect objects : Move files to quarantine
Default second action for suspicious objects: None
Default action for hidden objects: None
Default action for password-protected objects: Log only

[-]Scan Engines Summary
Virus signatures: 7561215

#12 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Before we continue, tell me what problems you have now.

#13 Roboren (Member, Topic Starter, 38 posts)

I thought everything was gone now, but this Bitdefender window just popped up.

Bitdefender has blocked a virus!

Virus name: Gen.Trojan.Heur.LP.Gy7@a0q2yrb
Accessed by: svchost.exe
Location: C:\windows\SoftwareDistribution\DataStore\Logs\tmp.edb

:)

#14 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi Roboren,

OK. Let's try some other scans.

Step 1

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Step 2

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 3

Download aswMBR.exe (511KB) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Step 4

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
  • Combofix log
It would be helpful if you could post each log in separate post

#15 Roboren (Member, Topic Starter, 38 posts)

Thanks Maliprog, ok here we go :)

Combofix Log

ComboFix 11-06-17.02 - Rennie 06/17/2011 20:23:32.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.4489 [GMT 2:00]
Running from: c:\users\Rennie\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Updated* {50909708-FF80-02AF-F814-B28405891E92}
FW: BitDefender Firewall *Disabled* {68AB162D-B5EF-03F7-D34B-1BB1FB5A59E9}
SP: BitDefender AntiSpyware *Disabled/Updated* {EBF176EC-D9BA-0D21-C2A4-89F67E0E542F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
/wow section - STAGE 31
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The system cannot find the file LockedB.
The system cannot find the file lockedB.
'.d.a.1.a.3.f.f.' is not recognized as an internal or external command
'.0.\\.' is not recognized as an internal or external command
The system cannot find the file LockedB.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
.
.
2011-06-17 18:31 . 2011-06-17 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-17 18:26 . 2011-06-17 18:26 0 ----a-w- c:\windows\system32\wnlogon.sys
2011-06-17 18:18 . 2011-06-17 18:20 -------- d-----w- C:\32788R22FWJFW
2011-06-17 18:11 . 2011-05-24 17:12 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B24800E5-3772-4327-9F71-F478E1EEAC71}\mpengine.dll
2011-06-17 01:20 . 2011-06-17 01:20 -------- d-----w- c:\programdata\bdch
2011-06-15 20:03 . 2011-06-15 20:03 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-15 19:51 . 2011-06-15 19:51 -------- d-----w- C:\_OTL
2011-06-13 18:16 . 2011-06-15 19:51 -------- d-----w- C:\Tools
2011-05-24 19:39 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-05-24 19:39 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 07:11 . 2011-01-08 21:24 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 07:11 . 2011-01-08 21:24 25912 ------w- c:\windows\system32\drivers\mbam.sys
2011-05-24 17:14 . 2010-12-14 11:07 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-09 20:32 . 2011-05-09 20:32 431176 ------w- c:\windows\system32\drivers\bdfsfltr.sys
2011-05-09 20:30 . 2011-05-09 20:30 101968 ----a-w- c:\windows\system32\drivers\bdhv.sys
2011-05-09 20:04 . 2011-05-09 19:46 69307 ----a-w- c:\programdata\bdinstall.bin
2011-04-09 07:02 . 2011-05-11 03:56 5562240 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:02 . 2011-05-11 03:56 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:02 . 2011-05-11 03:56 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2010-07-08 07:37 . 2010-07-08 07:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2010-12-18 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2011\Antispam32\ieshow.exe" [2011-06-02 92352]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [x]
R3 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [x]
R3 cpuz133;cpuz133;c:\users\Rennie\AppData\Local\Temp\cpuz133\cpuz133_x64.sys [x]
R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x64.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2010-12-14 128928]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2010-11-30 467248]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\users\Rennie\Desktop\RealTemp_2.70\WinRing0x64.sys [x]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [x]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys [2010-08-20 99408]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-11-09 369256]
S2 Updatesrv;BitDefender Desktop Update Service;c:\program files\BitDefender\BitDefender 2011\updatesrv.exe [2011-06-02 53224]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-03-13 24576]
S3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-22 11048040]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2011\ieshow.exe" [2011-06-02 109344]
"BDAgent"="c:\program files\BitDefender\BitDefender 2011\bdagent.exe" [2011-06-02 2026680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{529989F1-AF68-4B6E-8FAD-BD8B795B4FB5}: NameServer = 196.207.32.83 196.207.32.69
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-PlayNC Launcher - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
.
**************************************************************************
.
Completion time: 2011-06-17 20:40:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-17 18:40
.
Pre-Run: 51,958,448,128 bytes free
Post-Run: 51,727,441,920 bytes free
.
- - End Of File - - 562F5027D87ACBA0ED0ED7A4D7F8FC19