System Check Virus? [Closed]

#1 adam80 (Member, 54 posts)

Windows are popping up claiming to be system checks, I'm told that my PC has numerous errors, and I have multiple windows opening claiming that: "Windows - Delayed Write Failed. Failed to save all the components for the file \\system32\\000049dd. The file is corrupted or unreadable. This error may be caused by a PC hardware problem." My Task Manager will not open and my desktop icons are hidden. I did manage to run Malwarebytes Anti-Malware, found some items in the registry and quarantined and removed them (I've included my MBAM log below). I ran my disk cleanup for C:\ and cleaned up the temp files. My OTL log is below as well. Any help is much appreciated.

Thanks,
Adam

MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.18.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Valued Customer :: VALUED-0D5227D4 [administrator]

3/16/2012 9:47:01 PM
mbam-log-2012-03-16 (21-47-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181903
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 9
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
**********

OTL log:

OTL logfile created on: 3/17/2012 1:22:43 PM - Run 2
OTL by OldTimer - Version 3.2.39.1 Folder = C:\Documents and Settings\Valued Customer\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

253.51 Mb Total Physical Memory | 147.02 Mb Available Physical Memory | 57.99% Memory free
624.58 Mb Paging File | 499.24 Mb Available in Paging File | 79.93% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.14 Gb Total Space | 2.50 Gb Free Space | 13.04% Space Free | Partition Type: NTFS

Computer Name: VALUED-0D5227D4 | User Name: Valued Customer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Valued Customer\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\WINDOWS\system32\BrmfBAgS.exe (Brother Industries, Ltd.)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate) -- C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (LeapFrog Connect Device Service) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (brmfbags) -- C:\WINDOWS\system32\BrmfBAgS.exe (Brother Industries, Ltd.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (Cdralw2k) -- File not found
DRV - (Cdr4_2K) -- File not found
DRV - (SCTDriverV1011) -- C:\WINDOWS\system32\drivers\SCTDriverV1011.sys (Jungo)
DRV - (slabser) -- C:\WINDOWS\system32\drivers\slabser.sys (MCCI Corporation)
DRV - (slabbus) Edge Products USB Device driver (WDM) -- C:\WINDOWS\system32\drivers\slabbus.sys (MCCI Corporation)
DRV - (mf) -- C:\WINDOWS\system32\drivers\mf.sys (Microsoft Corporation)
DRV - (FlyUsb) -- C:\WINDOWS\system32\drivers\FlyUsb.sys (LeapFrog)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (brparimg) -- C:\WINDOWS\system32\drivers\BrParImg.sys (Brother Industries Ltd.)
DRV - (BrParWdm) -- C:\WINDOWS\system32\drivers\BrParwdm.sys (Brother Industries Ltd.)
DRV - (brfilt) -- C:\WINDOWS\system32\drivers\BrFilt.sys (Brother Industries Ltd.)
DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapp.../search/ie.html
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,DefaultScope = {ADCD4153-DF7D-424A-8540-152D600E55E9}
IE - HKCU\..\SearchScopes\{ADCD4153-DF7D-424A-8540-152D600E55E9}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/02/18 00:28:03 | 000,610,008 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost #[IPv6]
O1 - Hosts: 16254 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: uploaded.to ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: utsa.edu ([]* in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll (Installation Support)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1170368816796 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9FC23261-05FD-4681-A8B5-123B43FCA55A}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/01 16:47:54 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9b09ecb0-a632-11df-865e-00065b71ebb3}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/17 12:54:59 | 000,594,432 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Valued Customer\Desktop\OTL.exe
[2012/03/17 12:36:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Valued Customer\Recent
[2012/03/16 21:12:31 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Valued Customer\Start Menu\Programs\System Check
[2012/02/26 12:02:50 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\H&R Block 2011
[2012/02/26 12:01:54 | 000,000,000 | -H-D | C] -- C:\Program Files\PDF995
[2012/02/26 12:01:54 | 000,000,000 | -H-D | C] -- C:\Program Files\HRBlock2011
[1 C:\Documents and Settings\Valued Customer\*.tmp files -> C:\Documents and Settings\Valued Customer\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/17 12:55:02 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Valued Customer\Desktop\OTL.exe
[2012/03/17 12:37:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/17 12:37:03 | 265,895,936 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/17 12:36:14 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2012/03/16 21:19:51 | 000,000,853 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/16 21:13:39 | 000,000,456 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6
[2012/03/16 21:12:37 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6
[2012/03/16 21:12:37 | 000,000,192 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6r
[2012/03/16 21:12:31 | 000,000,835 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\Desktop\System Check.lnk
[2012/03/16 21:12:19 | 000,346,624 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6.exe
[2012/03/16 21:04:18 | 000,442,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\qvPKttoujdWOABX.exe
[2012/03/13 23:58:39 | 000,641,128 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/13 23:50:58 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/12 22:47:55 | 000,002,547 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\Desktop\OpenOffice.org Writer.lnk
[2012/03/11 18:09:27 | 000,441,552 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/11 18:09:27 | 000,071,488 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/27 21:59:42 | 000,037,904 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\My Documents\Charles Adamson 2011 Tax Return.T11
[2012/02/26 19:55:58 | 001,483,108 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\My Documents\Amendment[1].jpg
[2012/02/18 00:28:03 | 000,610,008 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[1 C:\Documents and Settings\Valued Customer\*.tmp files -> C:\Documents and Settings\Valued Customer\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/17 00:34:33 | 265,895,936 | -HS- | C] () -- C:\hiberfil.sys
[2012/03/16 21:19:50 | 000,000,853 | -H-- | C] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/16 21:12:37 | 000,000,192 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6r
[2012/03/16 21:12:36 | 000,000,272 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6
[2012/03/16 21:12:31 | 000,000,835 | -H-- | C] () -- C:\Documents and Settings\Valued Customer\Desktop\System Check.lnk
[2012/03/16 21:12:24 | 000,000,456 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6
[2012/03/16 21:12:18 | 000,346,624 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6.exe
[2012/03/16 21:07:22 | 000,442,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\qvPKttoujdWOABX.exe
[2012/02/27 21:59:41 | 000,037,904 | -H-- | C] () -- C:\Documents and Settings\Valued Customer\My Documents\Charles Adamson 2011 Tax Return.T11
[2012/02/26 20:04:09 | 001,483,108 | -H-- | C] () -- C:\Documents and Settings\Valued Customer\My Documents\Amendment[1].jpg
[2012/02/14 13:38:57 | 000,003,072 | -H-- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/12/24 18:46:27 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2010/11/07 08:06:18 | 000,633,568 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/29 14:07:22 | 000,019,696 | -H-- | C] () -- C:\WINDOWS\hpomdl05.dat
[2010/05/29 13:53:55 | 000,000,046 | -H-- | C] () -- C:\WINDOWS\hpqscr01.dat
[2010/05/29 13:52:00 | 000,000,046 | -H-- | C] () -- C:\WINDOWS\hposcr05.dat

========== LOP Check ==========

[2009/08/27 01:14:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Grid
[2010/12/29 14:33:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2009/05/03 12:10:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2012/02/26 11:59:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2007/12/15 20:18:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/09/07 15:41:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\com.zipeg
[2011/12/24 23:38:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Emse
[2012/02/26 21:40:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Image Zone Express
[2007/12/16 15:26:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\MSNInstaller
[2011/12/24 23:33:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Ojahfa
[2011/05/22 23:57:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\RadioCatch Web Radio Recorder
[2012/02/26 12:04:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\TaxCut
[2007/12/16 15:49:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Uniblue
[2009/04/25 22:21:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\WinPatrol
[2010/07/02 22:38:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Zipeg

========== Purity Check ==========



< End of report >
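Adam's symptoms (Task Manager refusing to open, desktop icons hidden) correspond one-to-one with the PUM registry entries in the MBAM log above and with the [HJ]/[HJPOL] entries in the RogueKiller logs posted later in the thread. The Python below is an added example, not code from the posters or from either tool: it parses both line formats, reports which user-visible symptom each hijacked value explains, and flags whether the tool already repaired it. The symptom mapping is the editor's own reading of those value names.

```python
"""Parse the registry-hijack entries that Malwarebytes (MBAM) and RogueKiller
report and map each one to the user-visible symptom it explains.

Added illustration for this thread, not code from either tool or from the
posters. Log-line formats are taken from the logs posted in the thread; the
symptom mapping is the editor's own reading of those value names.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# MBAM "Registry Data Items" line:
#   HKLM\...\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
MBAM_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\(?P<key>[^|]+)\|(?P<value>\S+) \((?P<detection>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)
# RogueKiller "Registry Entries" line:
#   [HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
RK_RE = re.compile(
    r"^\[(?P<tag>HJ|HJPOL)\] (?P<hive>HK[A-Z]+)\\\[\.\.\.\]\\(?P<key>\S+) : "
    r"(?P<value>\S+) \((?P<bad>[^)]*)\) -> (?P<action>.+)$"
)


@dataclass(frozen=True)
class Finding:
    tool: str
    hive: str
    key: str
    value: str
    bad: str          # value the tool found (the hijacked state)
    action: str       # FOUND / DELETED / REPLACED (n) / Quarantined and repaired ...
    detection: Optional[str] = None   # MBAM only (e.g. PUM.Hijack.TaskManager)
    good: Optional[str] = None        # MBAM only: the value it restored


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised log line, None for anything else."""
    line = line.strip()
    m = MBAM_RE.match(line)
    if m:
        return Finding("MBAM", m["hive"], m["key"], m["value"], m["bad"],
                       m["action"], m["detection"], m["good"])
    m = RK_RE.match(line)
    if m:
        return Finding("RogueKiller", m["hive"], m["key"], m["value"],
                       m["bad"], m["action"])
    return None


def parse_log(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def symptom(f: Finding) -> Optional[str]:
    """Map a hijacked value to what the user sees; None if not a known symptom."""
    if f.value == "DisableTaskMgr" and f.bad == "1":
        return "Task Manager blocked"
    if f.value == "NoDesktop" and f.bad == "1":
        return "desktop icons hidden"
    if f.value.startswith("Start_Show") and f.bad == "0":
        return "Start Menu item hidden: " + f.value[len("Start_Show"):]
    return None


def symptom_report(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by symptom, listing which hive and tool reported each."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        s = symptom(f)
        if s is not None:
            report.setdefault(s, []).append(f"{f.hive} ({f.tool})")
    return report


def is_remediated(f: Finding) -> bool:
    """True when the tool reports it already fixed the value (scan-only runs say FOUND)."""
    return f.action.startswith(("Quarantined and repaired", "REPLACED", "DELETED"))


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
(No malicious items detected)
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for s, where in symptom_report(found).items():
        print(f"{s}: {', '.join(where)}")
    pending = [f"{f.hive}\\...\\{f.value}" for f in found if not is_remediated(f)]
    print("still present after scan-only run:", pending)
```

Comparing the two tools' output this way shows why a second scanner is run after MBAM: the HKCU NoDesktop policy reappears in RogueKiller's scan-only run, so the rogue restored it after the first repair.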
#2 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)

Hello, adam80! :wave:

:welcome: I'm Nedklaw and I'll be glad to help you with your malware issues. :)

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

These instructions are specifically designed for adam80 only. No one else should follow these instructions because it can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:
  • Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
  • Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
  • Be patient with me, logs can take some time to research and my life can mean that I'm busy.
  • Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
  • Refrain from running any other tools apart from the ones I tell you to.
Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


I am currently reviewing your log and I will post back soon.

#3 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)

Hi. :)

Drive C: | 19.14 Gb Total Space | 2.50 Gb Free Space | 13.04% Space Free | Partition Type: NTFS

To ensure our tools run properly, the minimum free disk space required is 15%. I advise that you free some space up on drive C by uninstalling unwanted programs and deleting any personal files you don't want.


Step 1

  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Note: If RogueKiller has been blocked, do not hesitate to try several times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  • Wait until the Prescan has finished.
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on ShortcutsFix.
  • The report has been created on the desktop.

Step 2

If you have Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL 
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
    [2012/03/16 21:12:31 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Valued Customer\Start Menu\Programs\System Check
    [2012/03/16 21:19:51 | 000,000,853 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/03/16 21:13:39 | 000,000,456 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6
    [2012/03/16 21:12:37 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6
    [2012/03/16 21:12:37 | 000,000,192 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6r
    [2012/03/16 21:12:31 | 000,000,835 | -H-- | M] () -- C:\Documents and Settings\Valued Customer\Desktop\System Check.lnk
    [2012/03/16 21:04:18 | 000,442,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\qvPKttoujdWOABX.exe
    [2012/03/16 21:12:18 | 000,346,624 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6.exe
    [2011/12/24 23:38:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Emse
    [2011/12/24 23:33:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Ojahfa
    [1 C:\Documents and Settings\Valued Customer\*.tmp files -> C:\Documents and Settings\Valued Customer\*.tmp -> ]
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [CREATERESTOREPOINT] 
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Step 3

Download aswMBR.exe (1.8mb) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.
If Avast asks to download definitions, please say Yes.

On completion of the scan click save log, save it to your desktop and post it in your next reply.

Step 4

The minimum amount of RAM recommended for Windows XP is 512MB but I suggest at least 1GB.

  • Please visit Crucial System Scanner.
  • Check the box to agree with the Terms and Conditions and click Download the Scanner.
  • Run the scanner and it will suggest RAM modules which you can consider buying to increase the amount of RAM you have.

I recommend you invest in a RAM module in the near future because it can help increase your computer speed.


Things I want to see in your next reply

  • All RKreport.txt files
  • OTL Fix Log
  • OTL.txt
  • aswMBR.txt


#4 adam80 (Topic Starter, Member, 54 posts)

In the Roguekiller logs below, should I be concerned about the Particular Files/Folders listing that says:
[FAKED] imagesrv.sys : c:\windows\system32\drivers\imagesrv.sys --> CANNOT FIX
[FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX

Thanks,
Adam

RogueKiller #1:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Valued Customer [Admin rights]
Mode: Scan -- Date: 03/18/2012 13:09:02

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] imagesrv.sys : c:\windows\system32\drivers\imagesrv.sys --> CANNOT FIX
[FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost #[IPv6]
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: MAXTOR 6L020L1 +++++
--- User ---
[MBR] 01a1ed006c6e7cbda7c7dd005cda3d59
[BSP] 14b2ff8f78f5d89704598a17af2936a8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 19594 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 40130370 | Size: 1 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RogueKiller #2:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Valued Customer [Admin rights]
Mode: Remove -- Date: 03/18/2012 13:11:30

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> DELETED
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] imagesrv.sys : c:\windows\system32\drivers\imagesrv.sys --> CANNOT FIX
[FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost #[IPv6]
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 abcstats.com
127.0.0.1 a.abv.bg
127.0.0.1 adserver.abv.bg
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 ca.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 achmedia.com
127.0.0.1 aconti.net
127.0.0.1 secure.aconti.net
127.0.0.1 www.aconti.net #[Dialer.Aconti]
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: MAXTOR 6L020L1 +++++
--- User ---
[MBR] 01a1ed006c6e7cbda7c7dd005cda3d59
[BSP] 14b2ff8f78f5d89704598a17af2936a8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 19594 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 40130370 | Size: 1 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RogueKiller #3:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Valued Customer [Admin rights]
Mode: Shortcuts HJfix -- Date: 03/18/2012 13:18:02

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 25 / Fail 0
Quick launch: Success 6 / Fail 0
Programs: Success 12581 / Fail 0
Start menu: Success 195 / Fail 0
User folder: Success 1896 / Fail 0
My documents: Success 285 / Fail 0
My favorites: Success 3376 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 40441 / Fail 0
Backup: [FOUND] Success 128 / Fail 1

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\CdRom1 -- 0x5 --> Skipped

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

OTL #1:

========== OTL ==========
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDesktop not found.
C:\Documents and Settings\Valued Customer\Start Menu\Programs\System Check folder moved successfully.
C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6 moved successfully.
C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6 moved successfully.
C:\Documents and Settings\All Users\Application Data\~29Rz2VPhvzv9Q6r moved successfully.
C:\Documents and Settings\Valued Customer\Desktop\System Check.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\qvPKttoujdWOABX.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\29Rz2VPhvzv9Q6.exe moved successfully.
C:\Documents and Settings\Valued Customer\Application Data\Emse folder moved successfully.
C:\Documents and Settings\Valued Customer\Application Data\Ojahfa folder moved successfully.
C:\Documents and Settings\Valued Customer\ntuser.tmp deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Documents and Settings\Valued Customer\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Valued Customer\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.39.1 log created on 03182012_132658

OTL #2:

OTL logfile created on: 3/18/2012 1:36:12 PM - Run 4
OTL by OldTimer - Version 3.2.39.1 Folder = C:\Documents and Settings\Valued Customer\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

253.51 Mb Total Physical Memory | 59.20 Mb Available Physical Memory | 23.35% Memory free
624.58 Mb Paging File | 490.65 Mb Available in Paging File | 78.56% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.14 Gb Total Space | 2.97 Gb Free Space | 15.54% Space Free | Partition Type: NTFS

Computer Name: VALUED-0D5227D4 | User Name: Valued Customer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Valued Customer\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\WINDOWS\system32\BrmfBAgS.exe (Brother Industries, Ltd.)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate) -- C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (brmfbags) -- C:\WINDOWS\system32\BrmfBAgS.exe (Brother Industries, Ltd.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (Cdralw2k) -- File not found
DRV - (Cdr4_2K) -- File not found
DRV - (SCTDriverV1011) -- C:\WINDOWS\system32\drivers\SCTDriverV1011.sys (Jungo)
DRV - (slabser) -- C:\WINDOWS\system32\drivers\slabser.sys (MCCI Corporation)
DRV - (slabbus) Edge Products USB Device driver (WDM) -- C:\WINDOWS\system32\drivers\slabbus.sys (MCCI Corporation)
DRV - (mf) -- C:\WINDOWS\system32\drivers\mf.sys (Microsoft Corporation)
DRV - (FlyUsb) -- C:\WINDOWS\system32\drivers\FlyUsb.sys (LeapFrog)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (brparimg) -- C:\WINDOWS\system32\drivers\BrParImg.sys (Brother Industries Ltd.)
DRV - (BrParWdm) -- C:\WINDOWS\system32\drivers\BrParwdm.sys (Brother Industries Ltd.)
DRV - (brfilt) -- C:\WINDOWS\system32\drivers\BrFilt.sys (Brother Industries Ltd.)
DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapp.../search/ie.html
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\..\SearchScopes,DefaultScope = {ADCD4153-DF7D-424A-8540-152D600E55E9}
IE - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\..\SearchScopes\{ADCD4153-DF7D-424A-8540-152D600E55E9}: "URL" = http://www.google.co...age={startPage}
IE - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/02/18 00:28:03 | 000,610,008 | R-S- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost #[IPv6]
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 16254 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 0
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyMusic = 1
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\..Trusted Domains: uploaded.to ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1993962763-1343024091-1060284298-1004\..Trusted Domains: utsa.edu ([]* in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll (Installation Support)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1170368816796 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9FC23261-05FD-4681-A8B5-123B43FCA55A}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/01 16:47:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9b09ecb0-a632-11df-865e-00065b71ebb3}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/18 13:33:29 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Valued Customer\Recent
[2012/03/18 13:26:58 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/18 13:12:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\LeapFrog Connect
[2012/03/18 13:08:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valued Customer\Desktop\RK_Quarantine
[2012/03/18 12:42:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2012/03/17 12:54:59 | 000,594,432 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Valued Customer\Desktop\OTL.exe
[2012/02/26 12:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\H&R Block 2011
[2012/02/26 12:01:54 | 000,000,000 | ---D | C] -- C:\Program Files\PDF995
[2012/02/26 12:01:54 | 000,000,000 | ---D | C] -- C:\Program Files\HRBlock2011

========== Files - Modified Within 30 Days ==========

[2012/03/18 13:34:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/18 13:34:14 | 265,895,936 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/18 13:29:46 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2012/03/18 12:35:41 | 001,219,072 | ---- | M] () -- C:\Documents and Settings\Valued Customer\Desktop\RogueKiller.exe
[2012/03/17 12:55:02 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Valued Customer\Desktop\OTL.exe
[2012/03/13 23:58:39 | 000,641,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/13 23:50:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/12 22:47:55 | 000,002,547 | ---- | M] () -- C:\Documents and Settings\Valued Customer\Desktop\OpenOffice.org Writer.lnk
[2012/03/11 18:09:27 | 000,441,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/11 18:09:27 | 000,071,488 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/27 21:59:42 | 000,037,904 | ---- | M] () -- C:\Documents and Settings\Valued Customer\My Documents\Charles Adamson 2011 Tax Return.T11
[2012/02/26 19:55:58 | 001,483,108 | ---- | M] () -- C:\Documents and Settings\Valued Customer\My Documents\Amendment[1].jpg
[2012/02/26 12:04:18 | 000,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2011.lnk
[2012/02/18 00:28:03 | 000,610,008 | R-S- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS

========== Files Created - No Company Name ==========

[2012/03/18 13:12:48 | 000,002,439 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SCT Device Updater.lnk
[2012/03/18 13:12:48 | 000,002,101 | ---- | C] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Zipeg.lnk
[2012/03/18 13:12:48 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/03/18 13:12:48 | 000,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2011.lnk
[2012/03/18 13:12:48 | 000,001,615 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK DC3200.lnk
[2012/03/18 13:12:48 | 000,001,536 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Eraser.lnk
[2012/03/18 13:12:48 | 000,001,239 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart.lnk
[2012/03/18 13:12:48 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/18 13:12:48 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Director.lnk
[2012/03/18 13:12:48 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/03/18 13:12:48 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Valued Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/03/18 13:12:47 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/03/18 13:12:45 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Internet Explorer.lnk
[2012/03/18 13:12:44 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/03/18 13:12:44 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Eraser.lnk
[2012/03/18 13:12:44 | 000,000,739 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\EncSpot.lnk
[2012/03/18 12:35:27 | 001,219,072 | ---- | C] () -- C:\Documents and Settings\Valued Customer\Desktop\RogueKiller.exe
[2012/03/17 00:34:33 | 265,895,936 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/27 21:59:41 | 000,037,904 | ---- | C] () -- C:\Documents and Settings\Valued Customer\My Documents\Charles Adamson 2011 Tax Return.T11
[2012/02/26 20:04:09 | 001,483,108 | ---- | C] () -- C:\Documents and Settings\Valued Customer\My Documents\Amendment[1].jpg
[2012/02/14 13:38:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/12/24 18:46:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2010/11/07 08:06:18 | 000,633,568 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/29 14:07:22 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2010/05/29 13:53:55 | 000,000,046 | ---- | C] () -- C:\WINDOWS\hpqscr01.dat
[2010/05/29 13:52:00 | 000,000,046 | ---- | C] () -- C:\WINDOWS\hposcr05.dat

========== LOP Check ==========

[2009/08/27 01:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grid
[2010/12/29 14:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2009/05/03 12:10:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2012/02/26 11:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2007/12/15 20:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/09/07 15:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\com.zipeg
[2012/02/26 21:40:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Image Zone Express
[2007/12/16 15:26:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\MSNInstaller
[2011/05/22 23:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\RadioCatch Web Radio Recorder
[2012/02/26 12:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\TaxCut
[2007/12/16 15:49:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Uniblue
[2009/04/25 22:21:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\WinPatrol
[2010/07/02 22:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Valued Customer\Application Data\Zipeg

========== Purity Check ==========



< End of report >

aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-18 13:47:58
-----------------------------
13:47:58.080 OS Version: Windows 5.1.2600 Service Pack 3
13:47:58.080 Number of processors: 1 586 0x80A
13:47:58.080 ComputerName: VALUED-0D5227D4 UserName: Valued Customer
13:47:58.941 Initialize success
13:53:25.320 AVAST engine defs: 12031700
13:53:43.947 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:53:43.947 Disk 0 Vendor: MAXTOR_6L020L1 A93.0500 Size: 19595MB BusType: 3
13:53:44.017 Disk 0 MBR read successfully
13:53:44.017 Disk 0 MBR scan
13:53:44.328 Disk 0 Windows XP default MBR code
13:53:44.358 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 19594 MB offset 63
13:53:44.418 Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 40130370
13:53:44.428 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
13:53:44.438 Disk 0 scanning sectors +40132487
13:53:44.818 Disk 0 scanning C:\WINDOWS\system32\drivers
13:54:14.561 Service scanning
13:54:44.865 Modules scanning
13:55:04.633 Disk 0 trace - called modules:
13:55:04.663 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
13:55:04.663 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81f02030]
13:55:04.673 3 CLASSPNP.SYS[f9307fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x81efe700]
13:55:05.214 AVAST engine scan C:\WINDOWS
13:55:24.792 AVAST engine scan C:\WINDOWS\system32
13:59:26.880 AVAST engine scan C:\WINDOWS\system32\drivers
13:59:50.724 AVAST engine scan C:\Documents and Settings\Valued Customer
14:04:25.319 AVAST engine scan C:\Documents and Settings\All Users
14:05:11.235 Scan finished successfully
14:06:00.857 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Valued Customer\Desktop\MBR.dat"
14:06:00.857 The log file has been saved successfully to "C:\Documents and Settings\Valued Customer\Desktop\aswMBR.txt"

#5
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)
It looks like you have a new variant of a nasty rootkit which creates a hidden partition on your computer containing the rootkit.


One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following step.


Step 1

Try this please. You will need a USB drive and another computer which is clean from infection.

Download GETxPUD.exe to the desktop of your clean computer.
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat.
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer.
  • Boot the Sick computer with the CD you just burned.
  • The computer must be set to boot from the CD.
  • Gently tap F12 and choose to boot from the CD.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1,2...usually corresponds to your HDD.
  • sdb1 is likely your USB.
  • Click on the folder that represents your USB drive (sdb1 ?).
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin.
  • Zip the mbr.bin file and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.
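What the helper is asking for is the first sector of the disk: the 440 bytes of bootstrap code, a four-entry partition table at offset 446, and the 0xAA55 signature. The logs above already show what he will be looking for in it: a visible NTFS partition (type 0x07) at sector 63, and a second, 1 MB partition typed 0x17 (NTFS with the "hidden" bit set, so Windows never mounts it) placed right past the end of the first one and marked active so the BIOS hands it control at boot. The following Python script is an added example for this thread, not code from RogueKiller, aswMBR, OTL or xPUD: it parses an mbr.bin dump, prints the partition table in a layout similar to the RogueKiller output, and flags that hidden-boot-partition pattern. The sample sector is constructed inline to mirror the offsets and sizes in the logs (with the bootstrap code zeroed), and the size threshold, function names and the SHA-256 of the bootstrap area are this example's own choices.

```python
"""Inspect an MBR dump (mbr.bin from `dd if=/dev/sda of=mbr.bin bs=512 count=1`).

Added example for this thread; not code from RogueKiller, aswMBR, OTL or xPUD.
It decodes the classic 4-entry partition table and flags the hidden-partition
layout seen in the logs above. Thresholds and names are this example's own.
"""
import hashlib
import struct
import sys

SECTOR_BYTES = 512
TABLE_OFFSET = 446            # partition table starts after the bootstrap code
ENTRY_FMT = "<B3xB3xII"       # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIG_OFFSET = 510
BOOT_SIG = 0xAA55
ACTIVE = 0x80
NTFS = 0x07
HIDDEN_NTFS = 0x17            # 0x07 with the 0x10 "hidden" bit set: no drive letter assigned
SMALL_PARTITION_MB = 16       # example threshold: a bootable partition this small is abnormal


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError(f"expected {SECTOR_BYTES} bytes, got {len(mbr)}")
    (sig,) = struct.unpack_from("<H", mbr, BOOT_SIG_OFFSET)
    if sig != BOOT_SIG:
        raise ValueError(f"bad boot signature 0x{sig:04x}")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:            # unused slot
            continue
        entries.append({
            "index": i,
            "active": status == ACTIVE,
            "type": ptype,
            "hidden": ptype == HIDDEN_NTFS,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR_BYTES // (1024 * 1024),
        })
    return entries


def suspicious_entries(entries: list) -> list:
    """Flag active, hidden, tiny partitions placed beyond every visible partition.

    That is the layout in the thread: the rootkit's own boot partition is marked
    active so the BIOS hands it control, typed 0x17 so Windows never mounts it,
    and only 1 MB in size at the end of the disk.
    """
    visible_end = max((e["lba_start"] + e["sectors"] for e in entries
                       if not e["hidden"]), default=0)
    return [e for e in entries
            if e["active"] and e["hidden"]
            and e["size_mb"] <= SMALL_PARTITION_MB
            and e["lba_start"] >= visible_end]


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash of the 440-byte bootstrap code, for comparison against a known-good
    copy of the same machine's MBR (for instance the MBR.dat aswMBR saved)."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample mirroring the partition table in the RogueKiller/aswMBR
    logs: a visible NTFS system partition at LBA 63 (about 19594 MB) and a 1 MB
    active hidden NTFS partition at LBA 40130370. Bootstrap code left as zeros."""
    mbr = bytearray(SECTOR_BYTES)
    struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET, 0x00, NTFS, 63, 40130370 - 63)
    struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16, ACTIVE, HIDDEN_NTFS, 40130370, 2048)
    struct.pack_into("<H", mbr, BOOT_SIG_OFFSET, BOOT_SIG)
    return bytes(mbr)


def report(mbr: bytes) -> None:
    """Print the table in a RogueKiller-like layout plus any warnings."""
    entries = parse_mbr(mbr)
    for e in entries:
        flags = ("ACTIVE " if e["active"] else "") + ("HIDDEN!" if e["hidden"] else "VISIBLE")
        print(f"{e['index']} - type 0x{e['type']:02x} [{flags}] "
              f"Offset (sectors): {e['lba_start']} | Size: {e['size_mb']} MB")
    for e in suspicious_entries(entries):
        print(f"WARNING: entry {e['index']} looks like a rootkit boot partition")
    print("bootstrap sha256:", bootstrap_sha256(mbr))


if __name__ == "__main__":
    # Usage: python mbr_check.py mbr.bin   (no argument: use the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_mbr()
    report(data)
```

Run with the path to the mbr.bin copied off the USB drive, or with no argument to see the constructed sample flagged. A clean XP disk normally shows one visible system partition and no active 0x17 entry, so any hit from suspicious_entries deserves the closer look the helper offers here; the bootstrap hash is only meaningful against a known-good copy of the same machine's MBR.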

#6
adam80
    Member
  • Topic Starter
  • Member
  • 54 posts
First, thanks for getting back to me so quickly. Due to the seriousness of the situation, I think it's probably best if I look into buying a new hard drive and remove any important files from this infected computer and transfer them. Is there anything else I need to do?

Thanks for all your help,
Adam

#7
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)
We can reformat your computer so you don't have to purchase a new hard drive. This restores your computer to the factory settings so make sure to save any personal files that you want to keep.

Please follow the instructions here to reformat your computer and let me know how you get on.

#8
adam80
    Member
  • Topic Starter
  • Member
  • 54 posts
Unfortunately, I lost the discs for the PC. Anyway, it's about time I replaced this old one with an upgrade. I am concerned about transferring files from the infected PC to a new hard drive; is there anything I can do for protection? Any precautions I need to take? Thanks again.

#9
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)
We can immunize any flash drives that you will use to transfer files against infection.

  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to that address) to your desktop.
  • Install and run the program.
    • Double-click on the file USBVaccine.zip located on your desktop.
    • A file viewer will open. Double-click on the file USBVaccineSetup.exe. Please select Yes if you are asked if you want to allow the program to make changes to the computer.
    • Follow the steps on screen to install the program on your computer.
  • Plug in your USB drive and click on Vaccinate USB and Vaccinate Computer.


#10
NeonFx
    Malware Removal Dude
  • Expert
  • 3,798 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.