Need help with removing stubborn infection (OTL included)


This topic is locked

#1 Robbie Hoffman (New Member, 5 posts)
I'm trying to remove an infection (or infections) from my sister's computer. I am not sure how she got it, but she did mention clicking on an attachment in an email she got from someone whose email was compromised.
I've booted into safe mode and run Malwarebytes, CCleaner and Avast Antivirus, and I've also manually removed some files.

Whatever the infection is, it is starting up on boot, and I could not find the file in any startup programs or anything, and it's making the CPU run at 100% shortly after logging on. The name of the process in the process list is "956804881:3998283974.exe". I removed multiple other .exe files related to this same infection (I believe) whose file names were just a bunch of numbers (9295272.exe, for example, was one). I also deleted files such as playpickle32.exe, sysdriver32.exe, sysdriver32_.exe and l1reserv.exe. I am not sure if these are all related to the same infection or not.

Now for the OTL:

OTL logfile created on: 9/7/2011 9:42:40 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = E:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 70.15% Memory free
2.96 Gb Paging File | 2.73 Gb Available in Paging File | 92.04% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.70 Gb Total Space | 28.32 Gb Free Space | 79.34% Space Free | Partition Type: NTFS
Drive E: | 14.91 Gb Total Space | 14.32 Gb Free Space | 96.03% Space Free | Partition Type: FAT32

Computer Name: B2B8384C599244B | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\956804881:3998283974.exe
PRC - [2011/09/07 21:31:42 | 000,581,120 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2011/09/01 16:43:09 | 000,386,560 | ---- | M] () -- C:\WINDOWS\update.7.1\svchostdriver.exe
PRC - [2011/08/23 08:04:14 | 000,359,936 | ---- | M] () -- C:\WINDOWS\update.5.0\svchost.exe
PRC - [2011/08/23 08:04:14 | 000,359,936 | ---- | M] () -- C:\WINDOWS\update.5.0\svchost.exe
PRC - [2011/05/19 20:48:36 | 000,890,200 | ---- | M] (LULU Software) -- C:\Program Files\Soda PDF\ConversionService.exe
PRC - [2011/05/10 07:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2009/09/11 15:06:30 | 000,563,024 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
PRC - [2009/09/11 15:06:28 | 006,788,944 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
PRC - [2009/09/10 14:31:30 | 000,044,032 | ---- | M] () -- C:\Program Files\Belkin\Router Setup and Monitor\ndis_events.exe
PRC - [2009/09/10 14:26:30 | 000,086,016 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe
PRC - [2009/04/07 19:27:30 | 001,511,424 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2009/03/28 00:10:56 | 000,015,872 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2006/02/28 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/28 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\userinit.exe
PRC - [2003/12/25 21:53:08 | 000,270,336 | ---- | M] () -- C:\Program Files\NETGEAR GA311 Adapter\GA311.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/01 16:43:09 | 000,386,560 | ---- | M] () -- C:\WINDOWS\update.7.1\svchostdriver.exe
MOD - [2011/08/23 08:04:14 | 000,359,936 | ---- | M] () -- C:\WINDOWS\update.5.0\svchost.exe
MOD - [2009/09/11 15:06:32 | 000,021,328 | ---- | M] () -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinServicePS.dll
MOD - [2009/09/11 14:48:44 | 000,557,056 | ---- | M] () -- C:\Program Files\Belkin\Router Setup and Monitor\gateways\GenericBelkinGatewayLOC.dll
MOD - [2009/09/10 14:31:30 | 000,044,032 | ---- | M] () -- C:\Program Files\Belkin\Router Setup and Monitor\ndis_events.exe
MOD - [2009/09/10 14:26:30 | 000,057,395 | ---- | M] () -- C:\WINDOWS\system32\pthreadVC.dll
MOD - [2008/06/20 12:41:10 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2003/12/25 21:53:08 | 000,270,336 | ---- | M] () -- C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
MOD - [2003/12/25 21:53:08 | 000,049,152 | ---- | M] () -- C:\Program Files\NETGEAR GA311 Adapter\Rtl8169LibC.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (srvsysdriver32)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/09/01 16:43:09 | 000,386,560 | ---- | M] () [Auto | Running] -- C:\WINDOWS\update.7.1\svchostdriver.exe -- (ddservice)
SRV - [2011/08/24 10:00:23 | 000,369,152 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\update.4.1\svchost.exe -- (srvbtc1)
SRV - [2011/08/23 08:04:14 | 000,359,936 | ---- | M] () [Auto | Running] -- C:\WINDOWS\update.5.0\svchost.exe -- (srvbtcclient)
SRV - [2011/05/19 20:48:38 | 000,814,936 | ---- | M] (LULU Software) [On_Demand | Stopped] -- C:\Program Files\Soda PDF\HelperService.exe -- (Soda PDF Helper Service)
SRV - [2011/05/19 20:48:36 | 000,890,200 | ---- | M] (LULU Software) [Auto | Running] -- C:\Program Files\Soda PDF\ConversionService.exe -- (Soda PDF Service)
SRV - [2009/09/11 15:06:30 | 000,563,024 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2009/09/10 14:26:30 | 000,086,016 | ---- | M] (CACE Technologies) [Auto | Running] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/05/04 14:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 14:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2009/03/28 00:10:56 | 000,015,872 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2009/09/10 14:48:20 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2009/09/10 14:26:30 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/08/13 17:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/10/01 12:24:00 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/25 21:53:10 | 000,067,456 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
DRV - [2003/12/25 21:53:10 | 000,011,237 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2003/12/25 21:53:10 | 000,008,440 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\1.3.21.68\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\1.3.21.68\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Rob\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/09/07 20:33:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/02 14:41:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/05/31 21:23:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rob\Application Data\Mozilla\Extensions
[2011/09/02 14:42:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\0jvq04vb.default\extensions
[2011/09/02 14:42:16 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\0jvq04vb.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/09/02 14:41:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/02 14:41:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011/09/02 14:41:22 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/05/30 19:39:15 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/03 05:08:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/06/15 23:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/01 16:43:47 | 000,000,000 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (Soda PDF Helper) - {5CFCAFF6-5BB0-4864-B626-021C99ED82E5} - C:\Program Files\Soda PDF\PDFIEHelper.dll (LULU Software)
O3 - HKLM\..\Toolbar: (Soda PDF Toolbar) - {980EB9EC-6EB5-4258-BDDB-EFE25C5F99EF} - C:\Program Files\Soda PDF\PDFIEPlugin.dll (LULU Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe (Affinegy, Inc.)
O4 - HKLM..\Run: [wxpdrv] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1306609463531 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.209.36 97.64.168.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C31C6292-552F-4A08-90F7-98F692421A5E}: DhcpNameServer = 97.64.209.36 97.64.168.13
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O31 - SafeBoot: AlternateShell - services32.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/27 21:03:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/07 21:22:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/09/07 21:03:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rob\Recent
[2011/09/07 20:33:40 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/09/07 20:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/09/07 20:33:39 | 000,307,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/09/07 20:33:37 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/09/07 20:33:36 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/09/07 20:33:35 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/09/07 20:33:34 | 000,102,616 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/09/07 20:33:34 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/09/07 20:33:33 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/09/07 20:33:08 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/09/07 20:33:07 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/09/07 20:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Start Menu\Programs\CCleaner
[2011/09/07 19:37:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/09/07 19:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2011/09/07 17:25:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/09/07 16:57:20 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/09/07 16:57:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/09/03 11:12:07 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/02 14:41:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\Mozilla
[2011/09/02 14:41:19 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/09/01 21:51:19 | 005,559,024 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Rob\Desktop\avg_free_stb_all_2011_1375_cnet.exe
[2011/09/01 21:47:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/01 21:47:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/01 21:47:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/01 21:31:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Malwarebytes
[2011/09/01 21:31:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/01 21:31:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/01 16:43:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.7.1
[2011/09/01 16:41:58 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.8.1
[2011/09/01 16:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\Unused Desktop Shortcuts
[2011/08/24 14:23:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/08/23 08:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ufa
[2011/08/23 08:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\rpcminer
[2011/08/23 08:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\phoenix
[2011/08/23 08:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Bitcoin
[2011/08/23 08:05:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.4.1
[2011/08/23 08:04:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.5.0
[2011/08/23 08:02:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.3
[2011/08/23 08:01:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WinRAR
[2011/08/23 08:01:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.2
[2011/08/23 07:59:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.1
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/07 21:45:20 | 000,001,172 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/07 21:41:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\956804881
[2011/09/07 21:41:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/07 21:40:45 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/09/07 20:33:40 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/09/07 20:33:35 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/09/07 20:28:14 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\CCleaner.lnk
[2011/09/07 19:14:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-2111687655-682003330-1004UA1cc627829a8792a.job
[2011/09/07 17:26:33 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/06 11:14:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-2111687655-682003330-1004Core.job
[2011/09/04 15:15:54 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Google Chrome.lnk
[2011/09/04 15:15:54 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/09/03 11:12:07 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/02 14:42:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2011/09/02 14:41:26 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/02 14:41:26 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/09/01 21:34:35 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_46301.nl_
[2011/09/01 16:43:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/01 16:43:10 | 000,000,246 | ---- | M] () -- C:\WINDOWS\info1
[2011/09/01 16:42:56 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hīsts
[2011/09/01 16:36:02 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/08/23 08:06:19 | 005,589,370 | ---- | M] () -- C:\WINDOWS\phoenix.rar
[2011/08/23 08:06:19 | 000,246,272 | ---- | M] () -- C:\WINDOWS\unrar.exe
[2011/08/23 08:06:19 | 000,182,617 | ---- | M] () -- C:\WINDOWS\ufa.rar
[2011/08/23 08:06:17 | 001,075,284 | ---- | M] () -- C:\WINDOWS\rpcminer.rar
[2011/08/23 08:01:39 | 000,904,792 | ---- | M] () -- C:\WINDOWS\geoiplist.rar
[2011/08/23 08:00:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\loader2.exe_ok
[2011/08/23 07:59:18 | 001,211,904 | ---- | M] () -- C:\WINDOWS\services32.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/07 21:40:40 | 000,001,710 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
[2011/09/07 21:07:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\956804881
[2011/09/07 20:33:40 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/09/07 20:28:13 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\CCleaner.lnk
[2011/09/02 14:42:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/09/02 14:41:26 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/02 14:41:26 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/09/02 14:41:26 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/09/01 21:47:12 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/01 21:34:35 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_46301.nl_
[2011/09/01 16:36:02 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/08/24 11:09:12 | 000,000,970 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-2111687655-682003330-1004UA1cc627829a8792a.job
[2011/08/23 08:06:19 | 005,589,370 | ---- | C] () -- C:\WINDOWS\phoenix.rar
[2011/08/23 08:06:19 | 000,182,617 | ---- | C] () -- C:\WINDOWS\ufa.rar
[2011/08/23 08:06:17 | 001,075,284 | ---- | C] () -- C:\WINDOWS\rpcminer.rar
[2011/08/23 08:01:40 | 004,636,907 | ---- | C] () -- C:\WINDOWS\geoiplist
[2011/08/23 08:01:39 | 000,904,792 | ---- | C] () -- C:\WINDOWS\geoiplist.rar
[2011/08/23 08:01:39 | 000,246,272 | ---- | C] () -- C:\WINDOWS\unrar.exe
[2011/08/23 08:01:11 | 000,000,246 | ---- | C] () -- C:\WINDOWS\info1
[2011/08/23 08:00:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\loader2.exe_ok
[2011/08/23 07:59:24 | 001,211,904 | ---- | C] () -- C:\WINDOWS\services32.exe
[2011/06/03 01:59:27 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/30 18:58:54 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2011/05/30 17:58:32 | 000,057,395 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2011/05/28 13:51:06 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2011/05/28 13:51:06 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/05/27 21:06:20 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/05/27 21:00:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/27 13:53:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/27 13:52:11 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 07:00:00 | 000,441,124 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 07:00:00 | 000,071,060 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 07:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/02/28 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 07:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/02/28 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\956804881:3998283974.exe

< End of report >
#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello Robbie Hoffman and welcome to G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or that isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

We need to disable the malware processes on your system first.
  • Download TheKiller to your Desktop
  • Note that TheKiller is renamed as explorer.exe
  • Run it by double-clicking (if running Vista or Windows 7, right-click on it and select "Run as an Administrator")
  • Press the OK button after the program finishes
  • Do not restart your system after this step
NOTE: If malware blocks TheKiller from running, please try to run it several more times.

Step 2

Please close all running programs and run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    MOD - [2011/09/01 16:43:09 | 000,386,560 | ---- | M] () -- C:\WINDOWS\update.7.1\svchostdriver.exe
    MOD - [2011/08/23 08:04:14 | 000,359,936 | ---- | M] () -- C:\WINDOWS\update.5.0\svchost.exe
    MOD - [2009/09/10 14:26:30 | 000,057,395 | ---- | M] () -- C:\WINDOWS\system32\pthreadVC.dll
    SRV - File not found [Auto | Stopped] -- -- (srvsysdriver32)
    SRV - [2011/09/01 16:43:09 | 000,386,560 | ---- | M] () [Auto | Running] -- C:\WINDOWS\update.7.1\svchostdriver.exe -- (ddservice)
    SRV - [2011/08/24 10:00:23 | 000,369,152 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\update.4.1\svchost.exe -- (srvbtc1)
    SRV - [2011/08/23 08:04:14 | 000,359,936 | ---- | M] () [Auto | Running] -- C:\WINDOWS\update.5.0\svchost.exe -- (srvbtcclient)
    O4 - HKLM..\Run: [wxpdrv] File not found
    O31 - SafeBoot: AlternateShell - services32.exe
    [2011/09/01 16:43:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.7.1
    [2011/09/01 16:41:58 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.8.1
    [2011/08/23 08:05:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.4.1
    [2011/08/23 08:04:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.5.0
    [2011/08/23 08:02:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.3
    [2011/08/23 08:01:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.2
    [2011/08/23 07:59:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.1
    [2011/09/07 21:41:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\956804881
    [2011/09/01 21:34:35 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_46301.nl_
    [2011/09/01 16:42:56 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hīsts
    [2011/08/23 08:00:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\loader2.exe_ok
    [2011/08/23 07:59:18 | 001,211,904 | ---- | M] () -- C:\WINDOWS\services32.exe
    [2011/05/30 17:58:32 | 000,057,395 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\956804881:3998283974.exe

    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\update.7.1\svchostdriver.exe
    C:\WINDOWS\update.5.0\svchost.exe
    C:\WINDOWS\956804881:3998283974.exe

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, and reboot the PC when it is done
  • Post the fix log it produces in your next reply; you can also find it in C:\_OTL\MovedFiles

Step 3

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double-click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If an infection is detected, the default setting for "action" should be Cure.
    • (If a suspicious file is detected, please click on it and change it to Skip.)
  • Click the Continue button.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 4

Download aswMBR.exe (511 KB) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply

Step 5

Please don't forget to include these items in your reply:

  • OTL fix log
  • aswMBR log
  • TDSSKiller log
It would be helpful if you could post each log in a separate post
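As an added example that is not part of this thread (neither maliprog's instructions nor OTL's own tooling), here is a small Python triage helper for OTL log lines of the shape posted in this topic. It flags four patterns visible in these logs: services set to Auto whose binary is no longer on disk, a SafeBoot AlternateShell other than the default cmd.exe (the value Windows launches for "Safe Mode with Command Prompt"), executables hidden in NTFS alternate data streams, and no-company executables or all-digit names sitting directly in C:\WINDOWS. The sample lines are copied from the logs above; the category names, file-type list and regexes are my own.

```python
import ntpath
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    category: str
    detail: str
    line: str


# OTL prints file and folder entries in one shape:
#   [date time | size | attributes | C or M] (company) -- path
FILE_ENTRY = re.compile(
    r"^\[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| (?P<attr>[^|]+)\| (?P<flag>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
# A service entry whose binary OTL could not find on disk, with its start type.
MISSING_SERVICE = re.compile(
    r"^SRV - File not found \[(?P<start>[^\]]+)\] -- -- \((?P<name>[^)]+)\)"
)
# O31 reports the shell Windows launches for "Safe Mode with Command Prompt".
SAFEBOOT_SHELL = re.compile(r"^O31 - SafeBoot: AlternateShell - (?P<shell>.+)$")
# An executable stored in an NTFS alternate data stream of another file.
ADS_ENTRY = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

# Extensions treated as executable code (my own list, not OTL's).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}

# Constructed sample: lines copied from the logs in this thread, plus two
# benign Windows-root files to show the rules do not fire on everything.
SAMPLE_LOG = r"""
SRV - File not found [Auto] -- -- (srvsysdriver32)
SRV - File not found [Auto] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - [2011/05/19 21:48:38 | 000,814,936 | ---- | M] (LULU Software) [On_Demand] -- C:\Program Files\Soda PDF\HelperService.exe -- (Soda PDF Helper Service)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - services32.exe
[2011/08/23 07:59:18 | 001,211,904 | ---- | M] () -- C:\WINDOWS\services32.exe
[2011/09/07 21:41:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\956804881
[2011/09/10 14:47:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/07 21:33:08 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/06/16 00:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\956804881:3998283974.exe
"""


def _suspicious_in_system_root(path: str, company: str, system_root: str) -> bool:
    """True for a file sitting directly in the Windows directory that carries
    no company name and is either an all-digit name or an executable type."""
    if company.strip():
        return False
    parent = ntpath.dirname(path).rstrip("\\").lower()
    if parent != system_root.rstrip("\\").lower():
        return False
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return stem.isdigit() or ext.lower() in EXECUTABLE_EXTS


def triage(log_text: str, system_root: str = r"C:\WINDOWS") -> List[Finding]:
    """Walk an OTL log and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()  # fix scripts quote log lines with leading indentation
        svc = MISSING_SERVICE.match(line)
        if svc and svc["start"] == "Auto":
            findings.append(Finding("orphaned-autostart-service", svc["name"], line))
            continue
        shell = SAFEBOOT_SHELL.match(line)
        if shell and shell["shell"].strip().lower() != "cmd.exe":
            findings.append(Finding("safeboot-shell-hijack", shell["shell"].strip(), line))
            continue
        ads = ADS_ENTRY.match(line)
        if ads:
            findings.append(Finding("alternate-data-stream", ads["path"], line))
            continue
        entry = FILE_ENTRY.match(line)
        if entry and _suspicious_in_system_root(entry["path"], entry["company"], system_root):
            findings.append(Finding("suspicious-file-in-system-root", entry["path"], line))
    return findings


def categories(findings: List[Finding]) -> dict:
    """Count findings per category, handy for summarising a long log."""
    counts: dict = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:32} {f.detail}")
    print(categories(triage(SAMPLE_LOG)))
```

A hit here is a prompt to look closer, not a verdict; the helper's fix script above is still built by a human reading the whole log.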

#3
Robbie Hoffman

    New Member

  • Topic Starter
  • Member
  • 5 posts
I completed steps 1 and 2, and when I rebooted my PC my mouse and keyboard both stopped working. They are the old PS/2 style connection and not USB. Could either of the things in steps one and two have caused this?

#4
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Robbie Hoffman,

Could either of the things in steps one and two have caused this?


No...as far as I can see.

Could be that some malware doesn't like to be touched, so it shut down the mouse and keyboard. We'll find what happened...

Please try to enter safe mode and see if your mouse and keyboard work there.

To restart in safe mode:
  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.


#5
Robbie Hoffman

    New Member

  • Topic Starter
  • Member
  • 5 posts
I have already tried booting into safe mode with no luck.

#6
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
We will need a clean PC, a blank CD and a USB memory stick for this step. After you burn OTLPE to CD, use it on your infected system to get a scan log.

Please print these instructions out so that you know what you are doing.

  • Download OTLPEStd.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Drag and drop this attached scan.txt into the Custom scans and fixes box
    Attached file: scan.txt (254 bytes)
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Right click the file, select Send To, and choose the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#7
Robbie Hoffman

    New Member

  • Topic Starter
  • Member
  • 5 posts
OTL logfile created on: 9/10/2011 5:30:39 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 82.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.70 Gb Total Space | 28.30 Gb Free Space | 79.28% Space Free | Partition Type: NTFS
Drive D: | 14.91 Gb Total Space | 14.31 Gb Free Space | 95.99% Space Free | Partition Type: FAT32
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (srvsysdriver32)
SRV - File not found [Auto] -- -- (srvbtcclient)
SRV - File not found [Auto] -- -- (srvbtc1)
SRV - File not found [Auto] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - File not found [Auto] -- -- (ddservice)
SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - [2011/05/19 21:48:38 | 000,814,936 | ---- | M] (LULU Software) [On_Demand] -- C:\Program Files\Soda PDF\HelperService.exe -- (Soda PDF Helper Service)
SRV - [2011/05/19 21:48:36 | 000,890,200 | ---- | M] (LULU Software) [Auto] -- C:\Program Files\Soda PDF\ConversionService.exe -- (Soda PDF Service)
SRV - [2009/09/11 16:06:30 | 000,563,024 | ---- | M] (Affinegy, Inc.) [Auto] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2009/04/17 15:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2009/03/28 01:10:56 | 000,015,872 | ---- | M] (LSI Corporation) [Auto] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (AFGMp50)
DRV - File not found [Kernel | On_Demand] -- -- (11af0739)
DRV - [2009/09/10 15:48:20 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2009/09/10 15:26:30 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/08/13 18:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/02/28 08:00:00 | 000,162,816 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2006/02/28 08:00:00 | 000,052,736 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2006/02/28 08:00:00 | 000,041,856 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\imapi.sys -- (Imapi)
DRV - [2004/10/01 13:24:00 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/25 22:53:10 | 000,067,456 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
DRV - [2003/12/25 22:53:10 | 000,011,237 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2003/12/25 22:53:10 | 000,008,440 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Rob_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/09/07 21:33:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/02 15:41:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/09/02 15:41:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/02 15:41:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011/09/02 15:41:22 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/06/16 00:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/01 17:43:47 | 000,000,000 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (Soda PDF Helper) - {5CFCAFF6-5BB0-4864-B626-021C99ED82E5} - C:\Program Files\Soda PDF\PDFIEHelper.dll (LULU Software)
O3 - HKLM\..\Toolbar: (Soda PDF Toolbar) - {980EB9EC-6EB5-4258-BDDB-EFE25C5F99EF} - C:\Program Files\Soda PDF\PDFIEPlugin.dll (LULU Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe (Affinegy, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Rob_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1306609463531 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.209.36 97.64.168.13
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - services32.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/27 22:03:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: BITS - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/09/07 22:22:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/09/07 22:03:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rob\Recent
[2011/09/07 21:33:40 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/09/07 21:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/09/07 21:33:39 | 000,307,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/09/07 21:33:37 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/09/07 21:33:36 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/09/07 21:33:35 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/09/07 21:33:34 | 000,102,616 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/09/07 21:33:34 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/09/07 21:33:33 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/09/07 21:33:08 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/09/07 21:33:07 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/09/07 21:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Start Menu\Programs\CCleaner
[2011/09/07 21:23:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/09/07 20:37:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/09/07 20:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2011/09/07 18:26:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/09/07 18:25:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\CCleaner
[2011/09/07 18:25:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/09/07 17:57:20 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/09/07 17:57:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/09/07 17:56:08 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2011/09/07 17:56:08 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Cookies
[2011/09/07 17:56:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2011/09/07 17:56:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2011/09/07 17:56:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
[2011/09/07 17:56:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2011/09/07 17:56:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
[2011/09/07 17:56:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2011/09/07 17:56:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2011/09/07 17:56:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2011/09/07 17:56:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2011/09/07 17:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2011/09/07 17:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2011/09/07 17:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2011/09/07 17:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2011/09/03 12:12:07 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/02 15:41:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\Mozilla
[2011/09/02 15:41:19 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/09/01 22:51:19 | 005,559,024 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Rob\Desktop\avg_free_stb_all_2011_1375_cnet.exe
[2011/09/01 22:47:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/01 22:47:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/01 22:47:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/01 22:31:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Malwarebytes
[2011/09/01 22:31:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/01 22:31:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/01 17:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\Unused Desktop Shortcuts
[2011/08/24 15:23:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/08/23 09:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ufa
[2011/08/23 09:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\rpcminer
[2011/08/23 09:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\phoenix
[2011/08/23 09:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Bitcoin
[2011/08/23 09:01:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WinRAR
[2011/08/23 08:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Start Menu
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/10 14:47:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/10 14:14:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-2111687655-682003330-1004UA1cc627829a8792a.job
[2011/09/07 22:45:20 | 000,001,172 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/07 22:40:45 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/09/07 22:40:40 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2011/09/07 21:33:40 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/09/07 21:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/09/07 21:33:35 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/09/07 21:28:14 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\CCleaner.lnk
[2011/09/07 18:26:33 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/07 18:26:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/07 18:25:09 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2011/09/06 12:14:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-2111687655-682003330-1004Core.job
[2011/09/04 16:15:54 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Google Chrome.lnk
[2011/09/04 16:15:54 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/09/03 12:12:07 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/02 15:42:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2011/09/02 15:41:26 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/02 15:41:26 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/09/02 15:41:26 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/09/01 17:43:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/01 17:43:10 | 000,000,246 | ---- | M] () -- C:\WINDOWS\info1
[2011/09/01 17:36:02 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/09/01 17:36:02 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/08/23 09:06:19 | 005,589,370 | ---- | M] () -- C:\WINDOWS\phoenix.rar
[2011/08/23 09:06:19 | 000,246,272 | ---- | M] () -- C:\WINDOWS\unrar.exe
[2011/08/23 09:06:19 | 000,182,617 | ---- | M] () -- C:\WINDOWS\ufa.rar
[2011/08/23 09:06:17 | 001,075,284 | ---- | M] () -- C:\WINDOWS\rpcminer.rar
[2011/08/23 09:01:39 | 000,904,792 | ---- | M] () -- C:\WINDOWS\geoiplist.rar
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/07 22:40:40 | 000,001,710 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
[2011/09/07 21:33:40 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/09/07 21:28:13 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\CCleaner.lnk
[2011/09/07 18:25:09 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2011/09/07 17:56:08 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
[2011/09/07 17:56:08 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
[2011/09/02 15:42:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/09/02 15:41:26 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/02 15:41:26 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/09/02 15:41:26 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/09/01 22:47:12 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/01 17:36:02 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/08/24 12:09:12 | 000,000,970 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-2111687655-682003330-1004UA1cc627829a8792a.job
[2011/08/23 09:06:19 | 005,589,370 | ---- | C] () -- C:\WINDOWS\phoenix.rar
[2011/08/23 09:06:19 | 000,182,617 | ---- | C] () -- C:\WINDOWS\ufa.rar
[2011/08/23 09:06:17 | 001,075,284 | ---- | C] () -- C:\WINDOWS\rpcminer.rar
[2011/08/23 09:01:40 | 004,636,907 | ---- | C] () -- C:\WINDOWS\geoiplist
[2011/08/23 09:01:39 | 000,904,792 | ---- | C] () -- C:\WINDOWS\geoiplist.rar
[2011/08/23 09:01:39 | 000,246,272 | ---- | C] () -- C:\WINDOWS\unrar.exe
[2011/08/23 09:01:11 | 000,000,246 | ---- | C] () -- C:\WINDOWS\info1
[2011/06/03 02:59:27 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/30 19:58:54 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2011/05/28 14:51:06 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2011/05/28 14:51:06 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/05/27 22:06:20 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/05/27 22:00:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/27 14:53:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/27 14:52:11 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,441,124 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,162,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\netbt.sys
[2006/02/28 08:00:00 | 000,071,060 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,052,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,041,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\imapi.sys
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/08/23 09:06:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Bitcoin
[2011/09/07 22:41:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\PDF Software
[2011/09/07 21:08:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\E-centives
[2011/09/04 19:42:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\PDF Software
[2011/05/30 20:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Temp
[2011/05/28 14:54:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\WinBatch
[2011/05/30 18:58:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Affinegy
[2011/09/07 21:32:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/05/28 15:01:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/30 20:00:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2011/05/31 18:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2011/09/04 16:12:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/05/28 16:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{B7A015B7-4802-4678-8CEC-700380BA9AFD}

========== Purity Check ==========



========== Custom Scans ==========


< c:\_OTL\*.* /s >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2006/02/28 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe
[2006/02/28 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[2006/02/28 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2006/02/28 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2006/02/28 08:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2006/02/28 08:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe

< MD5 for: WINLOGON.EXE >
[2006/02/28 08:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2006/02/28 08:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/06/16 00:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/06/16 00:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/06/16 00:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2006/02/28 08:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2006/02/28 08:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2006/02/28 08:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2006/02/28 08:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/06/16 00:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/06/16 00:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/06/16 00:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/09/03 08:28:25 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2006/02/28 08:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2006/02/28 08:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2006/02/28 08:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2006/02/28 08:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation)

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB59753$] -> -> Unknown point type
< End of report >
  • 0
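The "< MD5 for: ... >" sections of the OTL report above exist so a helper can spot a core system executable whose live copy in system32 no longer matches the protected copy in dllcache. As an added example that is not part of this thread or of OTL itself, the Python below parses that section format and flags such mismatches; the sample report is constructed in the same format (the svchost lines match the healthy pair in the log, the second userinit line and its hash are made up to give the check a hit).

```python
import re
from collections import defaultdict
# Constructed sample in the OTL "< MD5 for: NAME >" format used in the log above; the
# second userinit line is a made-up tampered copy (no vendor, new hash) so the check has a hit.
SAMPLE_REPORT = r"""
< MD5 for: SVCHOST.EXE >
[2006/02/28 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2006/02/28 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe
< MD5 for: USERINIT.EXE >
[2006/02/28 08:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2011/09/01 21:03:11 | 000,024,576 | ---- | M] () MD5=0123456789ABCDEF0123456789ABCDEF -- C:\WINDOWS\system32\userinit.exe
"""
HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<vendor>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

def parse_md5_sections(text):
    """Map each '< MD5 for: NAME >' header to the entries listed under it."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            e = entry.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["md5"] = e["md5"].upper()
            e["path"] = e["path"].lower()
            sections[current].append(e)
    return dict(sections)

def find_mismatches(sections):
    """Return (name, live_md5, dllcache_md5) for each live copy that differs from dllcache."""
    # Copies under SoftwareDistribution\Download are pending updates and differ legitimately,
    # so only the live system32 copy and its dllcache twin are compared.
    findings = []
    for name, entries in sections.items():
        by_path = {e["path"]: e for e in entries}
        live = by_path.get("c:\\windows\\system32\\" + name.lower())
        cache = by_path.get("c:\\windows\\system32\\dllcache\\" + name.lower())
        if live and cache and (live["md5"] != cache["md5"]
                               or live["size"] != cache["size"] or not live["vendor"]):
            findings.append((name, live["md5"], cache["md5"]))
    return findings
```

A hit only says the two copies differ; the dllcache copy itself can be stale or replaced, so confirm against a known-good hash from installation media before acting on it.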

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
I still see malware-related services and drivers. After this fix, restart your system and see if the mouse and keyboard work. If not, restart one more time, then report back to me here.

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

Attached File  Fix.txt   944bytes   107 downloads

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
    • If you cannot drag and drop for some reason, press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible

  • 0

#9
Robbie Hoffman

Robbie Hoffman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
They are still not working.
  • 0

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Robbie Hoffman,

Can you try to find a mouse with a USB connector and attach it to your system? I would like to see what happens.

Start OTLPE as you did previously from CD
Copy the attached scan.txt to a USB

Attached File  scan.txt   72bytes   92 downloads

  • Insert your USB drive with scan.txt on it
  • Start OTLPE
  • Drag and drop scan.txt into the Custom scans and fixes box
  • Then click the Run Scan button at the top
  • Let the program run unhindered
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Right click the file and select Send to, then select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it

  • 0

#11
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0