
Virus won’t allow me to run MBAM and get on internet, also shut down m


#1
happy01
Hello,

Thank you very much for this forum.

My computer will not run MBAM or get on the internet. My antivirus is also shut down and will not start. I noticed a rogue .exe file running in my processes called 297441164:1936213486.exe.

I just ran TFC and then OTL.

Below is my OTL log.

Thank you,

Happy

OTL logfile created on: 8/25/2011 10:32:09 AM - Run 2
OTL by OldTimer - Version 3.2.26.5 Folder = D:\Documents and Settings\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 626.15 Mb Available Physical Memory | 61.24% Memory free
2.40 Gb Paging File | 2.17 Gb Available in Paging File | 90.21% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.26 Gb Total Space | 11.07 Gb Free Space | 36.59% Space Free | Partition Type: NTFS
Drive D: | 39.11 Gb Total Space | 5.66 Gb Free Space | 14.48% Space Free | Partition Type: NTFS
Drive F: | 889.75 Mb Total Space | 36.81 Mb Free Space | 4.14% Space Free | Partition Type: FAT

Computer Name: IBM-T43V062 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\297441164:1936213486.exe
PRC - [2011/08/25 10:08:36 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
PRC - [2009/05/27 12:00:24 | 000,753,664 | ---- | M] (Apple Inc.) -- C:\Program Files\AirPort\APAgent.exe
PRC - [2009/05/13 16:48:22 | 000,109,568 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/14 14:17:28 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2005/08/08 14:01:40 | 000,086,016 | ---- | M] (IBM Corporation) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2005/08/02 19:12:44 | 000,081,920 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
PRC - [2005/08/02 19:06:54 | 000,032,768 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
PRC - [2005/08/02 19:02:20 | 001,372,160 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
PRC - [2005/08/02 18:17:30 | 000,722,480 | ---- | M] (IBM) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
PRC - [2005/07/05 15:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2005/06/06 21:26:22 | 000,040,960 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/11/03 16:51:26 | 000,039,712 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll
MOD - [2009/01/28 16:03:49 | 000,326,401 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/06/12 14:50:24 | 000,136,704 | ---- | M] () -- C:\Program Files\ThinkVantage\SMA\7z\7-zip.dll
MOD - [2006/04/14 12:04:58 | 000,876,544 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\Libeay32.dll
MOD - [2006/04/14 12:04:58 | 000,208,965 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2006/04/14 12:04:58 | 000,053,322 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
MOD - [2005/08/02 19:12:44 | 000,081,920 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
MOD - [2005/08/02 19:06:54 | 000,032,768 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
MOD - [2005/08/02 19:03:56 | 000,139,264 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\CDRecord.dll
MOD - [2005/08/02 19:02:20 | 001,372,160 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
MOD - [2005/08/02 19:01:04 | 000,155,648 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\ui.dll
MOD - [2005/08/02 19:00:58 | 000,069,632 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\zlib.dll
MOD - [2005/08/02 18:58:08 | 000,671,744 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rr_res.dll
MOD - [2005/07/12 11:53:38 | 000,208,896 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\tpfnf7.dll
MOD - [2005/07/05 15:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2005/06/16 23:23:08 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\tphklock.dll
MOD - [2005/06/06 21:26:22 | 000,040,960 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
MOD - [2005/04/14 01:01:00 | 000,073,728 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2005/04/14 01:01:00 | 000,032,768 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2003/07/03 23:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_2\tphk_2k.dll
MOD - [2001/10/28 17:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WMConnectCDS)
SRV - File not found [On_Demand | Stopped] -- -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,109,568 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2005/09/04 16:18:44 | 000,069,632 | ---- | M] (Macromedia) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2005/08/02 19:12:44 | 000,081,920 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/08/02 19:02:20 | 001,372,160 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/08/02 18:17:30 | 000,722,480 | ---- | M] (IBM) [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe -- (TSSCoreService)
SRV - [2005/06/06 21:26:22 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - [1998/06/06 00:00:00 | 000,034,036 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\COMMON\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)


========== Driver Services (SafeList) ==========

DRV - [2009/07/28 16:33:56 | 000,055,656 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2006/04/27 16:45:00 | 000,014,848 | ---- | M] (Lenovo, Ltd. and IBM Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPDiskPM.sys -- (TPDiskPM)
DRV - [2006/04/14 13:04:08 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/04/05 19:38:22 | 002,208,512 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2006/03/30 15:03:00 | 000,006,784 | ---- | M] (Lenovo, Ltd. and IBM Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
DRV - [2006/03/09 17:20:10 | 000,152,064 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/01/21 22:44:54 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/10/18 17:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/10/18 17:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/10/18 17:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/09/05 08:55:15 | 000,016,256 | ---- | M] (Lenovo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2005/08/31 03:40:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2005/08/31 02:50:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/08/31 02:50:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/08/02 18:15:38 | 000,013,184 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/08/02 18:00:22 | 000,014,336 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nsctpm11.sys -- (TPM11)
DRV - [2005/04/14 01:01:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2004/05/19 19:41:26 | 000,013,757 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NscTpmDD.sys -- (portio)
DRV - [2003/09/19 01:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/08/21 22:25:52 | 000,094,600 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2303: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2361: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1465: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/23 20:45:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/23 20:45:37 | 000,000,000 | ---D | M]

[2008/08/29 02:25:03 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/08/24 20:32:06 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions
[2009/08/22 02:04:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/24 20:32:06 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/07/25 22:21:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/26 22:02:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/08/23 20:45:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/08/23 20:45:28 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/06/08 19:19:25 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2010/02/06 22:20:59 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BootSkin Startup Jobs] C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe ()
O4 - HKLM..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe (Lenovo Group Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://fpdownload.ma...are/awswaxd.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=48835 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1125866187999 (MUWebControl Class)
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} https://www.ibm.com/...ntent/AcpIR.cab (IASRunner Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://webcsd.sacred...sCamControl.ocx (CamImage Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://webmail.factset.com/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O20 - AppInit_DLLs: (C:\WINDOWS\katrack.dll) - C:\WINDOWS\katrack.dll (Sassafras Software Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\DefaultBackground.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\DefaultBackground.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/27 18:28:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/25 10:20:35 | 000,446,464 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Desktop\TFC.exe
[2011/08/25 10:08:34 | 000,580,096 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
[2011/08/24 22:45:33 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/24 22:45:33 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/24 22:45:29 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/10 21:31:32 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack
[2011/08/10 21:31:27 | 000,237,568 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2011/08/10 21:31:27 | 000,151,552 | ---- | C] (fccHandler) -- C:\WINDOWS\System32\ac3acm.acm
[2011/08/10 20:54:25 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User\Application Data\Media Player Classic
[2011/08/10 20:48:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2011/08/10 20:47:27 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Media Player Classic - Home Cinema
[2011/08/10 20:47:25 | 000,000,000 | ---D | C] -- C:\Program Files\Media Player Classic - Home Cinema
[2011/08/08 23:02:16 | 000,000,000 | R--D | C] -- D:\Documents and Settings\All Users\Documents\My Music
[2011/07/28 13:33:44 | 000,000,000 | R--D | C] -- D:\Documents and Settings\User\Recent
[2011/07/26 22:07:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/07/26 22:07:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\PDFCreator
[2011/07/26 22:07:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Internet Tools
[2011/07/26 22:07:08 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Sony
[2011/07/26 22:07:08 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Sony
[2011/07/26 22:07:05 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User\Application Data\vlc
[2011/07/26 22:07:05 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2011/07/26 22:06:39 | 000,000,000 | ---D | C] -- C:\Program Files\MSDN
[2011/07/26 22:03:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio .NET 2003
[2011/07/26 22:02:13 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2011/07/26 22:02:12 | 000,000,000 | ---D | C] -- C:\Program Files\Software Metrics
[2011/07/26 22:02:10 | 000,000,000 | ---D | C] -- C:\Program Files\PuTTY
[2011/07/26 22:02:09 | 000,000,000 | ---D | C] -- C:\Program Files\Sassafras K2
[2011/07/26 22:02:07 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2011/07/26 22:02:04 | 000,000,000 | ---D | C] -- C:\Program Files\Smart NTFS Recovery
[2011/07/26 22:02:04 | 000,000,000 | ---D | C] -- C:\Program Files\Smart Flash Recovery
[2011/07/26 22:02:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic
[2011/07/26 22:01:02 | 000,000,000 | ---D | C] -- C:\Program Files\Analog Devices
[2011/07/26 21:59:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2011/07/26 21:57:41 | 000,000,000 | ---D | C] -- C:\Mikes Torrents
[2011/07/26 21:49:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\(null)
[2011/07/26 21:49:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Lenovo
[2011/07/26 21:48:30 | 000,000,000 | ---D | C] -- C:\DRIVERS
[2011/07/26 21:48:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\save$$updater
[2011/07/26 21:47:29 | 000,000,000 | ---D | C] -- D:\My Documents\Downloads
[1 D:\My Documents\*.tmp files -> D:\My Documents\*.tmp -> ]
[1 D:\Documents and Settings\Desktop\*.tmp files -> D:\Documents and Settings\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/25 10:31:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/25 10:31:27 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/25 10:31:27 | 000,000,000 | ---- | M] () -- C:\WINDOWS\297441164
[2011/08/25 10:31:24 | 1072,156,672 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/25 10:20:36 | 000,446,464 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\TFC.exe
[2011/08/25 10:08:36 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
[2011/08/24 23:14:16 | 000,043,408 | ---- | M] () -- C:\WINDOWS\System32\c_74222.nl_
[2011/08/24 22:45:33 | 000,000,672 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/24 22:29:06 | 000,036,864 | ---- | M] () -- D:\Documents and Settings\All Users\Application Data\KeyAccess Audit
[2011/08/24 22:28:58 | 002,469,040 | ---- | M] () -- D:\Documents and Settings\User\Local Settings\Application Data\KeyAccess Offline
[2011/08/24 22:19:04 | 000,087,040 | ---- | M] () -- D:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/22 20:42:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/10 21:18:30 | 000,469,086 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/10 21:18:30 | 000,076,726 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/10 21:15:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/10 20:47:27 | 000,001,728 | ---- | M] () -- D:\Documents and Settings\Desktop\Media Player Classic - Home Cinema.lnk
[2011/08/09 23:10:07 | 000,110,004 | ---- | M] () -- D:\My Documents\DSCN0173.JPG
[2011/08/09 23:09:01 | 000,047,741 | ---- | M] () -- D:\My Documents\DSCN0110.JPG
[2011/08/09 23:07:18 | 000,071,406 | ---- | M] () -- D:\My Documents\DSCN0196.JPG
[2011/08/09 23:06:24 | 000,127,371 | ---- | M] () -- D:\My Documents\Picture 901.jpg
[2011/08/09 23:05:51 | 000,087,708 | ---- | M] () -- D:\My Documents\DSCN0763.JPG
[2011/08/09 23:05:37 | 000,173,381 | ---- | M] () -- D:\My Documents\DSCN0758.JPG
[2011/08/09 23:04:14 | 000,078,112 | ---- | M] () -- D:\My Documents\101.JPG
[2011/08/09 23:03:18 | 000,097,475 | ---- | M] () -- D:\My Documents\085.JPG
[2011/08/09 23:01:22 | 000,099,055 | ---- | M] () -- D:\My Documents\DSC_0069.JPG
[2011/08/09 23:00:54 | 000,129,930 | ---- | M] () -- D:\My Documents\DSCN0133.JPG
[2011/08/09 23:00:18 | 000,075,617 | ---- | M] () -- D:\My Documents\DSCN0152.JPG
[2011/08/09 22:59:08 | 000,177,386 | ---- | M] () -- D:\My Documents\DSCN0142.JPG
[2011/08/09 22:58:49 | 000,151,382 | ---- | M] () -- D:\My Documents\DSCN0137.JPG
[2011/08/08 04:00:00 | 000,074,752 | ---- | M] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/08/08 04:00:00 | 000,000,038 | ---- | M] () -- C:\WINDOWS\avisplitter.ini
[2011/07/26 22:09:24 | 000,375,264 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[1 D:\My Documents\*.tmp files -> D:\My Documents\*.tmp -> ]
[1 D:\Documents and Settings\Desktop\*.tmp files -> D:\Documents and Settings\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/24 23:14:16 | 000,043,408 | ---- | C] () -- C:\WINDOWS\System32\c_74222.nl_
[2011/08/24 23:14:10 | 1072,156,672 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/24 22:45:33 | 000,000,672 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/24 22:29:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\297441164
[2011/08/23 20:45:39 | 000,000,628 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/08/10 21:31:29 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/08/10 21:31:27 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/08/10 21:31:27 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/08/10 21:31:26 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/08/10 20:47:27 | 000,001,728 | ---- | C] () -- D:\Documents and Settings\Desktop\Media Player Classic - Home Cinema.lnk
[2011/08/09 23:10:05 | 000,110,004 | ---- | C] () -- D:\My Documents\DSCN0173.JPG
[2011/08/09 23:09:01 | 000,047,741 | ---- | C] () -- D:\My Documents\DSCN0110.JPG
[2011/08/09 23:07:18 | 000,071,406 | ---- | C] () -- D:\My Documents\DSCN0196.JPG
[2011/08/09 23:06:23 | 000,127,371 | ---- | C] () -- D:\My Documents\Picture 901.jpg
[2011/08/09 23:05:51 | 000,087,708 | ---- | C] () -- D:\My Documents\DSCN0763.JPG
[2011/08/09 23:05:36 | 000,173,381 | ---- | C] () -- D:\My Documents\DSCN0758.JPG
[2011/08/09 23:04:14 | 000,078,112 | ---- | C] () -- D:\My Documents\101.JPG
[2011/08/09 23:03:17 | 000,097,475 | ---- | C] () -- D:\My Documents\085.JPG
[2011/08/09 23:01:21 | 000,099,055 | ---- | C] () -- D:\My Documents\DSC_0069.JPG
[2011/08/09 23:00:53 | 000,129,930 | ---- | C] () -- D:\My Documents\DSCN0133.JPG
[2011/08/09 23:00:17 | 000,075,617 | ---- | C] () -- D:\My Documents\DSCN0152.JPG
[2011/08/09 22:59:07 | 000,177,386 | ---- | C] () -- D:\My Documents\DSCN0142.JPG
[2011/08/09 22:58:48 | 000,151,382 | ---- | C] () -- D:\My Documents\DSCN0137.JPG
[2011/08/08 23:20:30 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/07/26 23:49:34 | 000,036,864 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\KeyAccess Audit
[2010/06/22 21:53:53 | 000,082,260 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/05/27 19:46:18 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/02/20 00:52:57 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/11/14 21:24:14 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\wceprv.dll
[2007/11/05 00:51:35 | 000,001,156 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/11/04 12:17:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/10/14 17:55:20 | 000,087,040 | ---- | C] () -- D:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/05 14:32:48 | 000,005,021 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/01 09:08:50 | 002,469,040 | ---- | C] () -- D:\Documents and Settings\User\Local Settings\Application Data\KeyAccess Offline
[2006/08/08 13:14:05 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2006/06/12 12:27:00 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2006/01/31 18:00:13 | 000,000,203 | ---- | C] () -- C:\WINDOWS\SpssLM.ini
[2006/01/31 14:55:32 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2005/09/05 08:56:52 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\psasrv.exe
[2005/09/04 16:57:51 | 000,036,939 | ---- | C] () -- C:\WINDOWS\System32\insrepim.exe
[2005/07/06 00:45:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2005/07/05 12:33:11 | 000,007,357 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2005/07/05 01:32:04 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SmaSeed.exe
[2005/07/05 00:46:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2005/07/05 00:46:12 | 000,009,340 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2005/07/05 00:15:14 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/07/05 00:15:14 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/07/05 00:15:14 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/07/05 00:15:14 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/07/05 00:15:14 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/07/05 00:15:14 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/07/05 00:12:38 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/04 23:15:58 | 000,001,313 | ---- | C] () -- D:\Documents and Settings\User\Application Data\vitalsource KEY Prefs
[2005/06/29 19:16:00 | 000,000,000 | ---- | C] () -- D:\Documents and Settings\User\Application Data\dm.ini
[2005/06/28 12:09:09 | 000,000,127 | ---- | C] () -- D:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
[2005/06/28 10:35:37 | 000,000,126 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/06/28 10:26:43 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/06/27 22:52:48 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/27 21:13:00 | 000,073,782 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[2005/06/27 21:12:17 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/06/27 21:12:13 | 000,469,086 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/06/27 21:12:13 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/06/27 21:12:13 | 000,076,726 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/06/27 21:12:13 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/06/27 21:12:12 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/06/27 21:12:10 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/06/27 21:12:09 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/06/27 21:12:01 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/06/27 21:12:01 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/06/27 21:11:52 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/06/27 21:11:42 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/06/27 20:17:19 | 000,000,351 | ---- | C] () -- C:\WINDOWS\TrayServerData.ini
[2005/06/27 20:16:35 | 000,007,840 | ---- | C] () -- C:\WINDOWS\System32\mcdmsg4.dll
[2005/06/27 18:53:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2005/06/27 18:52:28 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2005/06/27 18:52:28 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2005/06/27 18:52:28 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2005/06/27 18:52:27 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2005/06/27 18:52:27 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/06/27 18:49:59 | 000,016,384 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2005/06/27 18:49:59 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2005/06/27 18:49:05 | 000,002,086 | ---- | C] () -- C:\WINDOWS\System32\SMBIOS.bin
[2005/06/27 18:30:31 | 000,002,048 | ---- | C] () -- C:\WINDOWS\bootstat.dat
[2005/06/27 18:25:31 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/06/27 14:19:37 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/06/27 14:18:45 | 000,375,264 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/06/11 11:47:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2005/06/10 17:59:16 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/06/01 13:00:00 | 000,331,776 | ---- | C] () -- C:\WINDOWS\keyacc32.exe
[2005/04/27 09:53:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pwdmon.dll
[2004/11/08 20:12:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/12 20:11:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2004/01/09 09:10:32 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/06/24 14:43:48 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/08 23:28:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\TpScrLk.exe
[2002/03/19 18:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[2002/03/19 17:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2000/09/01 13:00:00 | 000,001,519 | ---- | C] () -- C:\WINDOWS\keyacc.ini
[2000/06/13 14:30:06 | 000,222,720 | ---- | C] () -- C:\WINDOWS\System32\spss_lmd.exe
[1998/12/06 16:56:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\verinst.exe
[1998/06/10 00:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL
[1998/05/18 00:00:00 | 000,014,017 | ---- | C] () -- C:\WINDOWS\JAUTOEXP.INI

========== LOP Check ==========

[2006/08/09 15:32:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\DyKnow
[2005/07/05 00:10:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ibm
[2011/07/26 22:07:08 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sony
[2006/08/09 14:48:23 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sophos
[2010/02/14 18:56:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2005/09/05 09:13:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ThinkVantage
[2010/01/04 21:52:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/07 16:12:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2006/01/31 11:30:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Desktop Sidebar
[2006/01/31 15:12:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Dev-Cpp
[2008/03/12 22:42:32 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Flickr
[2007/09/23 16:36:49 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\HorizonWimba
[2005/07/05 00:29:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\IBM
[2005/07/05 12:21:44 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\InterVideo
[2005/07/05 00:28:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Leadertech
[2010/09/25 14:00:52 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Publish Providers
[2010/09/25 14:00:59 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Sony
[2005/09/05 09:13:40 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\ThinkVantage
[2011/08/25 00:05:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\uTorrent
[2006/01/31 12:52:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Vital Source Technologies

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\297441164:1936213486.exe
@Alternate Data Stream - 125 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 110 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >
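
Three things in the log above belong together: a running process whose image is an NTFS alternate data stream (`C:\WINDOWS\297441164:1936213486.exe`) attached to a zero-byte host file created on 2011/08/24, two more streams on the All Users `TEMP` folder (a directory, per the LOP check), and a run of Winsock `Protocol_Catalog9` entries whose provider files are missing, which is a common reason a machine cannot get online. The Python script below is an added example, not OTL's code and not part of any post in this thread: it parses lines in OTL's own format and pulls those indicators out. The sample log it runs on is constructed from lines quoted above, and the regular expressions are an assumption about OTL 3.2.x line formats as shown here.

```python
"""Pull ADS, ADS-hosted process and orphaned-LSP indicators out of an OTL log.

Added example for this thread; it is not OTL's code or the forum poster's.
The regexes assume the OTL 3.2.x line formats quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines modelled on the OTL output quoted in this thread.
SAMPLE_LOG = r"""PRC - File not found -- C:\WINDOWS\297441164:1936213486.exe
PRC - [2011/08/25 10:08:36 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
[2011/08/24 22:29:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\297441164
[2011/08/10 21:31:27 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\297441164:1936213486.exe
@Alternate Data Stream - 125 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
"""

ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
PRC_RE = re.compile(r"^PRC - (?:File not found|\[[^\]]*\] \([^)]*\)) -- (.+)$")
O10_RE = re.compile(r"^O10 - Protocol_Catalog9\\Catalog_Entries\\(\d+) - File not found$")
FILE_RE = re.compile(r"^\[[^|\]]+ \| ([\d,]+) \| \S{4} \| [CM]\] \([^)]*\) -- (.+)$")


@dataclass
class Triage:
    ads: List[Tuple[int, str, str]] = field(default_factory=list)  # (size, host, stream)
    processes_from_ads: List[str] = field(default_factory=list)    # PRC lines whose image is a stream
    orphaned_lsp: List[str] = field(default_factory=list)          # Catalog_Entries ids with no provider file
    zero_byte_hosts: List[str] = field(default_factory=list)       # 0-byte files that carry a stream


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Split 'host:stream' at the stream colon.

    Only the last path component is examined, so the drive-letter colon in
    C:\\... is never mistaken for a stream separator, and streams on folders
    (such as ...\\TEMP:5C321E34) are handled the same as streams on files.
    """
    head, sep, tail = path.rpartition("\\")
    name, colon, stream = tail.partition(":")
    if not colon or not stream:
        return path, None
    return head + sep + name, stream


def triage(log_text: str) -> Triage:
    """Walk an OTL log and collect the indicators the thread is chasing."""
    result = Triage()
    zero_byte_files = set()
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := ADS_RE.match(line):
            host, stream = split_ads(m.group(2))
            result.ads.append((int(m.group(1)), host, stream or ""))
        elif m := PRC_RE.match(line):
            path = m.group(1)
            if split_ads(path)[1] is not None:  # process image lives inside a stream
                result.processes_from_ads.append(path)
        elif m := O10_RE.match(line):
            result.orphaned_lsp.append(m.group(1))
        elif m := FILE_RE.match(line):
            if int(m.group(1).replace(",", "")) == 0:
                zero_byte_files.add(m.group(2))
    # A zero-byte file that carries a stream is the tell: the visible file is
    # empty and the payload sits in the stream. Matching is on the exact path OTL printed.
    result.zero_byte_hosts = sorted({h for _, h, _ in result.ads if h in zero_byte_files})
    return result


def report(t: Triage) -> List[str]:
    """Human-readable summary lines for a reply or a ticket."""
    lines = [f"ADS: {size} bytes in {host}:{stream}" for size, host, stream in t.ads]
    lines += [f"process running from ADS: {p}" for p in t.processes_from_ads]
    lines += [f"zero-byte host carrying a stream: {h}" for h in t.zero_byte_hosts]
    if t.orphaned_lsp:
        lines.append("orphaned Winsock catalog entries: " + ", ".join(t.orphaned_lsp))
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a saved OTL.txt by passing the file contents to `triage()`; the `split_ads` helper is the part worth keeping, since a naive `path.split(":")` breaks on the drive letter and never sees a stream on a folder.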

#2 RKinner (Malware Expert, MVP, 19,776 posts)
Copy the text in the code box by highlighting it and pressing Ctrl+C.

:processes
killallprocesses

:OTL
[2011/08/24 20:32:06 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[2011/07/26 21:49:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\(null)
[2011/07/26 21:48:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\save$$updater
[2011/08/25 10:31:27 | 000,000,000 | ---- | M] () -- C:\WINDOWS\297441164
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\297441164:1936213486.exe
@Alternate Data Stream - 125 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 110 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2


:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
sc config HidServ start= disabled /c


:Commands
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl+V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop; do not run it from your browser. :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

You may not need to do this if Avira is still not running:
1. Open Avira AntiVir Personal. (There is likely an icon on your desktop, or in your system tray by the clock.)
2. Click the "Configuration" link on the main screen. This opens the configuration panel.
3. Check the "Expert mode" option.
4. Click on General > Security.
5. *Uncheck* the option titled "Protect files and registry entries from manipulation".
6. Click the "OK" button.
7. Reboot your computer.


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

OTL Log
MBAM log
Combofix log

Download aswMBR.exe (511 KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan (note whether the Fix button is enabled and tell me), click Save log, save it to your desktop and post it in your next reply.

Ron

#3 happy01 (Topic Starter, Member, 54 posts)
Thank you. Performing procedures now.

#4 happy01 (Topic Starter, Member, 54 posts)
The first time I ran OTL, my computer was scanning for 10 hours. I manually restarted the computer, and some of my .exe files will not execute, including my OTL file on the desktop. I was able to run the OTL programs, but now my mouse and keyboard will not work (I have an IBM ThinkPad laptop). I can use an external mouse, but no keyboard.

I did get OTL to run, and below is the log that was generated. I cannot run MBAM, and still cannot get on the net. I seem to be having even worse problems now that my keyboard does not work as well as my mouse.

Log #1
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

--------------------------------------------------------------------------------------------------------------------------------------------

Log #2

========== PROCESSES ==========
All processes killed
========== OTL ==========
Folder D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Folder C:\WINDOWS\System32\(null)\ not found.
Folder C:\WINDOWS\System32\save$$updater\ not found.
File C:\WINDOWS\297441164 not found.
Unable to delete ADS C:\WINDOWS\297441164:1936213486.exe .
Unable to delete ADS D:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
Unable to delete ADS D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
D:\Documents and Settings\Desktop\New Folder\cmd.bat deleted successfully.
D:\Documents and Settings\Desktop\New Folder\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
D:\Documents and Settings\Desktop\New Folder\cmd.bat deleted successfully.
D:\Documents and Settings\Desktop\New Folder\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
D:\Documents and Settings\Desktop\New Folder\cmd.bat deleted successfully.
D:\Documents and Settings\Desktop\New Folder\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
D:\Documents and Settings\Desktop\New Folder\cmd.bat deleted successfully.
D:\Documents and Settings\Desktop\New Folder\cmd.txt deleted successfully.
< sc config HidServ start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
D:\Documents and Settings\Desktop\New Folder\cmd.bat deleted successfully.
D:\Documents and Settings\Desktop\New Folder\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.5 log created on 08262011_000725

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#5 happy01 (Topic Starter, Member, 54 posts)
I did a system restore and got my mouse and keyboard working. I installed MBAM, but it will not update, can't get online. I am running a quickscan now.

#6 happy01 (Topic Starter, Member, 54 posts)
MBAM just quit in the middle of the scan. Tried reinstalling MBAM and it tries to run, but then quits.

#7 happy01 (Topic Starter, Member, 54 posts)
I just ran another OTL quick scan. Here is the log:

OTL logfile created on: 8/26/2011 11:01:11 AM - Run 3
OTL by OldTimer - Version 3.2.26.5 Folder = D:\Documents and Settings\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 645.88 Mb Available Physical Memory | 63.17% Memory free
2.40 Gb Paging File | 2.16 Gb Available in Paging File | 90.06% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.26 Gb Total Space | 16.73 Gb Free Space | 55.29% Space Free | Partition Type: NTFS
Drive D: | 39.11 Gb Total Space | 27.89 Gb Free Space | 71.32% Space Free | Partition Type: NTFS

Computer Name: IBM-T43V062 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\297441164:1936213486.exe
PRC - [2011/08/25 10:08:36 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
PRC - [2009/05/27 12:00:24 | 000,753,664 | ---- | M] (Apple Inc.) -- C:\Program Files\AirPort\APAgent.exe
PRC - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/14 14:17:28 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2005/08/08 14:01:40 | 000,086,016 | ---- | M] (IBM Corporation) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2005/08/02 19:12:44 | 000,081,920 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
PRC - [2005/08/02 19:06:54 | 000,032,768 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
PRC - [2005/08/02 19:02:20 | 001,372,160 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
PRC - [2005/08/02 18:17:30 | 000,722,480 | ---- | M] (IBM) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
PRC - [2005/07/05 15:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2005/06/06 21:26:22 | 000,040,960 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/11/03 16:51:26 | 000,039,712 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/06/12 14:50:24 | 000,136,704 | ---- | M] () -- C:\Program Files\ThinkVantage\SMA\7z\7-zip.dll
MOD - [2006/04/14 12:04:58 | 000,876,544 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\Libeay32.dll
MOD - [2006/04/14 12:04:58 | 000,208,965 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2006/04/14 12:04:58 | 000,053,322 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
MOD - [2005/08/02 19:12:44 | 000,081,920 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
MOD - [2005/08/02 19:06:54 | 000,032,768 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
MOD - [2005/08/02 19:03:56 | 000,139,264 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\CDRecord.dll
MOD - [2005/08/02 19:02:20 | 001,372,160 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
MOD - [2005/08/02 19:01:04 | 000,155,648 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\ui.dll
MOD - [2005/08/02 19:00:58 | 000,069,632 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\zlib.dll
MOD - [2005/08/02 18:58:08 | 000,671,744 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rr_res.dll
MOD - [2005/07/12 11:53:38 | 000,208,896 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\tpfnf7.dll
MOD - [2005/07/05 15:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2005/06/16 23:23:08 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\tphklock.dll
MOD - [2005/06/06 21:26:22 | 000,040,960 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
MOD - [2005/04/14 01:01:00 | 000,073,728 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2005/04/14 01:01:00 | 000,032,768 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2003/07/03 23:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_2\tphk_2k.dll
MOD - [2001/10/28 17:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WMConnectCDS)
SRV - File not found [On_Demand | Stopped] -- -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,109,568 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2005/09/04 16:18:44 | 000,069,632 | ---- | M] (Macromedia) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2005/08/02 19:12:44 | 000,081,920 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/08/02 19:02:20 | 001,372,160 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/08/02 18:17:30 | 000,722,480 | ---- | M] (IBM) [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe -- (TSSCoreService)
SRV - [2005/06/06 21:26:22 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - [1998/06/06 00:00:00 | 000,034,036 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\COMMON\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/07/28 16:33:56 | 000,055,656 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2006/04/27 16:45:00 | 000,014,848 | ---- | M] (Lenovo, Ltd. and IBM Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPDiskPM.sys -- (TPDiskPM)
DRV - [2006/04/14 13:04:08 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/04/05 19:38:22 | 002,208,512 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2006/03/30 15:03:00 | 000,006,784 | ---- | M] (Lenovo, Ltd. and IBM Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
DRV - [2006/03/09 17:20:10 | 000,152,064 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/01/21 22:44:54 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/10/18 17:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/10/18 17:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/10/18 17:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/09/05 08:55:15 | 000,016,256 | ---- | M] (Lenovo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2005/08/31 03:40:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2005/08/31 02:50:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/08/31 02:50:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/08/02 18:15:38 | 000,013,184 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/08/02 18:00:22 | 000,014,336 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nsctpm11.sys -- (TPM11)
DRV - [2005/04/14 01:01:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2004/05/19 19:41:26 | 000,013,757 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NscTpmDD.sys -- (portio)
DRV - [2003/09/19 01:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/08/21 22:25:52 | 000,094,600 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2303: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2361: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1465: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/23 20:45:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/23 20:45:37 | 000,000,000 | ---D | M]

[2008/08/29 02:25:03 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/08/24 20:32:06 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions
[2009/08/22 02:04:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/26 10:42:39 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/07/25 22:21:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/26 22:02:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/08/23 20:45:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/08/23 20:45:28 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/06/08 19:19:25 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2011/08/26 00:07:29 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BootSkin Startup Jobs] C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe ()
O4 - HKLM..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe (Lenovo Group Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://fpdownload.ma...are/awswaxd.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=48835 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1125866187999 (MUWebControl Class)
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} https://www.ibm.com/...ntent/AcpIR.cab (IASRunner Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://webcsd.sacred...sCamControl.ocx (CamImage Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://webmail.factset.com/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O20 - AppInit_DLLs: (C:\WINDOWS\katrack.dll) - C:\WINDOWS\katrack.dll (Sassafras Software Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\DefaultBackground.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\DefaultBackground.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/27 18:28:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/26 10:42:35 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/08/26 10:42:35 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Avira
[2011/08/26 10:42:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\save$$updater
[2011/08/26 10:42:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\(null)
[2011/08/26 10:42:24 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/08/25 10:20:35 | 000,446,464 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Desktop\TFC.exe
[2011/08/25 10:08:34 | 000,580,096 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
[2011/08/24 22:45:33 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/24 22:45:33 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/24 22:45:29 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/10 21:31:32 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack
[2011/08/10 21:31:27 | 000,237,568 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2011/08/10 21:31:27 | 000,151,552 | ---- | C] (fccHandler) -- C:\WINDOWS\System32\ac3acm.acm
[2011/08/10 20:54:25 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User\Application Data\Media Player Classic
[2011/08/10 20:48:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2011/08/10 20:47:27 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Media Player Classic - Home Cinema
[2011/08/10 20:47:25 | 000,000,000 | ---D | C] -- C:\Program Files\Media Player Classic - Home Cinema
[2011/08/08 23:02:16 | 000,000,000 | R--D | C] -- D:\Documents and Settings\All Users\Documents\My Music
[2011/07/28 13:33:44 | 000,000,000 | R--D | C] -- D:\Documents and Settings\User\Recent

========== Files - Modified Within 30 Days ==========

[2011/08/26 10:55:23 | 000,000,672 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/26 10:45:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/26 10:45:03 | 000,000,000 | ---- | M] () -- C:\WINDOWS\297441164
[2011/08/26 10:45:01 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/26 10:44:58 | 1072,156,672 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/26 00:07:29 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/08/25 23:19:45 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_74222.nl_
[2011/08/25 10:20:36 | 000,446,464 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\TFC.exe
[2011/08/25 10:08:36 | 000,580,096 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Desktop\OTL.exe
[2011/08/24 22:29:06 | 000,036,864 | ---- | M] () -- D:\Documents and Settings\All Users\Application Data\KeyAccess Audit
[2011/08/24 22:28:58 | 002,469,040 | ---- | M] () -- D:\Documents and Settings\User\Local Settings\Application Data\KeyAccess Offline
[2011/08/24 22:19:04 | 000,087,040 | ---- | M] () -- D:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/22 20:42:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/10 21:18:30 | 000,469,086 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/10 21:18:30 | 000,076,726 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/10 21:15:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/10 20:47:27 | 000,001,728 | ---- | M] () -- D:\Documents and Settings\Desktop\Media Player Classic - Home Cinema.lnk
[2011/08/08 04:00:00 | 000,074,752 | ---- | M] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/08/08 04:00:00 | 000,000,038 | ---- | M] () -- C:\WINDOWS\avisplitter.ini

========== Files Created - No Company Name ==========

[2011/08/26 10:45:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\297441164
[2011/08/25 23:22:19 | 1072,156,672 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/24 23:14:16 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_74222.nl_
[2011/08/24 22:45:33 | 000,000,672 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/23 20:45:39 | 000,000,628 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/08/10 21:31:29 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/08/10 21:31:27 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/08/10 21:31:27 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/08/10 21:31:26 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/08/10 20:47:27 | 000,001,728 | ---- | C] () -- D:\Documents and Settings\Desktop\Media Player Classic - Home Cinema.lnk
[2011/08/08 23:20:30 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/07/26 23:49:34 | 000,036,864 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\KeyAccess Audit
[2010/06/22 21:53:53 | 000,082,260 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/05/27 19:46:18 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/02/20 00:52:57 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/11/14 21:24:14 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\wceprv.dll
[2007/11/05 00:51:35 | 000,001,156 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/11/04 12:17:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/10/14 17:55:20 | 000,087,040 | ---- | C] () -- D:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/05 14:32:48 | 000,005,021 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/01 09:08:50 | 002,469,040 | ---- | C] () -- D:\Documents and Settings\User\Local Settings\Application Data\KeyAccess Offline
[2006/08/08 13:14:05 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2006/06/12 12:27:00 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2006/01/31 18:00:13 | 000,000,203 | ---- | C] () -- C:\WINDOWS\SpssLM.ini
[2006/01/31 14:55:32 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2005/09/05 08:56:52 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\psasrv.exe
[2005/09/04 16:57:51 | 000,036,939 | ---- | C] () -- C:\WINDOWS\System32\insrepim.exe
[2005/07/06 00:45:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2005/07/05 12:33:11 | 000,007,357 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2005/07/05 01:32:04 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\SmaSeed.exe
[2005/07/05 00:46:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2005/07/05 00:46:12 | 000,009,340 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2005/07/05 00:15:14 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/07/05 00:15:14 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/07/05 00:15:14 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/07/05 00:15:14 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/07/05 00:15:14 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/07/05 00:15:14 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/07/05 00:12:38 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/04 23:15:58 | 000,001,313 | ---- | C] () -- D:\Documents and Settings\User\Application Data\vitalsource KEY Prefs
[2005/06/29 19:16:00 | 000,000,000 | ---- | C] () -- D:\Documents and Settings\User\Application Data\dm.ini
[2005/06/28 12:09:09 | 000,000,127 | ---- | C] () -- D:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
[2005/06/28 10:35:37 | 000,000,126 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/06/28 10:26:43 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/06/27 22:52:48 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/27 21:13:00 | 000,073,782 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[2005/06/27 21:12:17 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/06/27 21:12:13 | 000,469,086 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/06/27 21:12:13 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/06/27 21:12:13 | 000,076,726 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/06/27 21:12:13 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/06/27 21:12:12 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/06/27 21:12:10 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/06/27 21:12:09 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/06/27 21:12:01 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/06/27 21:12:01 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/06/27 21:11:52 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/06/27 21:11:42 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/06/27 20:17:19 | 000,000,351 | ---- | C] () -- C:\WINDOWS\TrayServerData.ini
[2005/06/27 20:16:35 | 000,007,840 | ---- | C] () -- C:\WINDOWS\System32\mcdmsg4.dll
[2005/06/27 18:53:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2005/06/27 18:52:28 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2005/06/27 18:52:28 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2005/06/27 18:52:28 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2005/06/27 18:52:27 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2005/06/27 18:52:27 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/06/27 18:49:59 | 000,016,384 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2005/06/27 18:49:59 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2005/06/27 18:49:05 | 000,002,086 | ---- | C] () -- C:\WINDOWS\System32\SMBIOS.bin
[2005/06/27 18:30:31 | 000,002,048 | ---- | C] () -- C:\WINDOWS\bootstat.dat
[2005/06/27 18:25:31 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/06/27 14:19:37 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/06/27 14:18:45 | 000,375,264 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/06/11 11:47:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2005/06/10 17:59:16 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/06/01 13:00:00 | 000,331,776 | ---- | C] () -- C:\WINDOWS\keyacc32.exe
[2005/04/27 09:53:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pwdmon.dll
[2004/11/08 20:12:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/12 20:11:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2004/01/09 09:10:32 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/06/24 14:43:48 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/08 23:28:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\TpScrLk.exe
[2002/03/19 18:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[2002/03/19 17:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2000/09/01 13:00:00 | 000,001,519 | ---- | C] () -- C:\WINDOWS\keyacc.ini
[2000/06/13 14:30:06 | 000,222,720 | ---- | C] () -- C:\WINDOWS\System32\spss_lmd.exe
[1998/12/06 16:56:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\verinst.exe
[1998/06/10 00:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL
[1998/05/18 00:00:00 | 000,014,017 | ---- | C] () -- C:\WINDOWS\JAUTOEXP.INI

========== LOP Check ==========

[2006/08/09 15:32:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\DyKnow
[2005/07/05 00:10:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ibm
[2011/07/26 22:07:08 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sony
[2006/08/09 14:48:23 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sophos
[2010/02/14 18:56:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2005/09/05 09:13:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ThinkVantage
[2010/01/04 21:52:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/07 16:12:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2006/01/31 11:30:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Desktop Sidebar
[2006/01/31 15:12:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Dev-Cpp
[2008/03/12 22:42:32 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Flickr
[2007/09/23 16:36:49 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\HorizonWimba
[2005/07/05 00:29:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\IBM
[2005/07/05 12:21:44 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\InterVideo
[2005/07/05 00:28:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Leadertech
[2010/09/25 14:00:52 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Publish Providers
[2010/09/25 14:00:59 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Sony
[2005/09/05 09:13:40 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\ThinkVantage
[2011/08/26 10:54:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\uTorrent
[2006/01/31 12:52:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User\Application Data\Vital Source Technologies

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\297441164:1936213486.exe

< End of report >
  • 0

#8
RKinner

    Malware Expert

  • Expert
  • 19,776 posts
  • MVP
See if you can run Combofix. Make sure the anti-virus is off. You might try it in Safe Mode. (Reboot and when you hear the beep, see the maker's logo or it mentions F8, start tapping the F8 key slowly. Keep tapping until it gets to the safe mode menu. Choose Safe Mode with Networking and login with your regular login.)

If that fails then try rebooting into the Safe Mode menu but choose Command Prompt. When you get to the prompt type:

cd  \windows

del  297441164

mkdir  297441164

exit

  • 0

#9
happy01

    Member

  • Topic Starter
  • Member
  • 54 posts
I ran combofix in safe mode. It said I was infected, and to run combofix again if I cannot get on the internet. I am running combofix again in normal mode now. I still cannot get on the net.

ComboFix 11-08-26.04 - User 08/26/2011 13:29:04.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.681 [GMT -4:00]
Running from: d:\documents and settings\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled* {9EFC479D-082C-471E-BB2E-DB50CFB21926}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB51577$
c:\windows\$NtUninstallKB51577$\2358753809\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB51577$\2358753809\L\iosaepys
c:\windows\$NtUninstallKB51577$\2358753809\loader.tlb
c:\windows\$NtUninstallKB51577$\2358753809\U\@00000001
c:\windows\$NtUninstallKB51577$\2358753809\U\@000000c0
c:\windows\$NtUninstallKB51577$\2358753809\U\@000000cb
c:\windows\$NtUninstallKB51577$\2358753809\U\@000000cf
c:\windows\$NtUninstallKB51577$\2358753809\U\@80000000
c:\windows\$NtUninstallKB51577$\2358753809\U\@800000c0
c:\windows\$NtUninstallKB51577$\2358753809\U\@800000cb
c:\windows\$NtUninstallKB51577$\2358753809\U\@800000cf
c:\windows\$NtUninstallKB51577$\3210891230
c:\windows\297441164
c:\windows\system32\c_74222.nl_
c:\windows\system32\c_74222.nls
c:\windows\system32\comct332.ocx
d:\documents and settings\Default User\WINDOWS
d:\documents and settings\Desktop\ComboFix.exe
d:\documents and settings\Desktop\OTL.exe
d:\documents and settings\Desktop\TFC.exe
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
Infected copy of c:\windows\system32\DRIVERS\netbt.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe . . . is infected!!
.
Infected copy of c:\windows\system32\Ati2evxx.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2evxx.exe
.
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe . . . is infected!!
.
c:\windows\system32\ibmpmsvc.exe . . . is infected!!
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\RegSrvc.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe . . . is infected!!
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe . . . is infected!!
.
c:\windows\system32\TPHDEXLG.EXE . . . is infected!!
.
c:\windows\system32\TpKmpSVC.exe . . . is infected!!
.
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe . . . is infected!!
.
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_8c97ba11
.
.
((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
.
.
2011-08-26 17:23 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 14:45 . 2011-08-26 14:45 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.000
2011-08-26 14:45 . 2011-08-26 14:45 -------- d-sh--w- d:\documents and settings\NetworkService.NT AUTHORITY.000
2011-08-26 14:43 . 2011-08-26 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\windows\system32\save$$updater
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\windows\system32\(null)
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\program files\Avira
2011-08-25 02:45 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-25 02:45 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 00:45 . 2011-08-24 00:45 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-24 00:45 . 2011-08-24 00:45 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-24 00:45 . 2011-08-24 00:45 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-24 00:45 . 2011-08-24 00:45 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-24 00:45 . 2011-08-24 00:45 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-24 00:45 . 2011-08-24 00:45 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-24 00:45 . 2011-08-24 00:45 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-24 00:45 . 2011-08-24 00:45 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-15 01:05 . 2011-08-15 01:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 01:31 . 2006-10-18 18:05 232448 ----a-w- c:\windows\system32\mp3fhg.acm
2011-08-11 01:31 . 2011-07-16 14:17 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-08-11 01:31 . 2011-06-24 14:44 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-08-11 01:31 . 2011-06-24 14:28 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-08-11 01:31 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-08-11 01:31 . 2011-08-08 08:00 74752 ----a-w- c:\windows\system32\ff_vfw.dll
2011-08-11 00:54 . 2011-08-11 00:54 -------- d-----w- d:\documents and settings\User\Application Data\Media Player Classic
2011-08-11 00:50 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-08-11 00:48 . 2011-08-11 00:48 -------- d-----w- c:\windows\Logs
2011-08-11 00:47 . 2011-08-11 00:47 -------- d-----w- c:\program files\Media Player Classic - Home Cinema
2011-08-10 18:49 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 18:49 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 03:20 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-08-02 00:42 . 2011-08-02 00:42 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-21 04:00 . 2005-04-27 13:16 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-07-15 13:29 . 2005-06-28 01:12 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-06-28 01:12 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2005-06-27 22:24 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-06-28 01:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-06-28 01:12 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-06-28 01:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-06-28 01:11 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-06-28 01:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2005-06-28 01:12 1858944 ------w- c:\windows\system32\win32k.sys
2011-08-24 00:45 . 2011-08-24 00:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"KeyAccess"="c:\windows\keyacc32.exe" [2005-06-01 331776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 25440]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-03 17248]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 03:23 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0090404]
IME File REG_SZ MSTCICJA.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0080404]
IME File REG_SZ MSTCIPHA.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200412]
Ime File REG_SZ IMEKR70.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0100804]
IME File REG_SZ WINWB86.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0110804]
IME File REG_SZ WINWB98.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e00e0804]
IME File REG_SZ IMSC40A.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200411]
Ime File REG_SZ IMJP9.IME
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/27/2005 6:49 PM 14848]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 5:47 PM 3968]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/27/2005 6:49 PM 6784]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [8/2/2005 6:00 PM 14336]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Sacred Heart University
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.10.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-SyncBack_is1 - c:\program files\2BrightSparks\SyncBack\unins000.exe
AddRemove-Sun Download Manager 2.0 (web) - c:\windows\system32\javaws.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 13:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3016)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Pro Imaging Powertoys\Microsoft RAW Image Thumbnailer and Viewer for Windows XP\CRawViewerExtension.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
.
**************************************************************************
.
Completion time: 2011-08-26 13:45:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-26 17:45
.
Pre-Run: 17,784,025,088 bytes free
Post-Run: 17,735,278,592 bytes free
.
- - End Of File - - A7B15B9C6F5061C0843A753ED84F9930

#10 happy01 (Topic Starter, Member, 54 posts)
I just ran combofix again in normal mode. Here is the log. I am running MBAM now, but can't update as I still cannot get on the net. It is still scanning and has not shut down yet.

ComboFix 11-08-26.04 - User 08/26/2011 13:51:08.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.633 [GMT -4:00]
Running from: d:\documents and settings\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled* {9EFC479D-082C-471E-BB2E-DB50CFB21926}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
.
.
2011-08-26 14:45 . 2011-08-26 14:45 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.000
2011-08-26 14:45 . 2011-08-26 14:45 -------- d-sh--w- d:\documents and settings\NetworkService.NT AUTHORITY.000
2011-08-26 14:43 . 2011-08-26 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\windows\system32\save$$updater
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\windows\system32\(null)
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\program files\Avira
2011-08-25 02:45 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-25 02:45 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 00:45 . 2011-08-24 00:45 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-24 00:45 . 2011-08-24 00:45 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-24 00:45 . 2011-08-24 00:45 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-24 00:45 . 2011-08-24 00:45 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-24 00:45 . 2011-08-24 00:45 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-24 00:45 . 2011-08-24 00:45 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-24 00:45 . 2011-08-24 00:45 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-24 00:45 . 2011-08-24 00:45 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-15 01:05 . 2011-08-15 01:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 01:31 . 2006-10-18 18:05 232448 ----a-w- c:\windows\system32\mp3fhg.acm
2011-08-11 01:31 . 2011-07-16 14:17 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-08-11 01:31 . 2011-06-24 14:44 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-08-11 01:31 . 2011-06-24 14:28 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-08-11 01:31 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-08-11 01:31 . 2011-08-08 08:00 74752 ----a-w- c:\windows\system32\ff_vfw.dll
2011-08-11 00:54 . 2011-08-11 00:54 -------- d-----w- d:\documents and settings\User\Application Data\Media Player Classic
2011-08-11 00:50 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-08-11 00:48 . 2011-08-11 00:48 -------- d-----w- c:\windows\Logs
2011-08-11 00:47 . 2011-08-11 00:47 -------- d-----w- c:\program files\Media Player Classic - Home Cinema
2011-08-10 18:49 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 18:49 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 03:20 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-08-02 00:42 . 2011-08-02 00:42 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-21 04:00 . 2005-04-27 13:16 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-07-15 13:29 . 2005-06-28 01:12 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-06-28 01:12 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2005-06-27 22:24 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-06-28 01:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-06-28 01:12 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-06-28 01:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-06-28 01:11 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-06-28 01:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2005-06-28 01:12 1858944 ------w- c:\windows\system32\win32k.sys
2011-08-24 00:45 . 2011-08-24 00:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"KeyAccess"="c:\windows\keyacc32.exe" [2005-06-01 331776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 25440]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-03 17248]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 03:23 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0090404]
IME File REG_SZ MSTCICJA.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0080404]
IME File REG_SZ MSTCIPHA.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200412]
Ime File REG_SZ IMEKR70.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0100804]
IME File REG_SZ WINWB86.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0110804]
IME File REG_SZ WINWB98.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e00e0804]
IME File REG_SZ IMSC40A.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200411]
Ime File REG_SZ IMJP9.IME
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/27/2005 6:49 PM 14848]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 5:47 PM 3968]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/27/2005 6:49 PM 6784]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [8/2/2005 6:00 PM 14336]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Sacred Heart University
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.10.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 13:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2011-08-26 14:00:50
ComboFix-quarantined-files.txt 2011-08-26 18:00
ComboFix2.txt 2011-08-26 17:45
.
Pre-Run: 17,745,391,616 bytes free
Post-Run: 17,724,190,720 bytes free
.
- - End Of File - - 11E9194885AFF4C759FB14C0274B63DA

#11 happy01 (Topic Starter, Member, 54 posts)
I was able to run MBAM (Quick Scan), but it found no viruses. Again, I cannot update MBAM because my computer cannot find a network address.

Here is the MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/26/2011 2:07:20 PM
mbam-log-2011-08-26 (14-07-20).txt

Scan type: Quick scan
Objects scanned: 213343
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 RKinner (Malware Expert, MVP, 19,776 posts)
Judging by the number of infected files I think you had better stay in Safe Mode. This looks like zeroaccess to me. Let's see if the zeroaccess tool will work:

http://anywhere.webr...izeroaccess.exe

The last time I had one of these it claimed we didn't have zeroaccess even though CF said we did. Perhaps CF has already removed the key parts of it?

I would get Autoruns from
http://live.sysinter...om/autoruns.exe

and use it to keep the files CF has identified as infected from running. (The ones it says it fixed are probably OK.)
Then run CF again => You should download the latest version and move it to the sick PC's desktop. I would rename it to george.exe.


Also download the file: http://www.microsoft...&displaylang=en
and move it to the sick PC's desktop. Then drag it over to george.exe and let go. CF should install the Recovery Console. CF is a bit more powerful with the Recovery Console installed so run it one more time.

If this is the thing I think it is, it replaces your antivirus with itself. Anything you run on it that touches a "sacrificial goat" process gets its permissions changed so that it can't run again. If that happens you can supposedly get the program to run again by using inherit.exe per the instructions here:
http://forums.majorg...ad.php?t=198272

Ron
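
Ron's step above is to take every file ComboFix reported as ". . . is infected!!" and stop it from running with Autoruns before CF goes again, while treating the files CF reported as "found and disinfected" as probably fine. The Python below is an added example, not something posted in this thread and not ComboFix code: it parses a ComboFix log in the format posted above, separates the files CF flagged but did not repair (the Autoruns list) from the ones it repaired (with the clean copy it used), and tags the other items in this log a responder would want to look at: the payload store under the fake $NtUninstallKB51577$ folder, the bare-number file in c:\windows that matches the 297441164:... process name from the first post, the dot-prefixed .redbook service whose ImagePath is \*, the disabled Windows Firewall standard profile, the globally open 3389/TCP port, and the AppInit_DLLs entry. SAMPLE_LOG is excerpted from the log posted above; the indicator rules and their tag names are the editor's own heuristics and say "look here", not "confirmed malicious".

```python
"""Triage a ComboFix log for the indicators seen in this thread.

Added example: not part of the thread and not ComboFix code. SAMPLE_LOG is
excerpted from the log posted above; the tagging rules are editor heuristics.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\$NtUninstallKB51577$\2358753809\U\@80000000
c:\windows\297441164
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_combofix(text):
    """Split the log into flagged-but-not-repaired files, repaired files (with the
    clean source CF used), paths CF deleted, and the registry values under each key."""
    report = {"infected": [], "repaired": [], "deleted": [], "registry": defaultdict(dict)}
    section = key = pending = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == ".":
            continue
        if line.startswith("((((") and line.endswith("))))"):
            section, key = line.strip("() "), None
        elif m := INFECTED_RE.match(line):            # CF could not repair it: block in Autoruns
            report["infected"].append(m.group("path"))
        elif m := DISINFECTED_RE.match(line):         # repaired; the next line names the clean copy
            pending = m.group("path")
        elif (m := RESTORED_RE.match(line)) and pending:
            report["repaired"].append((pending, m.group("src")))
            pending = None
        elif m := REG_KEY_RE.match(line):
            key = m.group("key")
        elif (m := REG_VALUE_RE.match(line)) and key:
            report["registry"][key][m.group("name")] = m.group("data").strip()
        elif section == "Other Deletions" and ":\\" in line:
            report["deleted"].append(line)
    return report


def indicators(report):
    """Heuristic tags for the traces Ron points at above; a hit means 'check this'."""
    found = []
    for path in report["deleted"]:
        low = path.lower()
        if "$ntuninstall" in low and re.search(r"\\u\\@[0-9a-f]{8}$", low):
            found.append(("hidden-store", path))        # payload store under a fake $NtUninstallKB...$ tree
        elif re.search(r"\\windows\\\d{6,}$", low):
            found.append(("numeric-dropper", path))     # bare-number file, cf. the 297441164:... process
    for key, vals in report["registry"].items():
        kl, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "\\services\\" in kl and leaf.startswith(".") and vals.get("ImagePath", "").strip('"') == r"\*":
            found.append(("hijacked-driver-service", key))  # dot-prefixed twin of the patched redbook driver
        if kl.endswith("\\standardprofile") and vals.get("EnableFirewall", "").startswith("0"):
            found.append(("firewall-disabled", key))
        if kl.endswith("globallyopenports\\list") and any(v.startswith("3389:") for v in vals):
            found.append(("rdp-open", key))
        if kl.endswith("currentversion\\windows") and vals.get("AppInit_DLLs"):
            found.append(("appinit-dll-verify", vals["AppInit_DLLs"]))  # loads into every GUI process: confirm it is legit
    return found


def triage(text):
    r = parse_combofix(text)
    return {"block_in_autoruns": sorted(r["infected"]), "repaired": r["repaired"], "findings": indicators(r)}


if __name__ == "__main__":
    out = triage(SAMPLE_LOG)
    print("Flagged but not repaired (disable in Autoruns, then re-run CF):")
    print("\n".join("  " + p for p in out["block_in_autoruns"]))
    print("Repaired, with the clean copy ComboFix used:")
    print("\n".join("  %s  <-  %s" % pair for pair in out["repaired"]))
    print("Other indicators to check:")
    print("\n".join("  [%s] %s" % f for f in out["findings"]))
```

Two of the tags are deliberately review items rather than verdicts. The AppInit_DLLs entry, katrack.dll, sits next to the KeyAccess client (keyacc32.exe) that is also in the Run key and in the firewall exception list, so it has to be checked against that install before anyone removes it. And the log shows 3389/TCP globally open and EnableFirewall=0 for the Windows Firewall profile while the header reports the Trend Micro OfficeScan firewall as enabled; whether RDP is actually reachable from the network depends on that third-party firewall, which a ComboFix log cannot tell you.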

#13 happy01 (Topic Starter, Member, 54 posts)
Cannot download this: Problem loading page

Also download the file: http://www.microsoft...&displaylang=en
and move it to the sick PC's desktop. Then drag it over to george.exe and let go. CF should install the Recovery Console. CF is a bit more powerful with the Recovery Console installed so run it one more time.

Doing the rest now

#14 happy01 (Topic Starter, Member, 54 posts)
I ran antizeroaccess, and it said I did not have zeroaccess on my computer.

I ran autoruns and let it finish, I kept autoruns open, then ran combofix.

I could not download the following as the link was bad: Also download the file: http://www.microsoft...&displaylang=en
and move it to the sick PC's desktop….

I believe I have the recovery console installed (I see it upon boot)

I will use Inherit for future problems opening .exe files (thank you)

I still cannot get the computer to run in Safe Mode with Networking.

Below is my latest Combofix log:

ComboFix 11-08-26.04 - User 08/26/2011 14:58:12.7.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.774 [GMT -4:00]
Running from: d:\documents and settings\Desktop\george.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled* {9EFC479D-082C-471E-BB2E-DB50CFB21926}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\Desktop\antizeroaccess.exe
d:\documents and settings\Desktop\autoruns.exe
d:\documents and settings\Desktop\george.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
.
.
2011-08-26 17:23 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 14:45 . 2011-08-26 14:45 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.000
2011-08-26 14:45 . 2011-08-26 14:45 -------- d-sh--w- d:\documents and settings\NetworkService.NT AUTHORITY.000
2011-08-26 14:43 . 2011-08-26 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\windows\system32\save$$updater
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\windows\system32\(null)
2011-08-26 14:42 . 2011-08-26 14:42 -------- d-----w- c:\program files\Avira
2011-08-25 02:45 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-25 02:45 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 00:45 . 2011-08-24 00:45 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-24 00:45 . 2011-08-24 00:45 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-24 00:45 . 2011-08-24 00:45 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-24 00:45 . 2011-08-24 00:45 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-24 00:45 . 2011-08-24 00:45 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-24 00:45 . 2011-08-24 00:45 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-24 00:45 . 2011-08-24 00:45 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-24 00:45 . 2011-08-24 00:45 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-15 01:05 . 2011-08-15 01:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 01:31 . 2006-10-18 18:05 232448 ----a-w- c:\windows\system32\mp3fhg.acm
2011-08-11 01:31 . 2011-07-16 14:17 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-08-11 01:31 . 2011-06-24 14:44 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-08-11 01:31 . 2011-06-24 14:28 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-08-11 01:31 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-08-11 01:31 . 2011-08-08 08:00 74752 ----a-w- c:\windows\system32\ff_vfw.dll
2011-08-11 00:54 . 2011-08-11 00:54 -------- d-----w- d:\documents and settings\User\Application Data\Media Player Classic
2011-08-11 00:50 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-08-11 00:48 . 2011-08-11 00:48 -------- d-----w- c:\windows\Logs
2011-08-11 00:47 . 2011-08-11 00:47 -------- d-----w- c:\program files\Media Player Classic - Home Cinema
2011-08-10 18:49 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 18:49 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 03:20 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-08-02 00:42 . 2011-08-02 00:42 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-21 04:00 . 2005-04-27 13:16 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-07-15 13:29 . 2005-06-28 01:12 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-06-28 01:12 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2005-06-27 22:24 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-06-28 01:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-06-28 01:12 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-06-28 01:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-06-28 01:11 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-06-28 01:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2005-06-28 01:12 1858944 ------w- c:\windows\system32\win32k.sys
2011-08-24 00:45 . 2011-08-24 00:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_17.39.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-25 14:53 . 2011-08-26 18:12 214449 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"KeyAccess"="c:\windows\keyacc32.exe" [2005-06-01 331776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 25440]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-03 17248]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 03:23 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0090404]
IME File REG_SZ MSTCICJA.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0080404]
IME File REG_SZ MSTCIPHA.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200412]
Ime File REG_SZ IMEKR70.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0100804]
IME File REG_SZ WINWB86.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0110804]
IME File REG_SZ WINWB98.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e00e0804]
IME File REG_SZ IMSC40A.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200411]
Ime File REG_SZ IMJP9.IME
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/27/2005 6:49 PM 14848]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/27/2005 6:49 PM 6784]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [8/2/2005 6:00 PM 14336]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 5:47 PM 3968]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Sacred Heart University
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.10.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2x311ay5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 15:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(268)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2011-08-26 15:15:11
ComboFix-quarantined-files.txt 2011-08-26 19:14
ComboFix2.txt 2011-08-26 18:00
ComboFix3.txt 2011-08-26 17:45
.
Pre-Run: 18,805,567,488 bytes free
Post-Run: 18,778,804,224 bytes free
.
- - End Of File - - A4E2ED71249ECB33BBB3AC9142D4B94F
  • 0

#15
RKinner

    Malware Expert

  • Expert
  • 19,776 posts
  • MVP
The link works for me OK. I think you probably copied and pasted the link. The forum likes to shorten links. You have to right click on them and Copy Link Location.
Here it is again in an unshortened version:
http://www.microsoft...lang=en&id=1000

CF is acting a bit strange. It claims it deleted george.exe, autoruns.exe and antizeroaccess.exe from the desktop. Did it?

When I said use Autoruns to stop the infected files from running, I meant these:

c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe . . . is infected!!
.
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe . . . is infected!!
.
c:\windows\system32\ibmpmsvc.exe . . . is infected!!
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\RegSrvc.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe . . . is infected!!
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe . . . is infected!!
.
c:\windows\system32\TPHDEXLG.EXE . . . is infected!!
.
c:\windows\system32\TpKmpSVC.exe . . . is infected!!
.
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe . . . is infected!!
.
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe . . . is infected!!
.


Are you trying to connect via an Ethernet cable or wirelessly? What kind of PC is this (make and model, and service tag if it has one)?

Let's see if you can get into the Recovery Console. Start, Settings, Control Panel, System, Advanced, Startup and Recovery - Settings, and change the Time to Display the List of Operating Systems from two to 10 seconds. OK.

Now Reboot. When it gives you a choice between your regular XP and the Recovery Console, hit the down arrow to select the Recovery Console then Enter. You should get a black screen with a C:\> prompt. (If it asks you which Windows you want then we want C:\ which usually means hit the 1 key.) Type with an Enter after each line:

map

(What does it say? If it shows more than one partition, then please copy down all details.)

(You can leave it there until you hear back from me, or you can type exit and boot back into Safe Mode.)

Ron
  • 0
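The ComboFix log posted above and the list of flagged files in Ron's reply share one line format, and a helper reads the same few sections of it every time: the standard-profile firewall state, any AppInit_DLLs value, globally open ports, the HKLM Run autostarts, and the ". . . is infected!!" lines. The following Python parser is an added example for this thread; it is not ComboFix's own code and not part of either post. Its sample log is constructed from lines shown on this page, and the function names (parse_sections, review, report) are this example's own.

```python
"""Pull reviewable settings out of a ComboFix-style log.

Added example for this thread; it is not ComboFix's code and not part of the
original posts. SAMPLE_LOG is constructed from lines shown on the page.
"""
import re
from collections import defaultdict

# `"name"=value` entries under a [registry key] header, as ComboFix prints them.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Lines ComboFix prints for files it believes were patched/infected.
INFECTED_RE = re.compile(r'^(?P<path>.+?) \. \. \. is infected!!$')

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
.
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
.
c:\windows\system32\ibmpmsvc.exe . . . is infected!!
"""


def parse_sections(log_text):
    """Return {header: [(name, value), ...]} for each [key] block in the log.

    ComboFix separates blocks with a lone '.', which is skipped.
    """
    sections = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return dict(sections)


def review(log_text):
    """Collect the items a helper would check first; it does not judge them."""
    findings = {
        "firewall_disabled": False,  # standard-profile EnableFirewall is 0
        "appinit_dlls": [],          # loaded into every process that uses user32.dll
        "open_ports": [],            # GloballyOpenPorts entries, e.g. 3389:TCP
        "run_entries": [],           # HKLM Run-key autostart names
        "infected": [],              # paths ComboFix reported as infected
    }
    for header, entries in parse_sections(log_text).items():
        h = header.lower()
        for name, value in entries:
            if h.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
                findings["firewall_disabled"] = value.startswith("0")
            elif h.endswith("\\currentversion\\windows") and name.lower() == "appinit_dlls" and value:
                findings["appinit_dlls"].append(value)
            elif h.endswith("globallyopenports\\list"):
                findings["open_ports"].append(name)
            elif h.endswith("\\currentversion\\run"):
                findings["run_entries"].append(name)
    for raw in log_text.splitlines():
        m = INFECTED_RE.match(raw.strip())
        if m:
            findings["infected"].append(m.group("path"))
    return findings


def report(findings):
    """Render findings as plain lines, suitable for pasting into a reply."""
    lines = []
    if findings["firewall_disabled"]:
        lines.append("Windows Firewall is OFF for the standard profile")
    for dll in findings["appinit_dlls"]:
        lines.append(f"AppInit_DLLs set: {dll} (verify this file)")
    for port in findings["open_ports"]:
        lines.append(f"Firewall policy opens port {port}")
    lines.append(f"{len(findings['run_entries'])} HKLM Run entries")
    for path in findings["infected"]:
        lines.append(f"Flagged as infected: {path}")
    return lines


if __name__ == "__main__":
    for line in report(review(SAMPLE_LOG)):
        print(line)
```

The parser only surfaces items; it does not decide whether a file is malicious. AppInit_DLLs is listed unconditionally because any DLL named there is loaded into every process that loads user32.dll, so a helper wants to verify that file whatever it is, and a disabled standard-profile firewall plus an open 3389:TCP (Remote Desktop) entry are worth a question to the poster even when they turn out to be intentional.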