
Autorun.inf, Usb_run.exe, Desktop.ini - These files are causing havoc.



#1
Sribashyam


    New Member

  • Member
  • 4 posts
Hello,

I am using a Windows XP SP3 PC with the Bitdefender Internet Security 2010 anti-virus application. I also have an external HDD, a Seagate FreeAgent 1 TB loaded with all my important data, connected to the same PC. This is an office computer connected to a LAN.

For a few months I have been having issues with files called "Autorun.inf, Usb_run.exe & Desktop.ini"; every time BitDefender clears them, they come back, I don't know how??? Suddenly my external HDD starts crashing while accessing image files for my office purposes; kindly help me. After having a deep scan run by the anti-virus package, it found some viruses and cleaned most of them, but some 20 to 30 items were not cleaned; the anti-virus said it was not able to disinfect, delete or quarantine them.

I hope you will be able to help me with cleaning my PC. Await your help and thanks very much in advance.

FYI - I am not able to go into Safe Mode while booting, hence cannot scan in Safe Mode.

Thanks again. Appreciate your work at this forum, Hats Off!!!
Sribashyam.
  • 0



#2
RKinner


    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

**********************************************************************

Start, Run, cmd, OK to bring up a new Command Prompt window. Right-click and select Paste and the above text should appear. Make sure you got it all and then hit Enter.

Close the Command Prompt window.

Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
You also want to install AutoRun Eater v2.5
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC.

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.

Run OTL (Vista or Win 7 => right-click and Run As Administrator).

Select the All option in the Extra Registry group, then Run Scan.

You should get two logs. Please copy and paste both of them.

Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan.


On completion of the scan (note whether the Fix button is enabled and tell me), click Save log, save it to your desktop and post it in your next reply.



Ron
  • 0
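Ron asks for the OTL logs so he can read them by hand. As an added example (not part of this thread, of OTL, or of any tool Ron names), the Python script below does a first-pass triage of an OTL log for the three entry types that decide an autorun-worm case: O27 IFEO Debugger redirections, O20 Winlogon values pointing into RECYCLER or at missing files, and autorun.inf entries at drive roots, where it distinguishes a worm's autorun.inf file from the protective autorun.inf folder that Flash_Disinfector leaves behind. The sample log lines, the SID and the file names in it are constructed in OTL's report format.

```python
"""First-pass triage of an OTL (OldTimer) log for autorun-worm / AV-killer traces.
Added example for this thread; it is not part of OTL or of the helper's tooling.
SAMPLE_LOG is constructed in OTL's format with a made-up SID and file names."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
========== Standard Registry (SafeList) ==========

O4 - HKLM..\Run: [BDAgent] C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe (BitDefender S.R.L.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1001\sample.exe) - File not found
O27 - HKLM IFEO\avp.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\egui.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\notepad.exe: Debugger - C:\Tools\windbg.exe ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/07/27 11:17:04 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/07/20 09:00:00 | 000,000,150 | RHS- | M] () - G:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2006/10/05 02:32:54 | 000,000,279 | R--- | M] () - H:\autorun.inf -- [ CDFS ]
"""

# O27: Image File Execution Options "Debugger" value for a target executable.
IFEO_RE = re.compile(r"^O27 - HKLM IFEO\\(?P<target>.+?): Debugger - (?P<debugger>.+)$")
# O20: Winlogon values (Shell, Userinit, TaskMan) -> (path) - resolved file / status.
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<value>\w+) - \((?P<path>.*?)\) - (?P<status>.*)$")
# O32: files at drive roots; the third bracket field holds the attributes (R,H,S,D).
AUTORUN_RE = re.compile(
    r"^O32 - AutoRun File - \[(?P<ts>[^|]+) \| (?P<size>[^|]+) \| (?P<attrs>[^|]+) \| [^\]]+\] "
    r"(?:\([^)]*\) )?- (?P<path>.+?) -- \[ (?P<fs>\w+) \]$")


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO
    line_no: int    # 1-based line in the log text
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries an analyst should look at first."""
    findings: list[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            # Drop OTL's trailing "(Company)" annotation to get the bare debugger command.
            debugger = m["debugger"].split(" (")[0].strip()
            if debugger.lower().startswith("ntsd -d"):
                # Windows starts the "debugger" instead of the target; ntsd -d just exits,
                # so the named program (typically a security tool) never runs.
                findings.append(Finding("HIGH", no,
                    f"IFEO hijack: {m['target']} is redirected to 'ntsd -d' and never starts "
                    "(AV-killer pattern)", line))
            else:
                findings.append(Finding("MEDIUM", no,
                    f"IFEO Debugger set for {m['target']} ({debugger}); confirm it is an "
                    "intentional debugging setup", line))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            path = m["path"].lower()
            missing = m["status"].startswith("File not found")
            if "\\recycler\\" in path or "\\temp\\" in path or missing:
                findings.append(Finding("HIGH", no,
                    f"Winlogon {m['value']} points at {m['path']} ({m['status']})", line))
            continue
        m = AUTORUN_RE.match(line)
        if m and m["path"].lower().endswith("\\autorun.inf"):
            attrs, vol = m["attrs"].upper(), m["path"][:2]
            if m["fs"] == "CDFS":
                findings.append(Finding("INFO", no,
                    f"autorun.inf on read-only CDFS volume {vol} (typical of a flash "
                    "drive's virtual CD partition)", line))
            elif "D" in attrs:
                # A *directory* named autorun.inf is the placeholder Flash_Disinfector
                # creates so a worm cannot drop its own autorun.inf at that root.
                findings.append(Finding("INFO", no,
                    f"{m['path']} is a directory, not a file: a protective placeholder of "
                    "the kind Flash_Disinfector creates", line))
            else:
                findings.append(Finding("HIGH", no,
                    f"autorun.inf file at the root of writable volume {vol} (attributes "
                    f"{m['attrs']}); its open=/shellexecute= lines name the dropper", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 1, 'INFO': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] line {f.line_no}: {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```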

#3
Sribashyam


    New Member

  • Topic Starter
  • Member
  • 4 posts
Hello RKinner,

Thank you for your prompt help; sorry, I was a bit busy to post my reply. All the logs are posted below for your reference; I await your advice. Please note I have an external HDD also connected to this PC; I hope that HDD will also be cleaned in our process.

BitDefender is starting to sense something called the Win32.Viking.AU virus affecting some .exe files. I thought it would be useful for you to advise accordingly.

OTL Log 1:
OTL logfile created on: 7/27/2011 11:21:31 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\WORKS01\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.23 Mb Total Physical Memory | 604.35 Mb Available Physical Memory | 59.53% Memory free
2.39 Gb Paging File | 1.98 Gb Available in Paging File | 82.98% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78.13 Gb Total Space | 66.27 Gb Free Space | 84.82% Space Free | Partition Type: NTFS
Drive D: | 70.92 Gb Total Space | 50.56 Gb Free Space | 71.29% Space Free | Partition Type: NTFS
Drive G: | 931.28 Gb Total Space | 901.35 Gb Free Space | 96.79% Space Free | Partition Type: FAT32
Drive H: | 5.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 971.91 Mb Total Space | 388.74 Mb Free Space | 40.00% Space Free | Partition Type: FAT32

Computer Name: WORKS | User Name: WORKS01 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/27 11:10:39 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS01\Desktop\OTL.exe
PRC - [2010/05/06 19:09:06 | 000,415,638 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\billy.exe
PRC - [2010/05/06 18:59:36 | 000,516,216 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\oldmcdonald.exe
PRC - [2009/11/20 11:12:22 | 000,335,344 | ---- | M] (BitDefender S.R.L.) -- C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
PRC - [2009/11/11 17:08:14 | 001,622,320 | ---- | M] (BitDefender S.R.L.) -- C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
PRC - [2009/10/22 21:24:28 | 001,085,720 | ---- | M] (BitDefender S.R.L.) -- C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
PRC - [2009/10/22 21:24:16 | 001,118,144 | ---- | M] (BitDefender S.R.L.) -- C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
PRC - [2008/11/10 02:18:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 17:30:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/04 14:20:22 | 004,595,712 | ---- | M] () -- C:\Documents and Settings\WORKS01\Application Data\U3\000015D1A9628AFF\LaunchPad.exe
PRC - [1998/02/06 00:46:18 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\NILaunch.exe


========== Modules (SafeList) ==========

MOD - [2011/07/27 11:10:39 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS01\Desktop\OTL.exe
MOD - [2011/07/15 13:09:05 | 000,232,968 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\Program Files\BitDefender\BitDefender 2010\Active Virus Control\midas32-v2_93\midas32.dll
MOD - [2008/04/14 17:30:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/22 12:52:59 | 000,274,432 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)
SRV - [2009/11/20 11:12:22 | 000,335,344 | ---- | M] (BitDefender S.R.L.) [Auto | Running] -- C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe -- (LIVESRV)
SRV - [2009/11/11 17:08:14 | 001,622,320 | ---- | M] (BitDefender S.R.L.) [Auto | Running] -- C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe -- (VSSERV)
SRV - [2009/10/23 14:45:26 | 000,311,296 | ---- | M] (S.C. BitDefender S.R.L) [On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll -- (scan)
SRV - [2009/10/19 16:06:10 | 000,183,880 | ---- | M] (BitDefender S.R.L. http://www.bitdefender.com) [On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe -- (Arrakis3)
SRV - [2008/11/10 02:18:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/14 17:30:00 | 000,248,832 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2008/04/14 17:30:00 | 000,248,832 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\appmgmts.dll -- (AppMgmt)


========== Driver Services (SafeList) ==========

DRV - [2009/11/10 17:04:14 | 000,152,456 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bdfm.sys -- (bdfm)
DRV - [2009/10/28 18:02:34 | 000,054,656 | ---- | M] (BitDefender) [Kernel | System | Running] -- C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys -- (BDSelfPr)
DRV - [2009/10/19 16:04:00 | 000,119,048 | ---- | M] (BitDefender LLC) [Kernel | System | Running] -- C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys -- (bdftdif)
DRV - [2009/10/19 16:04:00 | 000,110,984 | ---- | M] (BitDefender LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bdfndisf.sys -- (Bdfndisf)
DRV - [2009/09/22 08:22:06 | 000,083,208 | ---- | M] (BitDefender) [Kernel | Auto | Running] -- C:\Program Files\BitDefender\BitDefender 2010\bdvedisk.sys -- (BDVEDISK)
DRV - [2009/08/27 16:28:44 | 000,014,720 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys -- (Profos)
DRV - [2009/07/23 15:41:20 | 000,282,768 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bdfsfltr.sys -- (bdfsfltr)
DRV - [2009/05/07 03:22:06 | 000,039,808 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys -- (Trufos)
DRV - [2009/03/24 14:24:24 | 000,006,144 | ---- | M] (BITDEFENDER LLC) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bdrawpr.sys -- (BdRawPr)
DRV - [2006/02/27 04:46:20 | 000,081,408 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/07/27 10:12:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (BitDefender Toolbar) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\ietoolbar.dll (BitDefender S.R.L.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [BDAgent] C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe ()
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.100 192.168.1.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-2820402105-6805472487-401406774-5631\mwau.exe) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\WORKS01\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WORKS01\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\360hotfix.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360rp.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360rpt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360safe.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360safebox.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360sd.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360se.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360SoftMgrSvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360speedld.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360tray.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ast.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avcenter.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avgnt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avguard.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avmailc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avp.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avwebgrd.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\CCenter.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ccSvcHst.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ÐÞ¸´¹¤¾ß.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\egui.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ekrn.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kavstart.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kissvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kmailmon.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kpfw32.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kpfwsvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\krnl360svc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kswebshield.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\KVMonXP.kxp: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\KVSrvXP.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kwatch.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\Mcagent.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mcmscsvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\McNASvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\Mcods.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\McProxy.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\McSACore.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\Mcshield.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mcsysmon.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mcvsshld.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MpfSrv.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPMon.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPSVC.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPSVC1.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPSVC2.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\msksrver.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\qutmserv.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RavMonD.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RavTask.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RsAgent.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\rsnetsvr.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RsTray.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\safeboxTray.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ScanFrm.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\sched.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\SfCtlCom.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\TMBMSRV.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\TmProxy.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\UfSeAgnt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\zhudongfangyu.exe: Debugger - ntsd -d (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/17 10:42:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/07/27 11:17:04 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/07/27 11:17:04 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/07/27 11:17:06 | 000,000,000 | RHSD | M] - G:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2006/10/05 02:32:54 | 000,000,279 | R--- | M] () - H:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/27 11:20:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Autorun Eater
[2011/07/27 11:20:06 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2011/07/27 11:17:04 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/07/27 11:15:14 | 009,466,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\WORKS01\Desktop\mbam-setup-1.51.1.1800.exe
[2011/07/27 11:13:48 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\WORKS01\Desktop\aswMBR.exe
[2011/07/27 11:10:39 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WORKS01\Desktop\OTL.exe
[2011/07/25 10:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
[2011/07/24 17:42:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS01\Application Data\Macromedia
[2011/07/24 17:15:14 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\WORKS01\PrivacIE
[2011/07/24 17:15:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS01\Local Settings\Application Data\Yahoo
[2011/07/24 17:14:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2011/07/24 17:14:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\WORKS01\IETldCache
[2011/07/24 17:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2011/07/24 17:11:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2011/07/24 17:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS01\Application Data\Yahoo!
[2011/07/24 17:11:31 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2011/07/24 17:11:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2011/07/24 17:09:34 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/07/24 17:09:29 | 000,026,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe
[2011/07/24 17:08:35 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/07/22 12:54:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS01\Local Settings\Application Data\Adobe
[2011/07/22 12:53:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2011/07/11 11:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\BitDefender 2010
[2011/07/11 11:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2011/07/11 11:39:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS01\Application Data\BitDefender
[2011/07/11 11:39:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2011/07/11 11:29:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/27 11:19:42 | 001,364,101 | ---- | M] () -- C:\Documents and Settings\WORKS01\Desktop\aesetup2.5.zip
[2011/07/27 11:15:14 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\WORKS01\Desktop\mbam-setup-1.51.1.1800.exe
[2011/07/27 11:13:48 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\WORKS01\Desktop\aswMBR.exe
[2011/07/27 11:10:39 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS01\Desktop\OTL.exe
[2011/07/27 11:09:24 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\WORKS01\Desktop\Flash_Disinfector.exe
[2011/07/27 10:13:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\WindowsUpdata7.jpg
[2011/07/27 10:12:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/07/27 10:09:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/27 10:08:12 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/25 23:20:13 | 000,000,223 | ---- | M] () -- C:\WINDOWS\HP PrecisionScan Pro.INI
[2011/07/25 19:09:32 | 000,083,018 | ---- | M] () -- C:\Documents and Settings\WORKS01\Desktop\JET USA.jpg
[2011/07/24 17:14:13 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\WORKS01\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/16 21:07:03 | 000,000,132 | ---- | M] () -- C:\WINDOWS\System32\rezumatenoi.dat
[2011/07/15 13:10:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ab_bl.sig
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\wsbl.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ph_white.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ph_summ.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ph_spoof.sig
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ph_sign.slf
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ph_fuzzy.sig
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ph_black.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\pcwords2.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\pcwords.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\pc_sign.slf
[2011/07/15 13:10:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ab_sbl.sig
[2011/07/14 11:13:20 | 000,000,564 | ---- | M] () -- C:\Documents and Settings\WORKS01\Desktop\Free Commander.lnk
[2011/07/13 10:15:31 | 000,000,385 | ---- | M] () -- C:\WINDOWS\System32\user_gensett.xml
[2011/07/11 11:40:08 | 000,001,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BitDefender Internet Security 2010.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/27 11:19:34 | 001,364,101 | ---- | C] () -- C:\Documents and Settings\WORKS01\Desktop\aesetup2.5.zip
[2011/07/27 11:09:24 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\WORKS01\Desktop\Flash_Disinfector.exe
[2011/07/27 10:13:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WindowsUpdata7.jpg
[2011/07/25 19:09:28 | 000,083,018 | ---- | C] () -- C:\Documents and Settings\WORKS01\Desktop\JET USA.jpg
[2011/07/22 12:53:56 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/07/15 13:10:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ab_bl.sig
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\wsbl.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_white.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_summ.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_spoof.sig
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_sign.slf
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_fuzzy.sig
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_black.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pcwords2.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pcwords.dat
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_sign.slf
[2011/07/15 13:10:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ab_sbl.sig
[2011/07/14 11:13:20 | 000,000,564 | ---- | C] () -- C:\Documents and Settings\WORKS01\Desktop\Free Commander.lnk
[2011/07/13 10:15:31 | 000,000,385 | ---- | C] () -- C:\WINDOWS\System32\user_gensett.xml
[2011/07/11 17:50:04 | 000,000,132 | ---- | C] () -- C:\WINDOWS\System32\rezumatenoi.dat
[2011/07/11 11:40:08 | 000,001,869 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BitDefender Internet Security 2010.lnk
[2011/03/21 13:04:07 | 000,000,223 | ---- | C] () -- C:\WINDOWS\HP PrecisionScan Pro.INI
[2011/03/17 16:46:21 | 000,008,867 | ---- | C] () -- C:\WINDOWS\hpdj3500.ini
[2011/03/17 16:03:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/03/17 16:01:50 | 000,146,808 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/17 12:19:08 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\WORKS01\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/17 11:59:16 | 000,000,126 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2011/03/17 11:53:12 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2011/03/17 11:39:03 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4885.dll
[2011/03/17 11:31:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Net-It Now! SE.INI
[2011/03/17 11:31:37 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\NIUninstall.exe
[2011/03/17 11:31:37 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\NILaunch.exe
[2011/03/17 11:31:31 | 000,000,038 | ---- | C] () -- C:\WINDOWS\Approach.ini
[2011/03/17 11:30:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\winhelp.ini
[2011/03/17 10:56:37 | 000,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/03/17 10:45:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/03/17 10:39:06 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/15 12:45:34 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008/04/14 17:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 17:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 17:30:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 17:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 17:30:00 | 000,248,832 | ---- | C] () -- C:\WINDOWS\System32\appmgmts.dll
[2008/04/14 17:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 17:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 17:30:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 17:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 17:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 17:30:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 17:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 17:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/01/31 13:50:32 | 000,913,408 | ---- | C] () -- C:\WINDOWS\System32\xreglib.dll
[2001/08/07 18:59:54 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HPNVRRes.dll
[2001/01/24 13:01:18 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\prntfix.exe
[2000/04/14 16:50:02 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[1998/06/11 14:08:06 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[1998/06/10 00:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL
[1998/05/18 00:00:00 | 000,014,017 | ---- | C] () -- C:\WINDOWS\JAUTOEXP.INI
[1997/11/14 14:37:54 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
[1996/02/22 14:37:54 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1996/01/15 14:37:54 | 000,334,016 | ---- | C] () -- C:\WINDOWS\System32\loflt09.dll
[1995/09/25 14:38:00 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/07 14:37:52 | 000,000,462 | ---- | C] () -- C:\WINDOWS\lodbf09.ini

< End of report >

OTL Log 2: Extras.txt
OTL Extras logfile created on: 7/27/2011 11:21:31 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\WORKS01\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.23 Mb Total Physical Memory | 604.35 Mb Available Physical Memory | 59.53% Memory free
2.39 Gb Paging File | 1.98 Gb Available in Paging File | 82.98% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78.13 Gb Total Space | 66.27 Gb Free Space | 84.82% Space Free | Partition Type: NTFS
Drive D: | 70.92 Gb Total Space | 50.56 Gb Free Space | 71.29% Space Free | Partition Type: NTFS
Drive G: | 931.28 Gb Total Space | 901.35 Gb Free Space | 96.79% Space Free | Partition Type: FAT32
Drive H: | 5.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 971.91 Mb Total Space | 388.74 Mb Free Space | 40.00% Space Free | Partition Type: FAT32

Computer Name: WORKS | User Name: WORKS01 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE" = C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE:*:Enabled:Microsoft ® Visual Studio VSA RPC Event Creator -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4664D722-33D1-4B4A-A317-1E64178B7A97}" = BitDefender Internet Security 2010
"{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}" = HP Precisionscan Pro 3.1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{748F4870-8350-11D3-B0BF-080009FB4A19}" = HP Share-to-Web
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Autorun Eater_is1" = Autorun Eater v2.5
"FreeCommander_is1" = FreeCommander 2009.02b
"HDMI" = Intel® Graphics Media Accelerator Driver
"hp deskjet 3500 series_Driver" = hp deskjet 3500 series
"ie8" = Windows Internet Explorer 8
"MsJavaVM" = Microsoft VM for Java
"SmartSuite V98.0" = Lotus SmartSuite Release 9
"Visual Studio 6.0 Enterprise Edition" = Microsoft Visual Studio 6.0 Enterprise Edition
"WebPost" = Microsoft Web Publishing Wizard 1.53
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/20/2011 8:16:55 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 7/21/2011 2:33:08 AM | Computer Name = WORKS | Source = Application Hang | ID = 1002
Description = Hanging application Photoshop.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/21/2011 2:34:41 AM | Computer Name = WORKS | Source = Application Hang | ID = 1002
Description = Hanging application Photoshop.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/21/2011 2:34:41 AM | Computer Name = WORKS | Source = Application Hang | ID = 1002
Description = Hanging application Photoshop.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/21/2011 4:22:33 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module gdiplus.dll, version 5.1.3102.5512, fault address 0x001576a4.

Error - 7/21/2011 4:24:00 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module gdiplus.dll, version 5.1.3102.5512, fault address 0x001575e5.

Error - 7/22/2011 4:31:13 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module gdiplus.dll, version 5.1.3102.5512, fault address 0x001576a4.

Error - 7/24/2011 12:35:22 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 7/24/2011 4:07:56 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module gdiplus.dll, version 5.1.3102.5512, fault address 0x001575e5.

Error - 7/24/2011 5:29:52 AM | Computer Name = WORKS | Source = Application Error | ID = 1000
Description = Faulting application freecommander.exe, version 2009.2.0.417, faulting
module , version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 7/27/2011 12:40:08 AM | Computer Name = WORKS | Source = System Error | ID = 1003
Description = Error code 1000007f, parameter1 00000008, parameter2 f7818d70, parameter3
00000000, parameter4 00000000.

Error - 7/27/2011 12:40:13 AM | Computer Name = WORKS | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/27/2011 12:40:13 AM | Computer Name = WORKS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/27/2011 12:40:14 AM | Computer Name = WORKS | Source = Service Control Manager | ID = 7023
Description = The Background Intelligent Transfer Service service terminated with
the following error: %%127

Error - 7/27/2011 12:40:29 AM | Computer Name = WORKS | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/27/2011 12:40:29 AM | Computer Name = WORKS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/27/2011 12:40:44 AM | Computer Name = WORKS | Source = DCOM | ID = 10010
Description = The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register
with DCOM within the required timeout.

Error - 7/27/2011 1:17:07 AM | Computer Name = WORKS | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
AJ-IMAC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{25B4F68D-82CE-4C57-9. The master browser is stopping or an election
is being forced.

Error - 7/27/2011 1:20:21 AM | Computer Name = WORKS | Source = Service Control Manager | ID = 7034
Description = The BitDefender Virus Shield service terminated unexpectedly. It
has done this 1 time(s).

Error - 7/27/2011 1:35:31 AM | Computer Name = WORKS | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4CD40054-9865-47B2-A16C-1BD17DA4AAD9}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
-Embedding


< End of report >


MBAM Log:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7294

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/27/2011 11:48:52 AM
mbam-log-2011-07-27 (11-48-52).txt

Scan type: Quick scan
Objects scanned: 142567
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 59
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ÐÞ¸´¹¤¾ß.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Value: Taskman -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\appmgmts.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\windowsupdata7.jpg (Trojan.Traces) -> Quarantined and deleted successfully.


aswMBR Log:
aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-27 11:51:50
-----------------------------
11:51:50.359 OS Version: Windows 5.1.2600 Service Pack 3
11:51:50.359 Number of processors: 2 586 0x1C02
11:51:50.359 ComputerName: WORKS UserName:
11:52:06.171 Initialize success
11:52:39.984 AVAST engine download error: 0
11:52:54.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
11:52:54.843 Disk 0 Vendor: ST3160815AS 3.CHJ Size: 152627MB BusType: 3
11:52:54.859 Disk 0 MBR read successfully
11:52:54.859 Disk 0 MBR scan
11:52:54.859 Disk 0 Windows XP default MBR code
11:52:54.875 Disk 0 scanning sectors +312576705
11:52:54.937 Disk 0 scanning C:\WINDOWS\system32\drivers
11:52:57.671 Service scanning
11:52:57.953 Service Bdfndisf C:\WINDOWS\system32\DRIVERS\bdfndisf.sys **LOCKED** 32
11:52:58.859 Modules scanning
11:53:18.734 Disk 0 trace - called modules:
11:53:18.750 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:53:18.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86588ab8]
11:53:18.765 3 CLASSPNP.SYS[f75d8fd7] -> nt!IofCallDriver -> \Device\0000005f[0x865caf18]
11:53:18.765 5 ACPI.sys[f745f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86572d98]
11:53:18.765 Scan finished successfully
11:53:43.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\WORKS01\Desktop\MBR.dat"
11:53:43.000 The log file has been saved successfully to "C:\Documents and Settings\WORKS01\Desktop\aswMBR.txt"


aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-27 11:54:14
-----------------------------
11:54:14.515 OS Version: Windows 5.1.2600 Service Pack 3
11:54:14.515 Number of processors: 2 586 0x1C02
11:54:14.515 ComputerName: WORKS UserName:
11:54:14.765 Initialize success
12:06:59.613 AVAST engine defs: 11072601
12:09:37.753 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
12:09:37.753 Disk 0 Vendor: ST3160815AS 3.CHJ Size: 152627MB BusType: 3
12:09:37.785 Disk 0 MBR read successfully
12:09:37.785 Disk 0 MBR scan
12:09:37.800 Disk 0 Windows XP default MBR code
12:09:37.816 Disk 0 scanning sectors +312576705
12:09:37.878 Disk 0 scanning C:\WINDOWS\system32\drivers
12:09:44.738 Service scanning
12:09:44.972 Service Bdfndisf C:\WINDOWS\system32\DRIVERS\bdfndisf.sys **LOCKED** 32
12:09:45.800 Modules scanning
12:09:49.285 Disk 0 trace - called modules:
12:09:49.300 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:09:49.316 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86588ab8]
12:09:49.316 3 CLASSPNP.SYS[f75d8fd7] -> nt!IofCallDriver -> \Device\0000005f[0x865caf18]
12:09:49.316 5 ACPI.sys[f745f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86572d98]
12:09:49.597 AVAST engine scan C:\WINDOWS
12:09:53.378 AVAST engine scan C:\WINDOWS\system32
12:11:50.628 AVAST engine scan C:\WINDOWS\system32\drivers
12:12:09.831 AVAST engine scan C:\Documents and Settings\WORKS01
12:13:23.191 AVAST engine scan C:\Documents and Settings\All Users
12:13:57.566 Scan finished successfully
12:14:15.128 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\WORKS01\Desktop\MBR.dat"
12:14:15.144 The log file has been saved successfully to "C:\Documents and Settings\WORKS01\Desktop\aswMBR.txt"

Await your reply.

#4
RKinner
Uninstall:
Yahoo! Toolbar
Yahoo! Software Update


Copy the text in the code box by highlighting and Ctrl + c


:processes
killallprocesses

:OTL
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] File not found
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-2820402105-6805472487-401406774-5631\mwau.exe) - File not found
O27 - HKLM IFEO\360hotfix.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360rp.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360rpt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360safe.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360safebox.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360sd.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360se.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360SoftMgrSvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360speedld.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\360tray.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ast.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avcenter.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avgnt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avguard.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avmailc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avp.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\avwebgrd.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\CCenter.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ccSvcHst.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ÐÞ¸´¹¤¾ß.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\egui.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ekrn.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kavstart.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kissvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kmailmon.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kpfw32.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kpfwsvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\krnl360svc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kswebshield.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\KVMonXP.kxp: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\KVSrvXP.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\kwatch.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\Mcagent.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mcmscsvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\McNASvc.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\Mcods.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\McProxy.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\McSACore.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\Mcshield.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mcsysmon.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\mcvsshld.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MpfSrv.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPMon.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPSVC.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPSVC1.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\MPSVC2.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\msksrver.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\qutmserv.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RavMonD.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RavTask.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RsAgent.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\rsnetsvr.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\RsTray.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\safeboxTray.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\ScanFrm.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\sched.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\SfCtlCom.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\TMBMSRV.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\TmProxy.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\UfSeAgnt.exe: Debugger - ntsd -d (Microsoft Corporation)
O27 - HKLM IFEO\zhudongfangyu.exe: Debugger - ntsd -d (Microsoft Corporation)


:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"
     
:Commands
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Ron
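As an added example, not part of Ron's instructions or of OTL itself: a read-only PowerShell audit of the three persistence points the fix above targets, the IFEO Debugger values (which made Windows launch "ntsd -d" instead of each listed security product), the exefile open command, and the Winlogon TaskMan value. It only reports; the registry paths are the ones in the fix script, and it avoids PowerShell 3+ syntax so it also runs on the 2.0 release available for XP.

```powershell
# Added example: read-only audit of IFEO Debugger hijacks, the .exe file
# association and the Winlogon TaskMan override. Run in an elevated PowerShell.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$exeOpen  = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$findings = @()

# 1. Any "Debugger" value under IFEO\<name> makes Windows start that debugger
#    with <name> as its argument instead of <name> itself. Dozens of entries
#    pointing at "ntsd -d", as in the log above, silently kill AV processes.
foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += New-Object PSObject -Property @{
            Check  = 'IFEO Debugger'
            Target = $key.PSChildName
            Value  = $dbg
        }
    }
}

# 2. The default exefile open command must be exactly "%1" %*; anything else
#    means every program launch is routed through another binary first.
$cmd = (Get-ItemProperty -Path $exeOpen -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne '"%1" %*') {
    $findings += New-Object PSObject -Property @{
        Check  = 'exefile open command'
        Target = 'HKLM\SOFTWARE\Classes\exefile\shell\open\command'
        Value  = $cmd
    }
}

# 3. Winlogon\TaskMan replaces Task Manager with the named file. The value is
#    normally absent; the log above had it pointing into C:\RECYCLER.
$tm = (Get-ItemProperty -Path $winlogon -Name TaskMan -ErrorAction SilentlyContinue).TaskMan
if ($tm) {
    $findings += New-Object PSObject -Property @{
        Check  = 'Winlogon TaskMan'
        Target = 'HKLM\...\Winlogon\TaskMan'
        Value  = $tm
    }
}

if ($findings.Count -eq 0) {
    'No IFEO debuggers, exefile hijack or TaskMan override found.'
} else {
    $findings | Format-Table Check, Target, Value -AutoSize
}
```

Legitimate IFEO Debugger entries exist (developers attach a real debugger this way), so review the Value column rather than treating every hit as malware; a debugger set on an antivirus executable, or one that points at a scratch location such as %Temp% or RECYCLER, is what warrants the kind of fix shown above.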

#5
Sribashyam
Hello... Did both the Custom Scan in OTL and a ComboFix scan. Find below the log reports of both scan instances.

OTL Log Report:


#6
Sribashyam
Something happened in the previous reply... Please find below the log reports.

OTL Log Report:

========== PROCESSES ==========
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Share-to-Web Namespace Daemon not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:C:\RECYCLER\S-1-5-21-2820402105-6805472487-401406774-5631\mwau.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\ not found.
C:\WINDOWS\System32\ntsd.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ÐÞ¸´¹¤¾ß.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe\ not found.
File ntsd -d not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe\ not found.
File ntsd -d not found.
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.bat deleted successfully.
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.bat deleted successfully.
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.bat deleted successfully.
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.bat deleted successfully.
C:\Documents and Settings\WORKS01\Desktop\Geekstogo Files\cmd.txt deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.1 log created on 07282011_122827

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


COMBOFIX Log Report
ComboFix 11-07-28.01 - WORKS01 07/28/2011 12:36:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.505 [GMT 5.5:30]
Running from: c:\documents and settings\WORKS01\Desktop\Geekstogo Files\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\WORKS01\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\WORKS01\WINDOWS
c:\windows\system32\c_30218.nls
c:\windows\system32\Thumbs.db
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FORTER
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-28 06:24 . 2011-07-28 06:24 -------- d-----w- C:\_OTL
2011-07-27 06:04 . 2011-07-27 06:04 -------- d-----w- c:\documents and settings\WORKS01\Application Data\Malwarebytes
2011-07-27 06:03 . 2011-07-06 14:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-27 06:03 . 2011-07-27 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-27 06:03 . 2011-07-27 06:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-27 06:03 . 2011-07-06 14:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-27 05:50 . 2011-07-27 05:50 -------- d-----w- c:\program files\Autorun Eater
2011-07-25 04:33 . 2011-07-25 04:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2011-07-24 11:45 . 2011-07-24 11:45 -------- d-sh--w- c:\documents and settings\WORKS01\PrivacIE
2011-07-24 11:45 . 2011-07-24 11:45 -------- d-----w- c:\documents and settings\WORKS01\Local Settings\Application Data\Yahoo
2011-07-24 11:44 . 2011-07-24 11:44 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-07-24 11:44 . 2011-07-24 11:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-24 11:44 . 2011-07-24 11:44 -------- d-sh--w- c:\documents and settings\WORKS01\IETldCache
2011-07-24 11:41 . 2011-07-24 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2011-07-24 11:41 . 2011-07-24 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-07-24 11:41 . 2011-07-24 11:41 -------- d-----w- c:\documents and settings\WORKS01\Application Data\Yahoo!
2011-07-24 11:41 . 2011-07-24 11:41 -------- d-----w- c:\program files\Yahoo!
2011-07-24 11:39 . 2009-01-07 12:51 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-07-24 11:38 . 2011-07-24 11:41 -------- dc-h--w- c:\windows\ie8
2011-07-24 11:37 . 2011-07-24 11:41 -------- d--h--w- c:\windows\msdownld.tmp
2011-07-22 07:24 . 2011-07-22 07:27 -------- d-----w- c:\documents and settings\WORKS01\Local Settings\Application Data\Adobe
2011-07-11 06:09 . 2011-07-11 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2011-07-11 06:09 . 2011-07-11 06:10 -------- d-----w- c:\documents and settings\WORKS01\Application Data\BitDefender
2011-07-11 06:09 . 2011-07-11 06:09 -------- d-----w- c:\program files\BitDefender
2011-07-11 05:59 . 2011-07-11 06:09 -------- d-----w- c:\program files\Common Files\BitDefender
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-04-14 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\ksuser.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-16 137752]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2009-10-22 1118144]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2010-05-06 516216]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-17 113664]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
.
R0 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [3/24/2009 2:24 PM 6144]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/27/2011 11:33 AM 366640]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [11/10/2009 5:04 PM 152456]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/27/2011 11:33 AM 22712]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/27/2011 11:33 AM 41272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-07 23:02 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://in.yahoo.com/?fr=fp-yie8
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.100 192.168.1.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 12:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2884)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Autorun Eater\billy.exe
.
**************************************************************************
.
Completion time: 2011-07-28 12:50:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-28 07:20
.
Pre-Run: 70,888,534,016 bytes free
Post-Run: 71,001,907,200 bytes free
.
- - End Of File - - B75EF62E33A97BFBDAEDA8F38D00DA33

Await your further advice.

#7
RKinner
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

MIA::
c:\windows\System32\ksuser.dll

******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, Save As (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

Ron
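As an added example, not part of Ron's script or of ComboFix: the FCopy line above exists because ComboFix's Sigcheck section showed drivers\tcpip.sys with a different MD5 from the copy Windows File Protection keeps in system32\dllcache, and the MIA line because ksuser.dll was missing. This PowerShell snippet repeats that comparison read-only for a list of files (tcpip.sys and ksuser.dll from the log; atapi.sys and userinit.exe are assumed additions), reporting mismatches and missing files without copying anything. It assumes the XP layout where dllcache is a flat directory under system32.

```powershell
# Added example: compare live system files against their dllcache copies by MD5,
# the way ComboFix's Sigcheck report does. Reports only; never writes.
$sys32    = Join-Path $env:windir 'system32'
$dllcache = Join-Path $sys32 'dllcache'

function Get-Md5Hex([string]$path) {
    # .NET MD5 rather than Get-FileHash so this also runs on PowerShell 2.0
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try {
        ([System.BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

# Paths relative to system32. The first two come from the ComboFix log above;
# the others are assumed examples of files that are also kept in dllcache.
$targets = @(
    'drivers\tcpip.sys',
    'ksuser.dll',
    'drivers\atapi.sys',
    'userinit.exe'
)

function Compare-WithDllcache([string]$relativePath) {
    $live  = Join-Path $sys32 $relativePath
    $cache = Join-Path $dllcache (Split-Path $relativePath -Leaf)   # dllcache is flat
    if (-not (Test-Path $live))  { return "MISSING  $live" }          # e.g. ksuser.dll above
    if (-not (Test-Path $cache)) { return "NOCACHE  $live (no dllcache copy to compare)" }
    $liveHash  = Get-Md5Hex $live
    $cacheHash = Get-Md5Hex $cache
    if ($liveHash -eq $cacheHash) {
        return "OK       $relativePath $liveHash"
    }
    return "MISMATCH $relativePath live=$liveHash cache=$cacheHash"
}

foreach ($rel in $targets) { Compare-WithDllcache $rel }
```

A mismatch is a lead, not a verdict: a hotfix can leave the two copies at different versions, so check the file version of both copies before treating the live driver as patched, which is why the thread's fix restores from dllcache only after the log showed both files carrying the same version string.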