Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Can't even download the programmes on the malware cleaning guide

Started by Conor74 , Apr 09 2010 11:25 AM

Please log in to reply

#1
Conor74

Posted 09 April 2010 - 11:25 AM

Member

Member
21 posts

In the past day, when I start the computer, I get all these messages about security warnings.

Went on the malware and spyware cleaning guide, but when I tried at the first step to download TFC a red box appears with the following note

"Security Tool
TFC[1] is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details to connect to remote host"

Then it asks in a new red box if I'm sure I want to continue unprotected.

And this keeps flashing up again and again every minute or so, with some variations (sometimes it was start giving a list of viruses that it says are on the computer).

So when I try to run TFC I can't find any icon or anything to click to start the clean up.

Similarly tried to download other programmes from there and the same message pops up again and again, and after when I go to my list of programs I can't see any icon to click.

I'm a novice, and don't know the first thing about this, so any help or pointers appreciated. For all I know, maybe it is some firewall on the computer and I should actually tell it to proceed to removes the alleged viruses, but it's a bit...persistant!

#2
RKinner

Posted 12 April 2010 - 06:34 PM

Malware Expert

Expert
24,625 posts

o Press CTRL+ALT+DEL to open Task Manager then select Processes

Kill Processes:

692527612.exe, 1313928688.exe, 1806188250.exe (and any other processes which are just numbers!)

* Delete these Files and Folders:

C:\Documents and Settings\All Users\Application Data\1929146152\1313928688.exe
C:\Documents and Settings\All Users\Application Data\1372029626\1806188250.exe
C:\Documents and Settings\All Users\Application Data\870894309\692527612.exe

Ron

#3
Conor74

Posted 13 April 2010 - 12:46 AM

Member

Topic Starter
Member
21 posts

o Press CTRL+ALT+DEL to open Task Manager then select Processes

Thanks.

But can't even manage this! Every time I press CTRL+ALT+DEL the red security tool box comes on screen again, like above except this time the message is "taskmgr.exe is infected with the worm Lsas.Blaster.Keyloger..."

#4
RKinner

Posted 13 April 2010 - 08:22 AM

Malware Expert

Expert
24,625 posts

Does it do it in Safe Mode?

(Reboot and when you see the maker's logo or hear a beep start slowly tapping the F8 key. Keeping tapping until you see the Safe Mode menu. Select Safe Mode or Safe Mode with Networking.)

Also try Safe Mode with Command Prompt if that works then you can type:

cd "\Documents and Settings\All Users\Application Data"

(SPACE after cd. Prompt will change to show your are in Application Data folder)

dir /a

(SPACE after dir. Look for folders which are all numbers. Say you find: 1929146152)

del 1929146152

(SPACE before and after del. It may ask you if you are sure. Say y and if it won't delete then try:
attrib -r -h -s 1929146152
)

(Repeat for any all-number folders)

#5
Conor74

Posted 16 April 2010 - 01:19 AM

Member

Topic Starter
Member
21 posts

Sorry, away at work for a few days, thanks for getting back to me.

Does it do it in Safe Mode?

No. But when I open task manager and then processes in safe mode, I can't see any files with numbers.

Also try Safe Mode with Command Prompt if that works then you can type:

cd "\Documents and Settings\All Users\Application Data"

(SPACE after cd. Prompt will change to show your are in Application Data folder)

dir /a

Tried this too and got to the Application Data folder. However, when I type in

dir /a

(and inserting the space)

The reply I get is

Volume in Drive C has no label
Volume Serial Number is
Directory of C:\Docuemtns and Settings\All Users...

And the list of folders does not contain any which are numbers.

Edited by Conor74, 16 April 2010 - 01:20 AM.

#6
RKinner

Posted 16 April 2010 - 01:38 AM

Malware Expert

Expert
24,625 posts

In Safe Mode, Start, Run, msconfig, OK

Under Startup, uncheck everything but your antivirus. Under Services, first check the Hide Microsoft services box then uncheck everything but your antivirus. OK and reboot into regular mode. Does it do it now?

Can you get on the internet? Can you download and run any of our tools?

Ron

#7
Conor74

Posted 21 April 2010 - 01:22 AM

Member

Topic Starter
Member
21 posts

In Safe Mode, Start, Run, msconfig, OK

Under Startup, uncheck everything but your antivirus. Under Services, first check the Hide Microsoft services box then uncheck everything but your antivirus. OK and reboot into regular mode.

Did this, and seems to be a lot better. The annoying pop up is gone, as is the blue 'security tool' icon that kept appearing too.

Can you get on the internet? Can you download and run any of our tools?

Managed to download and run TFC, Erunt and Malwarebytes, which I couldn't do when the pop up kept appearing. Malwarebytes detected 3 infected files and 2 infected folders, all infected with 'rogue.multiple' or 'rogue.security...'

When I start the pc now, I get the following message

"You have used the system configuration utility to make changes to the way Windows starts.

The system configuration utility is currently in Diagnostic or Selective startup mode..."

There is a box at the end of the message. I'm happy enough to leave it up, it doesn't affect my use of the pc anyway.

Thanks so much for all your help so far, if you're ever in Ireland I owe you a pint or 2!

#8
RKinner

Posted 21 April 2010 - 08:57 AM

Malware Expert

Expert
24,625 posts

You aren't fixed, just sort of temporarily patched. See if you can run OTL (step 5 in the guide) and post (copy and paste) the two logs.

You can cancel out the message from msconfig and tell it not to bother you again but in this mode you are running naked with no protection so please stick with us for a while.

Ron

#9
Conor74

Posted 25 April 2010 - 05:54 AM

Member

Topic Starter
Member
21 posts

See if you can run OTL (step 5 in the guide) and post (copy and paste) the two logs.

Can get through the first 4 steps now, downloaded TFC, Malwarebytes Anti-Malware and avast. However when I try to download OTL I keep getting the following message

OTL cannot be run from a temporary folder!
Please download it to your Desktop or other suitable location.

#10
RKinner

Posted 25 April 2010 - 09:08 AM

Malware Expert

Expert
24,625 posts

So is the file otl.exe on your desktop? If using IE you must SAVE the file and it will ask you where so you point it at the desktop. Then copy the script they ask you to run. Close IE then find otl.exe on the desktop and run it. Paste the script into the custom scan box and hit Quick Scan.

Ron

#11
Conor74

Posted 02 May 2010 - 05:40 AM

Member

Topic Starter
Member
21 posts

OTL logfile created on: 02/05/2010 12:19:25 - Run 1
OTL by OldTimer - Version 3.2.4.0 Folder = C:\Documents and Settings\patrick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

318.00 Mb Total Physical Memory | 119.00 Mb Available Physical Memory | 37.00% Memory free
773.00 Mb Paging File | 482.00 Mb Available in Paging File | 62.00% Paging File free
Paging file location(s): C:\pagefile.sys 480 960 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 13.98 Gb Total Space | 3.27 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 36.15 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PKDESKTOP
Current User Name: patrick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/02 12:14:10 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\patrick\Desktop\OTL.exe
PRC - [2010/04/14 17:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 17:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/30 00:46:02 | 001,086,856 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/11/16 20:12:44 | 002,463,744 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
PRC - [2009/02/10 23:21:33 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/05/02 12:14:10 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\patrick\Desktop\OTL.exe
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 17:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 17:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 17:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/16 20:12:32 | 000,009,216 | ---- | M] (Vodafone) [Disabled | Stopped] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2007/12/17 05:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)
SRV - [2007/01/11 05:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

========== Driver Services (SafeList) ==========

DRV - [2010/04/14 17:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 17:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 17:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 17:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 17:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 17:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/11/04 17:59:38 | 000,113,280 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/11/04 17:59:38 | 000,102,528 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/11/04 17:59:38 | 000,100,736 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2008/04/13 23:04:34 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2008/04/13 23:04:32 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2008/04/13 23:04:30 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2008/04/13 23:04:30 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2008/04/13 23:04:30 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2008/04/13 23:04:30 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2008/04/13 23:04:30 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2008/04/13 23:04:30 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2008/04/13 23:04:28 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2008/04/13 23:04:28 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2008/04/13 23:04:28 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2008/04/13 23:04:28 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2008/04/13 23:04:28 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2008/04/13 23:04:28 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2008/04/13 23:04:28 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2001/08/17 13:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/09 19:03:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 17:46:12 | 000,000,000 | ---D | M]

[2009/01/05 20:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\patrick\Application Data\Mozilla\Extensions
[2010/04/09 17:45:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\patrick\Application Data\Mozilla\Firefox\Profiles\w93eoymc.default\extensions
[2010/04/09 17:45:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\patrick\Application Data\Mozilla\Firefox\Profiles\w93eoymc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/09 17:45:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\patrick\Application Data\Mozilla\Firefox\Profiles\w93eoymc.default\extensions\staged-xpis
[2008/11/03 14:22:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/04 16:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 16:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 20:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 16:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/14 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\patrick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.19.64.164 89.19.64.36
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/14 21:14:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/11/17 13:48:47 | 000,000,119 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{c0f423cf-dc1a-11dd-bdca-0002a5578a5a}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe -- File not found
O33 - MountPoints2\{f3b7dc6a-fd3e-11de-be3e-0002a5578a5a}\Shell - "" = AutoRun
O33 - MountPoints2\{f3b7dc6a-fd3e-11de-be3e-0002a5578a5a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f3b7dc6a-fd3e-11de-be3e-0002a5578a5a}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe -- [2009/11/16 17:57:39 | 000,274,432 | R--- | M] (Vodafone)
O33 - MountPoints2\{f3b7dc6b-fd3e-11de-be3e-0002a5578a5a}\Shell - "" = AutoRun
O33 - MountPoints2\{f3b7dc6b-fd3e-11de-be3e-0002a5578a5a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f3b7dc6b-fd3e-11de-be3e-0002a5578a5a}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe -- [2009/11/16 17:57:39 | 000,274,432 | R--- | M] (Vodafone)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/01/05 20:35:21 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56308606093492224)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/02 12:13:26 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\patrick\Desktop\OTL.exe
[2010/04/25 09:34:03 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/25 09:34:03 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/25 09:34:02 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/25 09:34:00 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/25 09:33:57 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/25 09:33:57 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/25 09:33:57 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/25 09:32:20 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/25 09:32:20 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/25 09:31:38 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/25 09:31:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2010/04/16 18:52:01 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\patrick\Desktop\TFC.exe
[2010/04/16 18:46:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\patrick\Application Data\Malwarebytes
[2010/04/16 18:46:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/16 18:46:29 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/16 18:46:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/16 18:46:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/04/16 18:45:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/16 18:44:56 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/16 18:38:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/16 07:34:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/03/12 20:54:11 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/12 20:53:38 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/12 20:45:12 | 000,000,000 | ---D | C] -- C:\Program Files\Safari
[2010/02/25 21:50:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\patrick\Local Settings\Application Data\Temp

========== Files - Modified Within 90 Days ==========

[2010/05/02 12:14:10 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\patrick\Desktop\OTL.exe
[2010/05/02 12:00:17 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/02 11:58:01 | 000,002,557 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Vodafone Mobile Connect.lnk
[2010/05/02 11:47:56 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/02 11:47:37 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/02 11:47:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/02 11:47:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/02 11:47:11 | 333,959,168 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/02 11:46:19 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\patrick\NTUSER.DAT
[2010/05/02 11:46:19 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\patrick\ntuser.ini
[2010/05/02 10:29:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/02 09:16:39 | 003,766,322 | -H-- | M] () -- C:\Documents and Settings\patrick\Local Settings\Application Data\IconCache.db
[2010/04/25 09:34:05 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Free Antivirus.lnk
[2010/04/25 09:33:58 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/23 22:05:40 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/04/19 20:01:41 | 000,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/19 20:01:41 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/19 20:01:41 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/16 18:52:08 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\patrick\Desktop\TFC.exe
[2010/04/16 18:46:36 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/16 18:45:01 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\patrick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/04/16 18:44:57 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\patrick\Desktop\NTREGOPT.lnk
[2010/04/16 18:44:57 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\patrick\Desktop\ERUNT.lnk
[2010/04/15 03:03:50 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/14 17:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 17:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 17:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 17:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 17:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 17:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 17:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 17:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 17:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/05 15:29:34 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\patrick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/29 10:36:58 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/29 10:36:58 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/29 10:36:57 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/27 14:00:08 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Safari.lnk
[2010/03/07 09:53:37 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Browser Choice.lnk

========== Files Created - No Company Name ==========

[2010/04/25 09:34:05 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Free Antivirus.lnk
[2010/04/16 18:46:36 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/16 18:45:01 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\patrick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/04/16 18:44:57 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\patrick\Desktop\NTREGOPT.lnk
[2010/04/16 18:44:57 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\patrick\Desktop\ERUNT.lnk
[2010/04/16 18:40:33 | 333,959,168 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/12 20:55:33 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/03/12 20:45:27 | 000,002,187 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Safari.lnk
[2010/03/07 09:53:36 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Browser Choice.lnk
[2010/02/03 20:45:45 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/03 20:45:44 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/02/12 21:37:04 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/01/05 21:51:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/05 20:57:05 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/01/05 20:55:49 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE SX400DEFGIPS.ini
[2008/04/14 13:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2008/04/14 13:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2008/04/14 13:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2008/04/14 13:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2008/04/14 13:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

========== LOP Check ==========

[2010/04/25 09:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2009/01/05 20:56:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON
[2009/01/05 21:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\UDL
[2010/01/09 18:02:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Vodafone
[2010/01/09 19:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/02/12 21:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\patrick\Application Data\EPSON
[2010/01/09 18:03:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\patrick\Application Data\Vodafone
[2010/05/02 11:47:56 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2008/10/14 21:14:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/04/19 20:01:41 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/10/14 21:14:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/05/02 11:47:11 | 333,959,168 | -HS- | M] () -- C:\hiberfil.sys
[2008/10/14 21:14:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/10/14 21:14:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 13:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/02 11:47:10 | 503,316,480 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/11 13:38:51 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/03/11 13:38:51 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/01/05 19:57:39 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/05 19:57:39 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/05 19:57:39 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/14 17:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aavmker4.sys
[2010/04/14 17:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys
[2010/04/14 17:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon.sys
[2010/04/14 17:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon2.sys
[2010/04/14 17:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys
[2010/04/14 17:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswSP.sys
[2010/04/14 17:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
< End of report >

OTL Extras logfile created on: 02/05/2010 12:19:25 - Run 1
OTL by OldTimer - Version 3.2.4.0 Folder = C:\Documents and Settings\patrick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

318.00 Mb Total Physical Memory | 119.00 Mb Available Physical Memory | 37.00% Memory free
773.00 Mb Paging File | 482.00 Mb Available in Paging File | 62.00% Paging File free
Paging file location(s): C:\pagefile.sys 480 960 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 13.98 Gb Total Space | 3.27 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 36.15 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PKDESKTOP
Current User Name: patrick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1E5E2F9A-17D3-45CA-8FF0-B0C2927D4B03}" = MobileMe Control Panel
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42EDF895-158C-484E-A7F2-42B90759F281}" = Camera RAW Plug-In for EPSON Creativity Suite
"{46CBBDF8-55B5-40DB-B459-7B848394309C}" = EPSON File Manager
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7CA72235-27FF-4B4F-BC71-957C4CC390A4}" = Vodafone Mobile Connect Lite
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}" = EPSON Easy Photo Print
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E1B2DF7C-A176-4A1D-9D32-3CEC5037A524}" = Apple Application Support
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EPSON Scanner" = EPSON Scan
"EPSON Stylus SX200_SX400_TX200_TX400 User’s Guide" = EPSON Stylus SX200_SX400_TX200_TX400 Manual
"EPSON Stylus SX400 Series" = EPSON Stylus SX400 Series Printer Uninstall
"ERUNT_is1" = ERUNT 1.1j
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/05/2010 03:35:31 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 04:00:05 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 05:30:03 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 05:35:48 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 06:00:05 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 06:35:48 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 06:47:44 | Computer Name = PKDESKTOP | Source = Google Update | ID = 20
Description =

Error - 02/05/2010 06:54:51 | Computer Name = PKDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application MobileConnect.exe, version 9.4.5.19167, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 02/05/2010 06:54:55 | Computer Name = PKDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application MobileConnect.exe, version 9.4.5.19167, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 02/05/2010 06:54:57 | Computer Name = PKDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application MobileConnect.exe, version 9.4.5.19167, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 29/04/2010 15:10:54 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {E225E692-4B47-4777-9BED-4FD7FE257F0E}

Error - 29/04/2010 16:11:37 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 30/04/2010 15:38:13 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 30/04/2010 15:38:14 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {E225E692-4B47-4777-9BED-4FD7FE257F0E}

Error - 30/04/2010 17:07:00 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 01/05/2010 13:26:35 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 01/05/2010 13:26:43 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {E225E692-4B47-4777-9BED-4FD7FE257F0E}

Error - 01/05/2010 17:40:12 | Computer Name = PKDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 01/05/2010 23:13:57 | Computer Name = PKDESKTOP | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 109.79.44.219 on
the Network Card with network address 001E101F72B8.

Error - 02/05/2010 06:47:42 | Computer Name = PKDESKTOP | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer EPSON Stylus SX400 Series share
name EPSONSty.

< End of report >

#12
RKinner

Posted 02 May 2010 - 08:19 AM

Malware Expert

Expert
24,625 posts

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.

* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Ron

#13
Conor74

Posted 11 May 2010 - 01:50 AM

Member

Topic Starter
Member
21 posts

Download but do not yet run ComboFix

Do you know any link to it? Maybe I can just search this site. Can google it but just don't trust the results that come up there, always concerned that I could be downloading the very thing I'm trying to get rid of.

#14
RKinner

Posted 11 May 2010 - 08:01 AM

Malware Expert

Expert
24,625 posts

I tell you where to get it a few lines later:
Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Ron

#15
Conor74

Posted 12 May 2010 - 01:33 AM

Member

Topic Starter
Member
21 posts

ComboFix 10-05-10.05 - patrick 12/05/2010 8:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.318.49 [GMT 1:00]
Running from: c:\documents and settings\patrick\Desktop\george.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 06:58 . 2010-05-12 06:58 -------- d-----w- c:\windows\LastGood
2010-04-25 08:34 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-25 08:34 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-25 08:34 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-25 08:34 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-25 08:33 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-25 08:33 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-25 08:33 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-25 08:32 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-25 08:32 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-25 08:31 . 2010-04-25 08:31 -------- d-----w- c:\program files\Alwil Software
2010-04-25 08:31 . 2010-04-25 08:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-04-16 17:46 . 2010-04-16 17:46 -------- d-----w- c:\documents and settings\patrick\Application Data\Malwarebytes
2010-04-16 17:46 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 17:46 . 2010-04-16 17:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-16 17:46 . 2010-04-16 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-04-16 17:46 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 17:44 . 2010-04-16 17:45 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 07:37 . 2009-01-08 21:02 17464 -c--a-w- c:\documents and settings\patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 20:58 . 2008-11-02 16:16 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2010-03-27 13:00 . 2009-01-05 20:47 -------- d-----w- c:\documents and settings\patrick\Application Data\Apple Computer
2010-03-12 19:47 . 2010-03-12 19:47 72488 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-12 19:42 . 2010-03-12 19:42 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10 . 2008-04-14 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-06 17:20 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\patrick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 02:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-02-17 19:37 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus SX400 Series]
2007-12-17 06:00 188928 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIEGE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 18:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2009-11-16 19:12 2463744 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-10 22:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMCService"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"EPSON_PM_RPCV4_01"=2 (0x2)
"EPSON_EB_RPCV4_01"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [25/04/2010 09:34 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25/04/2010 09:34 19024]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [09/01/2010 18:04 113280]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [11/01/2010 10:48 100736]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 20:45 135664]
S4 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [16/11/2009 20:12 9216]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:45]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:45]

2010-05-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\patrick\Application Data\Mozilla\Firefox\Profiles\w93eoymc.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-22332012 - c:\documents and settings\All Users.WINDOWS\Application Data\22332012\22332012.exe
MSConfigStartUp-56705629 - c:\docume~1\ALLUSE~1.WIN\APPLIC~1\56705629\56705629.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 08:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-12 08:25:48
ComboFix-quarantined-files.txt 2010-05-12 07:25

Pre-Run: 3,200,692,224 bytes free
Post-Run: 3,193,438,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2A8997D9FE90CCE12BF213234E107F2E