Geeks to Go forum

Need help removing remnants of Alureon-G rootkit


  • This topic is locked

#1
Aiand

Aiand

    New Member

  • Member
  • Pip
  • 6 posts
Hi-

Recently my son was surfing the web and our PC (Windows Vista 32 bit) became infected with the Alureon-G rootkit. I have Avast installed and it notified me of the virus/rootkit but it didn't prevent it. Since last Wednesday I have been trying to remove this virus but remnants keep appearing. I noticed odd behavior in DNS resolution yesterday where traffic was being redirected to alternate, non-related sites, when I clicked on a link in Google.

I have performed multiple Avast scans (both through the GUI and boot level), run AVG, MBR, MWB and I still can't get rid of it even though the applications state they have removed it. The latest scan/detection found issue in the Java cache on the system. I have pulled the system off the network but I need help in "rooting" out this nasty little rootkit.

The good thing is that all of the files appear to be created only under my son's profile and no other. However, I am concerned there may be data being leaked out through a trojan or other malware. I am usually pretty good at this stuff but I am at the end of my skills and need help.

I have run OTL and have the logs available. Thanks in advance for any assistance you can provide.
  • 0



#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, could you post the OTL log please and run the following programme.

Download aswMBR.exe (1.8 MB) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image
  • 0

#3
Aiand

Aiand

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I am posting the logs now. I had already run the aswMBR so this log is included as well. The OTL log is > 1 Mb so it will not upload but I have loaded the extras.txt log

Thx

Attached File  aswMBR-08292011.txt   2.01KB   51 downloads
Attached File  mbam-log-2011-08-28 (23-05-01).txt   928bytes   46 downloads
Attached File  Extras.Txt   64.63KB   35 downloads
  • 0

#4
Aiand

Aiand

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I am posting the logs now. I had already run the aswMBR so this log is included as well. The OTL log is > 1 Mb so it will not upload but I have loaded the extras.txt log

Thx

Attached File  aswMBR-08292011.txt   2.01KB   51 downloads
Attached File  mbam-log-2011-08-28 (23-05-01).txt   928bytes   46 downloads
Attached File  Extras.Txt   64.63KB   35 downloads

PS-Wasn't thinking. Attached the OTL log as a zip

Attached File  OTL.zip   135.67KB   53 downloads
  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's remove what I can see. I also have a suspicion of a rootkit.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found [On_Demand | Stopped] -- -- (X)
    SRV - File not found [On_Demand | Stopped] -- -- (V)
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5D FA 85 00 F0 54 A8 41 A0 B9 1B D1 9B 49 AD 11 [binary data]
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5D FA 85 00 F0 54 A8 41 A0 B9 1B D1 9B 49 AD 11 [binary data]
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5D FA 85 00 F0 54 A8 41 A0 B9 1B D1 9B 49 AD 11 [binary data]
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5D FA 85 00 F0 54 A8 41 A0 B9 1B D1 9B 49 AD 11 [binary data]
    IE - HKU\S-1-5-21-3452593512-2370901467-3437361607-1001\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 68 D8 90 00 DA 97 10 4A A5 DF CF AA A4 15 D8 F1 [binary data]
    FF - prefs.js..extensions.enabledItems: {875623a4-14f4-4c6f-b91d-a11a658815bb}:1.0
    [2011/08/23 00:55:30 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\f3xp57k0.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}
    O2 - BHO: (no name) - {00889DAA-C9F5-4D25-B103-31095CB7F1Bb} - File not found
    O2 - BHO: (no name) - {0090D868-97DA-4A10-A5DF-CFAAA415D8F1} - File not found
    O2 - BHO: (no name) - {01113B54-C9F5-4D25-B103-31095CB7F1Bb} - File not found
    O2 - BHO: (no name) - {0217E976-54F0-41A8-A0B9-1BD19B49AD11} - File not found
    [2011/08/22 15:59:13 | 000,000,098 | ---- | M] () -- C:\Windows\System32\2087621955
    [2011/04/21 13:47:23 | 000,012,684 | -HS- | M] () -- C:\ProgramData\43l045680n245135g2l1jetcg6r0ukq8

    :Reg
    [HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-21-3452593512-2370901467-3437361607-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0
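The entries the OTL fix above targets fall into a few recognisable classes in an OTL log: registry-backed items (services, BHOs, Run keys) whose target reads "File not found", files in system locations with no publisher and a random-looking extensionless name or hidden+system attributes, and a missing hosts file (which is why the fix includes [resethosts]). The script below is an added example, not part of this thread and not an OTL or Geeks to Go tool; it parses OTL-style lines and flags those classes so a helper can triage a log quickly before deciding what to remove. The sample lines are drawn from the formats in this thread, the regular expression and the two file heuristics are my own assumptions about the format, and a flag is a prompt for a human to look, not a verdict.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample, modelled on the OTL line formats quoted in this thread.
SAMPLE_OTL_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (X)
SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- E:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
Hosts file not found
O2 - BHO: (no name) - {0217E976-54F0-41A8-A0B9-1BD19B49AD11} - File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CCUTRAYICON] File not found
O4 - HKLM..\Run: [avast5] E:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

========== Files - Modified Within 30 Days ==========

[2011/08/30 19:18:38 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/08/22 15:59:13 | 000,000,098 | ---- | M] () -- C:\Windows\System32\2087621955
[2011/04/21 13:47:23 | 000,012,684 | -HS- | M] () -- C:\ProgramData\43l045680n245135g2l1jetcg6r0ukq8
[2011/08/30 22:00:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/29 11:05:21 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\John\Desktop\OTL.exe
"""

# Assumed layout of an OTL file entry: [date | size | attrs | C/M] (company) -- path
# The "(company)" part is absent on directory entries, so it is optional.
FILE_ENTRY = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass
class Finding:
    kind: str    # orphan_reference | suspicious_file | hosts_missing
    line: str    # the OTL line that triggered it
    reason: str  # why a human should look at it


def triage(log_text: str) -> List[Finding]:
    """Scan OTL-style log text and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue
        if line == "Hosts file not found":
            findings.append(Finding("hosts_missing", line,
                                    "hosts file absent; restore a clean default"))
            continue
        m = FILE_ENTRY.match(line)
        if m is None:
            # Registry-backed entries (SRV, O2 BHO, O4 Run, ...) whose target is gone.
            if "File not found" in line:
                findings.append(Finding("orphan_reference", line,
                                        "registry entry points at a file that no longer exists"))
            continue
        company = m["company"] or ""
        attrs, path = m["attrs"], m["path"]
        name = PureWindowsPath(path).name
        if "D" in attrs:
            continue  # directories carry no publisher; skip them
        # Heuristic 1 (assumption): unsigned, extensionless file, e.g. C:\Windows\System32\2087621955
        if company == "" and "." not in name:
            findings.append(Finding("suspicious_file", line,
                                    "no publisher and no file extension: " + name))
        # Heuristic 2 (assumption): unsigned file marked hidden+system, as in C:\ProgramData\43l04...
        elif company == "" and "H" in attrs and "S" in attrs:
            findings.append(Finding("suspicious_file", line,
                                    "no publisher, hidden+system attributes: " + name))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, handy for a first glance at a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_OTL_LOG)
    for f in results:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Note that legitimate unsigned system files such as bootstat.dat (system attribute only, with an extension) are not flagged by either heuristic, while the two files the fix above deletes are; entries with a publisher, like the Avast and OldTimer binaries, are never flagged.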

#6
Aiand

Aiand

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I've tried to run the OTL with the above custom scan but it always stalls at the following:

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

I tried removing the "IE - " from the scan but it still stalled.

I performed a regedit to verify this value is blank, and it is (as is the next entry, "[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-").

The next entry, "[HKU\S-1-5-21-3452593512-2370901467-3437361607-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-", does not contain the string "XMLHTTP_UUID_Default=-" at all.

I ran the Quick Scan even though the Run Fix failed and I am attaching the log.

Attached File  OTL-08302011.Txt   68.77KB   41 downloads

I have not run ComboFix yet...my next task ;-)

Thanks again for taking the time to assist me with this.

OTL logfile created on: 8/30/2011 10:38:39 PM - Run 2
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Users\John\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19120)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.77 Gb Available Physical Memory | 58.91% Memory free
6.22 Gb Paging File | 4.79 Gb Available in Paging File | 77.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 289.04 Gb Total Space | 83.17 Gb Free Space | 28.77% Space Free | Partition Type: NTFS
Drive D: | 9.05 Gb Total Space | 1.23 Gb Free Space | 13.61% Space Free | Partition Type: NTFS
Drive E: | 298.09 Gb Total Space | 229.71 Gb Free Space | 77.06% Space Free | Partition Type: NTFS

Computer Name: HOME-2 | User Name: John | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/23 10:35:18 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\John\Desktop\OTL.exe
PRC - [2011/08/20 10:22:47 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/02 23:19:56 | 001,242,448 | ---- | M] (Valve Corporation) -- E:\Program Files\Steam\steam.exe
PRC - [2011/07/06 00:13:59 | 001,708,544 | ---- | M] (Curse) -- C:\Users\John\AppData\Local\Apps\2.0\VOJ11VGC.JP0\GNQJ01MX.WHR\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\CurseClient.exe
PRC - [2011/07/04 07:43:54 | 003,493,720 | ---- | M] (AVAST Software) -- E:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) -- E:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/05/24 23:03:54 | 000,401,408 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2011/05/24 23:03:26 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2011/04/14 11:48:32 | 001,758,208 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\vdDaemon.exe
PRC - [2011/03/21 11:06:08 | 000,248,320 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\razerhid.exe
PRC - [2010/04/27 14:41:26 | 000,218,112 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\razertra.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/19 03:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/19 03:33:27 | 000,151,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
PRC - [2008/01/15 11:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/07 13:28:02 | 000,143,360 | ---- | M] () -- C:\Program Files\Razer\Lycosa\razertra.exe
PRC - [2007/12/19 11:58:24 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\DeathAdder\razerofa.exe
PRC - [2007/11/22 11:49:08 | 000,385,024 | ---- | M] (Sony Corporation) -- E:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
PRC - [2007/11/20 16:53:36 | 000,147,456 | ---- | M] (Razer USA Ltd.) -- C:\Program Files\Razer\Lycosa\razerhid.exe
PRC - [2007/10/29 14:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/05/29 11:19:08 | 000,198,240 | ---- | M] () -- c:\hp\HPEZBTN\HPBtnSrv.exe
PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
PRC - [2007/03/09 12:09:58 | 000,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
PRC - [2007/02/15 07:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
PRC - [2006/09/03 13:32:28 | 000,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/20 10:22:47 | 001,000,920 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2011/08/10 21:47:30 | 000,240,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\64e6bc21d6554252e53e87c04a70a04d\WindowsFormsIntegration.ni.dll
MOD - [2011/08/10 21:45:58 | 001,711,616 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7785435dab38ed94b6a0a608e91c6cda\Microsoft.VisualBasic.ni.dll
MOD - [2011/08/10 21:45:09 | 002,346,496 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9ea6cff5cccb649eb8ad7cc6e3f03c88\System.Runtime.Serialization.ni.dll
MOD - [2011/08/10 21:45:06 | 017,404,416 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\beab37721e12fef7fc1e8f2ff130fa31\System.ServiceModel.ni.dll
MOD - [2011/08/10 21:45:06 | 000,256,000 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\ca54e016986a14796591228eaa80cce1\SMDiagnostics.ni.dll
MOD - [2011/08/10 21:44:47 | 001,801,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\dc9e5e32218f8a3d2f21d89511335713\System.Deployment.ni.dll
MOD - [2011/08/10 21:44:43 | 011,804,672 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5aa9131000876de66160ff713b543d99\System.Web.ni.dll
MOD - [2011/08/10 21:44:36 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\a6d889aa69fd51c100352f23c7cebd22\System.Runtime.Remoting.ni.dll
MOD - [2011/08/10 21:44:17 | 000,679,936 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\ccd064df52eb5479bf745ec2a7b74952\System.Security.ni.dll
MOD - [2011/08/10 21:44:14 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\29c6ef7f07d89496c72a1bbf718aed5d\System.Configuration.ni.dll
MOD - [2011/08/10 21:32:56 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\4c3cda96b8f12220da20f2f8d1b9439c\System.Xml.ni.dll
MOD - [2011/08/10 21:32:30 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c50d9d540acecdef29c31201e203a331\System.Windows.Forms.ni.dll
MOD - [2011/08/10 21:32:21 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8d83838f9840bde901df516ba3de588\System.Drawing.ni.dll
MOD - [2011/08/10 21:31:43 | 002,295,296 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\5f0189c3cfa13a549dea4f897b980b9f\System.Core.ni.dll
MOD - [2011/08/10 21:31:37 | 006,277,280 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2011/08/10 21:31:14 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\6a38f370d4e68b65106d1065d0b77067\PresentationFramework.Aero.ni.dll
MOD - [2011/08/10 21:30:34 | 014,328,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\180849cb54aab0bc77a229c41f967c90\PresentationFramework.ni.dll
MOD - [2011/08/10 21:30:10 | 012,216,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\cbe5fbb2e20534d89c0588cc05418840\PresentationCore.ni.dll
MOD - [2011/08/10 21:29:57 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\9afe86eee3ddf79c5f6cf5d85873c464\WindowsBase.ni.dll
MOD - [2011/08/10 21:29:48 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b9ea0d414c4861120bfb7365d8ec0939\System.ni.dll
MOD - [2011/08/03 20:18:05 | 014,401,832 | ---- | M] () -- E:\Program Files\Steam\bin\libcef.dll
MOD - [2011/08/03 20:17:35 | 000,190,248 | ---- | M] () -- E:\Program Files\Steam\bin\chromehtml.dll
MOD - [2011/08/03 20:17:35 | 000,091,432 | ---- | M] () -- E:\Program Files\Steam\bin\avutil-50.dll
MOD - [2011/08/03 20:17:34 | 000,914,216 | ---- | M] () -- E:\Program Files\Steam\bin\avcodec-52.dll
MOD - [2011/08/03 20:17:34 | 000,155,432 | ---- | M] () -- E:\Program Files\Steam\bin\avformat-52.dll
MOD - [2011/06/20 19:50:16 | 000,060,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\a6485a160959fbed092dc2ddbed3509e\UIAutomationProvider.ni.dll
MOD - [2011/06/20 19:45:07 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f6deb187f24bb3185841092b89fbfdbb\mscorlib.ni.dll
MOD - [2011/05/24 23:50:44 | 000,243,712 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2011/05/24 22:24:16 | 000,037,376 | ---- | M] () -- C:\Windows\System32\atitmpxx.dll
MOD - [2011/04/14 11:48:32 | 001,758,208 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\vdDaemon.exe
MOD - [2011/03/21 11:06:08 | 000,248,320 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\razerhid.exe
MOD - [2010/04/27 14:41:26 | 000,218,112 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\razertra.exe
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/01/07 13:28:02 | 000,143,360 | ---- | M] () -- C:\Program Files\Razer\Lycosa\razertra.exe


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 07:43:51 | 000,121,000 | ---- | M] (AVAST Software) [Auto | Stopped] -- E:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- E:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/05/24 23:03:26 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/11/01 23:42:47 | 000,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/10/29 14:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007/05/29 11:19:08 | 000,198,240 | ---- | M] () [Auto | Running] -- c:\hp\HPEZBTN\HPBtnSrv.exe -- (HPBtnSrv)
SRV - [2006/09/11 19:02:44 | 000,544,256 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service) Intel®
SRV - [2006/09/11 19:01:04 | 000,167,936 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL) Intel®
SRV - [2006/09/11 18:56:32 | 000,075,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM) Intel®
SRV - [2006/09/11 18:56:20 | 000,188,416 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService) Intel®
SRV - [2006/09/03 13:32:28 | 000,208,896 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService)
SRV - [2006/09/01 02:47:56 | 000,026,624 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server) Intel® Viiv™
SRV - [2006/05/10 12:13:52 | 000,029,696 | R--- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe -- (IntelDHSvcConf)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 07:37:33 | 000,103,384 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 07:36:18 | 000,194,264 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 07:32:20 | 000,054,104 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/05/25 00:25:48 | 007,800,832 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2011/05/25 00:25:48 | 007,800,832 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011/05/24 22:25:20 | 000,245,760 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2011/03/30 14:46:24 | 000,097,808 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtihdLH3.sys -- (AtiHDAudioService)
DRV - [2010/10/01 00:16:40 | 000,010,240 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VKbms.sys -- (VKbms)
DRV - [2010/09/25 12:55:46 | 000,006,656 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hidkmdf.sys -- (hidkmdf)
DRV - [2010/01/09 17:22:02 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\aswNdis.sys -- (aswNdis)
DRV - [2009/08/10 15:25:36 | 000,039,936 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CYUSB.sys -- (CYUSB)
DRV - [2009/07/15 20:24:37 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/02/20 01:17:50 | 000,095,760 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/12/03 22:20:16 | 001,426,304 | ---- | M] (Hauppauge Computer Works) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HCW85BDA.sys -- (HCW85BDA)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2008/02/26 10:17:30 | 000,493,568 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
DRV - [2008/01/18 14:43:16 | 000,016,128 | ---- | M] (Razer USA Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Lycosa.sys -- (LycoFltr)
DRV - [2008/01/15 01:56:30 | 000,218,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/08/02 17:32:26 | 000,022,784 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dadder.sys -- (DAdderFltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.3.0.7550

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/20 10:22:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/29 16:46:56 | 000,000,000 | ---D | M]

[2009/01/14 01:04:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\John\AppData\Roaming\Mozilla\Extensions
[2011/08/30 22:29:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\f3xp57k0.default\extensions
[2010/09/18 01:00:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\f3xp57k0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/07/04 22:40:42 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\f3xp57k0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/08/30 22:29:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/15 14:56:38 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/06/30 04:34:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/03/31 22:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2010/06/30 04:34:27 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [avast5] E:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CCUTRAYICON] File not found
O4 - HKLM..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe ()
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [Lycosa] C:\Program Files\Razer\Lycosa\razerhid.exe (Razer USA Ltd.)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Steam] E:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O4 - Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = E:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.8.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\John\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\John\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/23 09:01:29 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/30 21:47:36 | 004,190,333 | ---- | C] (Swearware) -- C:\Users\John\Desktop\ComboFix.exe
[2011/08/30 19:18:38 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/08/29 18:17:00 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2011/08/29 12:11:53 | 000,000,000 | ---D | C] -- C:\Users\John\Desktop\tdsskiller
[2011/08/29 11:05:21 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\John\Desktop\OTL.exe
[2011/08/29 11:05:09 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Users\John\Desktop\aswMBR.exe
[2011/08/20 14:48:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/08/20 00:51:39 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Roaming\Razer
[2011/08/20 00:21:51 | 000,010,240 | ---- | C] (Windows ® Win 7 DDK provider) -- C:\Windows\System32\drivers\VKbms.sys
[2011/08/20 00:21:51 | 000,006,656 | ---- | C] (Windows ® Win 7 DDK provider) -- C:\Windows\System32\drivers\hidkmdf.sys
[2011/08/20 00:21:49 | 000,073,728 | ---- | C] (Razer Inc.) -- C:\Windows\System32\DeathAdder.cpl
[2011/08/20 00:03:38 | 000,039,936 | ---- | C] (Cypress Semiconductor) -- C:\Windows\System32\drivers\CYUSB.sys
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/30 22:37:59 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{6819AB56-5BC4-490F-8676-176A5595540A}.job
[2011/08/30 22:00:51 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/30 22:00:51 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/30 22:00:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/30 22:00:43 | 3218,411,520 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/30 21:47:37 | 004,190,333 | ---- | M] (Swearware) -- C:\Users\John\Desktop\ComboFix.exe
[2011/08/29 23:46:15 | 000,000,751 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2011/08/29 23:43:01 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/08/29 23:43:01 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/08/29 23:07:28 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{6460C8A4-CB79-4BC5-B2FD-3F698354478A}.job
[2011/08/29 20:00:00 | 000,000,544 | ---- | M] () -- C:\Windows\tasks\Norton Internet Security - Run Full System Scan - John.job
[2011/08/29 12:11:16 | 000,000,512 | ---- | M] () -- C:\Users\John\Desktop\MBR.dat
[2011/08/23 23:28:14 | 591,239,341 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/08/23 11:13:28 | 000,089,088 | ---- | M] () -- C:\Users\John\Desktop\mbr.exe
[2011/08/23 11:11:02 | 000,294,216 | ---- | M] () -- C:\Users\John\Desktop\gmer.zip
[2011/08/23 10:35:18 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\John\Desktop\OTL.exe
[2011/08/23 10:32:30 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Users\John\Desktop\aswMBR.exe
[2011/08/23 10:31:14 | 001,390,139 | ---- | M] () -- C:\Users\John\Desktop\tdsskiller.zip
[2011/08/20 14:48:31 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/08/20 00:26:20 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_VKbms_01009.Wdf
[2011/08/20 00:26:17 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2011/08/19 22:22:06 | 000,000,338 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForJohn-Carl.job
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/29 12:11:16 | 000,000,512 | ---- | C] () -- C:\Users\John\Desktop\MBR.dat
[2011/08/29 11:05:33 | 000,089,088 | ---- | C] () -- C:\Users\John\Desktop\mbr.exe
[2011/08/29 11:05:28 | 000,294,216 | ---- | C] () -- C:\Users\John\Desktop\gmer.zip
[2011/08/29 11:05:16 | 001,390,139 | ---- | C] () -- C:\Users\John\Desktop\tdsskiller.zip
[2011/08/22 20:48:31 | 3218,411,520 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/20 14:48:31 | 000,001,878 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/08/20 00:26:20 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_VKbms_01009.Wdf
[2011/08/20 00:26:17 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2011/08/20 00:25:44 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
[2011/07/09 17:05:15 | 000,160,836 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/05/24 23:44:26 | 000,059,904 | ---- | C] () -- C:\Windows\System32\OVDecode.dll
[2011/04/20 12:30:06 | 000,233,765 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/03/17 13:51:44 | 000,003,929 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011/01/05 18:51:19 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/08/25 21:19:36 | 000,037,376 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010/05/19 12:43:16 | 000,000,600 | ---- | C] () -- C:\Users\John\AppData\Roaming\winscp.rnd
[2010/04/11 21:26:19 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/04/11 21:24:07 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/12/16 21:17:47 | 000,000,048 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2009/09/10 00:24:18 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/04/15 22:51:30 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/04/15 22:43:57 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2009/04/15 22:30:26 | 000,001,356 | ---- | C] () -- C:\Users\John\AppData\Local\d3d9caps.dat
[2009/03/10 23:09:12 | 000,111,928 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2009/03/10 23:09:04 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2009/03/10 21:08:19 | 000,794,408 | ---- | C] () -- C:\Windows\System32\pbsvc.exe
[2009/02/03 00:13:23 | 000,138,784 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009/02/03 00:13:23 | 000,022,328 | ---- | C] () -- C:\Users\John\AppData\Roaming\PnkBstrK.sys
[2009/01/14 01:27:29 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/02/17 21:52:01 | 000,000,329 | ---- | C] () -- C:\Windows\doom3.ini
[2008/02/14 18:24:56 | 000,068,608 | ---- | C] () -- C:\Users\John\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/19 17:19:43 | 000,000,316 | ---- | C] () -- C:\Windows\game.ini
[2007/12/30 15:08:56 | 000,000,868 | ---- | C] () -- C:\Windows\CoD.ini
[2007/12/25 01:14:17 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/08/23 08:51:11 | 000,107,026 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/08/23 08:38:34 | 000,066,048 | ---- | C] () -- C:\Windows\System32\hcwxds.dll
[2007/08/23 08:33:26 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/08/23 08:25:09 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
[2007/08/23 08:25:09 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
[2007/05/14 08:28:10 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/04/13 15:19:52 | 000,007,680 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2006/12/14 02:01:36 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/12/14 02:01:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,359,368 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/06/23 13:09:34 | 000,019,968 | R--- | C] () -- C:\Windows\System32\cpuinf32.dll
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/08/04 21:40:43 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Leadertech
[2008/10/03 20:23:08 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\My Battle for Middle-earth Files
[2010/10/02 14:59:58 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\My Battle for Middle-earth™ II Files
[2007/12/26 22:27:32 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\My Games
[2009/12/06 17:38:47 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\PictureMover
[2011/08/20 00:51:39 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Razer
[2009/12/06 17:36:18 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Snapfish
[2010/05/20 01:15:32 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\SSH
[2008/03/12 00:32:53 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\WildTangent
[2008/10/19 17:53:27 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\WinBatch
[2011/08/30 21:59:25 | 000,032,654 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/08/29 23:07:28 | 000,000,426 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{6460C8A4-CB79-4BC5-B2FD-3F698354478A}.job
[2011/08/30 22:37:59 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{6819AB56-5BC4-490F-8676-176A5595540A}.job

========== Purity Check ==========



< End of report >
  • 0

#7
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
We will revisit that area on completion of the Combofix run :)
  • 0

#8
Aiand
    New Member
  • Topic Starter
  • Member
  • Pip
  • 6 posts
Attaching 2 ComboFix logs, one run on my profile, the other on my son's (just to be sure).

Thanks again for your help!

Attached File: ComboFix-08302011-John.txt (16.96KB, 65 downloads)
Attached File: ComboFix.txt (13.35KB, 38 downloads)
  • 0

#9
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Let's have another bash at removing the reg entries; on completion of these runs, can you let me know what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Reg
    [HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-21-3452593512-2370901467-3437361607-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#10
Aiand
    New Member
  • Topic Starter
  • Member
  • Pip
  • 6 posts
I ran OTL with your mods but it stopped in the same place.

I also ran MWB and it didn't find anything.

Is there a manual edit I can do to the registry that will effect the change you are looking to do?

Let me know.

Thanks
  • 0

#11
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
I have created a registry batch that will do the same thing.


Download the attached zip file.
Extract the .reg file to your desktop.
Right-click the .reg file and select Merge.
Accept the warning.
And you are done.

The reg entries are currently inert, but it is best to be shot of them.

Any further problems?
  • 0
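The attached .reg file is not reproduced in the thread, so here is an added example (not Essexboy's attachment, and not OTL's own code) of the same cleanup that the OTL fix in post #9 expresses: delete the XMLHTTP_UUID_Default value under each of the listed HKU keys and flush the DNS resolver cache. It is written as a PowerShell script rather than a .reg merge so that each step reports what it found and a final pass confirms nothing is left. The key paths and value name are the ones quoted in the fix above; the S-1-5-21-... SID is specific to this machine and would differ on any other.

```powershell
# Added example, not the attached .reg file: removes the XMLHTTP_UUID_Default
# value from the keys named in the OTL fix and flushes DNS, then verifies.
# Run from an elevated PowerShell prompt. The SID-keyed path below is taken
# from this thread's fix and is specific to this system.

$valueName = 'XMLHTTP_UUID_Default'

# HKEY_USERS is not a default PowerShell drive, so map it first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Keys from the :Reg section of the OTL fix, one per user hive.
$keys = @(
    'HKU:\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKU:\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKU:\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKU:\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKU:\S-1-5-21-3452593512-2370901467-3437361607-1001\SOFTWARE\Microsoft\Internet Explorer\Main'
)

# Returns $true when the value exists under the given key.
function Test-ValuePresent([string]$Key, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $Name)
}

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "absent key : $key"
        continue
    }
    if (Test-ValuePresent -Key $key -Name $valueName) {
        # Log the value before deleting it, so the record shows what was removed.
        $old = (Get-ItemProperty -LiteralPath $key).$valueName
        Write-Output ("removing   : {0}\{1} = {2}" -f $key, $valueName, $old)
        Remove-ItemProperty -LiteralPath $key -Name $valueName
    } else {
        Write-Output "no value   : $key"
    }
}

# Equivalent of the ":Files" line "ipconfig /flushdns /c" in the OTL fix.
ipconfig /flushdns | Out-Null

# Verification pass: list any key where the value survived the removal.
$remaining = foreach ($key in $keys) {
    if (Test-ValuePresent -Key $key -Name $valueName) { $key }
}
if ($remaining) {
    Write-Output "STILL PRESENT under:"
    $remaining
} else {
    Write-Output "clean: $valueName removed from all listed keys"
}
```

The same deletion can be written as a .reg file for merging, which is the form the post hands out: under each `[HKEY_USERS\...\Main]` header, the line `"XMLHTTP_UUID_Default"=-` removes that value, the `=-` syntax the OTL :Reg section mirrors. The script form is preferred here because a merge reports nothing, while this version prints which hives actually carried the value and confirms the result.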

#12
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
