
"Your System is Infected"


#1 mariijane (Member, 20 posts)

Hi all!

On one of my older Dell laptops (XP), the wallpaper changed to the dreaded "Your System is Infected" & I was unable to open any browsers, access the Start menu or run certain exe files. (It's worth noting that all files are downloaded off my [working] computer and copied to the laptop using an external drive.)

Last night, I was able to run HijackThis in safe mode & removed/deleted winupdate.exe. Upon doing so, I was still unable to access either browser (Mozilla & IE) or the Start menu. I disabled Win Recovery & downloaded and ran Stinger, which then appeared to have removed numerous files with the exception of a few (smss.exe, which according to the scan is infected with the FakeAlert!Exploit virus!!!, and autorun.inf, which is infected with the Generic! atr virus!!). I also ran fixswen.exe which, after scanning twice, still states "W32.Swen.A@mm has not been found." I rebooted (in regular mode) and am now able to access the Start menu as well as the browsers; however, the wallpaper refuses to change and certain exe files will still not open.

A scan with "CWShredder" reports "None infected."

I did download Malwarebytes, which goes through the setup and install wizard correctly; however, it refuses to run. ComboFix will not run either.

Below is my most recent hijackthis scan. Any help is appreciated: I've read through dozens of different tutorials and forum posts regarding similar issues but all of them seem to require running the above files which won't open for me. Thanks!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:04:34, on 2011/04/25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Charlie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [] C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [] C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe (User '?')
O4 - HKUS\S-1-5-21-4008763428-1199046705-24455348-1007\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe (User '?')
O4 - S-1-5-21-4008763428-1199046705-24455348-1007 Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe (User '?')
O4 - S-1-5-21-4008763428-1199046705-24455348-1007 Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe (User '?')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BB74622-173C-4334-A9EA-9735D36B53B9}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A9F34A-7375-43CC-AA38-CC6FCBE47160}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BB74622-173C-4334-A9EA-9735D36B53B9}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BB74622-173C-4334-A9EA-9735D36B53B9}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BB74622-173C-4334-A9EA-9735D36B53B9}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour ???? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod ???? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\WINDOWS\system32\mfevtps.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10394 bytes

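The HijackThis log above carries four indicators a responder would pull out of it: a second executable appended to UserInit (F2), Run values launched from a Temp directory (O4), a BHO and a SharedTaskScheduler entry whose DLL no longer exists (O2/O22), and static DNS resolvers set on the TCP/IP parameters and on every interface (O17). The Python below is an added example, not code from the thread or from HijackThis, RogueKiller or OTL; it runs those checks over lines copied from the log. The regular expressions, the `expected_dns` parameter and the assumption that UserInit should name only `userinit.exe` are mine; the resolver addresses 85.255.112.39 and 85.255.112.40 are the ones in the log, and an empty `expected_dns` treats any static resolver as suspect, which is the right default for a home laptop that normally gets its DNS from DHCP.

```python
"""Triage a HijackThis log for the persistence and hijack indicators seen in
this thread: a second UserInit executable, Run entries launched from Temp,
browser/shell hooks whose DLL is missing, and static DNS resolvers.
Added example; the checks and regular expressions are assumptions of this
script, not part of HijackThis."""
import re
from ipaddress import ip_address

# Constructed sample: lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
RUN_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.*)$")
# Windows normally starts exactly one program from UserInit: the real userinit.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def _finding(section, severity, reason, line):
    return {"section": section, "severity": severity, "reason": reason, "line": line}


def check_userinit(line):
    """Flag any program besides userinit.exe in the comma-separated UserInit value."""
    m = USERINIT_RE.match(line)
    if not m:
        return None
    entries = [e.strip().lower() for e in m.group("value").split(",") if e.strip()]
    extra = [e for e in entries if e != EXPECTED_USERINIT]
    if extra:
        return _finding("F2", "high", "UserInit launches extra program(s): " + ", ".join(extra), line)
    return None


def check_run_entry(line):
    """Flag Run values that start a binary from a Temp directory or carry no name."""
    m = RUN_RE.match(line)
    if not m:
        return None
    reasons = []
    if "\\temp\\" in m.group("cmd").lower():
        reasons.append("autostart from a Temp directory")
    if not m.group("name"):
        reasons.append("unnamed Run value")
    if reasons:
        return _finding("O4", "high", "; ".join(reasons), line)
    return None


def check_dns(line, expected_dns=frozenset()):
    """Flag static resolvers that are not in the set the responder expects."""
    m = DNS_RE.match(line)
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    unexpected = []
    for s in servers:
        try:
            ip_address(s)
        except ValueError:
            unexpected.append(s + " (not an IP address)")
            continue
        if s not in expected_dns:
            unexpected.append(s)
    if unexpected:
        return _finding("O17", "high", "static DNS resolver(s) not in the expected set: " + ", ".join(unexpected), line)
    return None


def check_missing_file(line):
    """Flag registered components whose file is gone (typically a scanner deleted
    the DLL but left the CLSID registered; the hook still tries to load)."""
    if not line.endswith("(file missing)"):
        return None
    section = line.split(" - ", 1)[0]
    # O2/O3/O22 components are loaded into Explorer and Internet Explorer.
    severity = "high" if section in ("O2", "O3", "O22") else "info"
    return _finding(section, severity, "registered component whose file is missing", line)


def triage(log_text, expected_dns=frozenset()):
    """Run every check over every line; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for f in (check_userinit(line), check_run_entry(line),
                  check_dns(line, expected_dns), check_missing_file(line)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['section']}: {f['reason']}\n    {f['line']}")
```

Pass the DHCP-assigned resolvers as `expected_dns` to suppress the O17 finding for a legitimately static configuration; the OTL log later in this thread reports them as `DhcpNameServer`, which is the value to compare against. The file-missing check is rated high only for the component types Explorer and Internet Explorer load (O2, O3, O22); a stale O23 service entry is reported as informational.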


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi there - transfer this programme to the infected system and then run it - this should allow you to get online to download and run the final programme.

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

THEN

Run Malwarebytes after updating, posting the resultant log.

FINALLY

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.


#3 mariijane (Topic Starter, Member, 20 posts)

Hi! Thanks for all your help. I ran RogueKiller with no issues on the first try. (This is the first log below.)

Next, I attempted to run Malwarebytes; unfortunately, it still won't load. I went through the setup wizard again, but at the end it doesn't appear to have installed properly, nor does clicking on it directly work.

I downloaded OTL and ran using the custom scan above. Here are the results (RK first, OTL then Extras):

RogueKiller V4.3.10 [04/24/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User: Charlie [Admin rights]
Mode: Remove -- Date : 04/25/2011 10:03:36

Bad processes: 2
[SVCHOST] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
[APPDT/TMP/DESKTOP] HijackThis.exe -- c:\documents and settings\charlie\desktop\hijackthis.exe -> KILLED

Registry Entries: 14
[APPDT/TMP/DESKTOP] HKCU\[...]\Run :  (C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe) -> DELETED
[APPDT/TMP/DESKTOP] HKCU\[...]\Run : hsf7husjnfg98gi498aejhiugjkdg4 (C:\DOCUME~1\Charlie\LOCALS~1\Temp\cg1hoo.exe) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1BB74622-173C-4334-A9EA-9735D36B53B9} : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{D9A9F34A-7375-43CC-AA38-CC6FCBE47160} : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{1BB74622-173C-4334-A9EA-9735D36B53B9} : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{D9A9F34A-7375-43CC-AA38-CC6FCBE47160} : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{1BB74622-173C-4334-A9EA-9735D36B53B9} : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{D9A9F34A-7375-43CC-AA38-CC6FCBE47160} : NameServer (85.255.112.39,85.255.112.40) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)

HOSTS File:


Finished : << RKreport[1].txt >>

OTL logfile created on: 2011/04/25 10:12:38 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Charlie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000411 | Country: Japan | Language: JPN | Date Format: yyyy/MM/dd

759.00 Mb Total Physical Memory | 483.00 Mb Available Physical Memory | 64.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.47 Gb Total Space | 9.26 Gb Free Space | 17.65% Space Free | Partition Type: NTFS

Computer Name: BIG_BOSS | User Name: Charlie | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
MOD - [2008/06/18 06:03:14 | 002,458,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WMVCore.dll
MOD - [2008/04/13 20:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 20:12:47 | 001,724,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll
MOD - [2008/04/13 20:12:09 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll
MOD - [2008/04/13 20:12:05 | 000,068,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shgina.dll
MOD - [2008/04/13 20:12:02 | 000,249,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\odbc32.dll
MOD - [2008/04/13 20:12:02 | 000,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll
MOD - [2008/04/13 20:12:02 | 000,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll
MOD - [2008/04/13 20:12:02 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll
MOD - [2008/04/13 20:12:01 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll
MOD - [2008/04/13 20:11:59 | 000,997,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msgina.dll
MOD - [2008/04/13 20:11:52 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll
MOD - [2008/04/13 20:11:51 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll
MOD - [2008/04/13 13:26:05 | 000,094,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\odbcint.dll
MOD - [2007/10/27 18:40:30 | 000,222,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wmasf.dll
MOD - [2006/10/18 22:47:18 | 000,284,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\PortableDeviceApi.dll
MOD - [2004/12/14 04:20:02 | 000,110,592 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Viewpoint Manager Service)
SRV - File not found [Auto | Stopped] -- -- (mfevtp)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/07/02 16:40:17 | 000,036,352 | ---- | M] () [Auto | Stopped] -- C:\Program Files\drv\drv.dll -- (drv)
SRV - [2007/04/05 22:35:40 | 001,543,614 | ---- | M] () [Auto | Stopped] -- C:\Program Files\iPod Access for Windows\iPAHelper.exe -- (iPAHelper.exe)
SRV - [2006/08/03 20:50:46 | 000,380,928 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


========== Driver Services (SafeList) ==========

DRV - [2009/07/02 16:40:16 | 000,009,344 | ---- | M] (drv) [Kernel | System | Stopped] -- C:\Program Files\drv\drv.sys -- (drvdrv)
DRV - [2008/06/20 07:08:27 | 000,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2006/11/02 17:40:17 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/08/25 09:23:08 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/03/25 01:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/10 14:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/11/02 21:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/08/12 19:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/22 05:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 05:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 05:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co...html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========



FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/24 22:47:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 22:47:22 | 000,000,000 | ---D | M]

[2008/09/23 12:19:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Charlie\Application Data\Mozilla\Extensions
[2007/09/04 09:26:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\thikbzvr.default\extensions
[2009/07/02 16:55:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/15 20:05:00 | 000,049,152 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

O1 HOSTS File: ([2011/04/25 07:58:17 | 000,000,000 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (C:\WINDOWS\system32\gsf83iujid.dll) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - File not found
O3 - HKLM\..\Toolbar: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD )
O3 - HKLM\..\Toolbar: (FlashGet Bar) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll (Amaze Soft)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD )
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [BitTorrent] C:\Program Files\BitTorrent\bittorrent.exe ()
O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\GameSpot Download Manager.lnk = File not found
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\Last.fm Helper.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\drivers\smss.exe) - File not found
O22 - SharedTaskScheduler: {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - rtasgvfu76ew8ndkfno94 - File not found
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/07/02 17:26:58 | 000,002,444 | ---- | M] () - C:\autorun.PNF -- [ NTFS ]
O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell - "" = Autorun
O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\Open\command - "" = E:\resycled\ntldr.com e:
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2011/04/25 10:07:17 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
[2011/04/25 10:03:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\RK_Quarantine
[2011/04/25 09:05:34 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Charlie\Desktop\mbam-setup(2).exe
[2011/04/25 09:05:26 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Charlie\Desktop\cwshredder.exe
[2011/04/24 20:55:07 | 008,128,007 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.exe
[2011/04/24 20:55:03 | 000,187,072 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Charlie\Desktop\FixSwen.exe
[2011/04/24 20:11:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/24 20:11:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/24 20:11:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/24 20:11:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/24 20:11:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/24 19:40:42 | 000,000,000 | ---D | C] -- C:\Avenger
[2011/04/24 19:21:35 | 000,028,672 | ---- | C] (Doug Knox MS-MVP) -- C:\Documents and Settings\Charlie\Desktop\MessengerDisable.exe
[2011/04/24 18:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\backups
[2011/04/24 18:49:05 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Charlie\Desktop\HijackThis.exe
[2011/04/24 18:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\mcafee
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
[2011/04/25 12:46:06 | 001,117,696 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\RogueKiller.exe
[2011/04/25 11:31:04 | 004,329,386 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2011/04/25 11:18:54 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Charlie\Desktop\cwshredder.exe
[2011/04/25 10:04:45 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/25 09:59:32 | 000,000,017 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.opt
[2011/04/25 08:10:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/25 07:58:15 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/24 23:40:46 | 000,187,072 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Charlie\Desktop\FixSwen.exe
[2011/04/24 23:38:46 | 008,128,007 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.exe
[2011/04/24 22:56:30 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Charlie\Desktop\mbam-setup(2).exe
[2011/04/24 21:34:44 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Charlie\Desktop\HijackThis.exe
[2011/04/24 18:52:05 | 000,000,831 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
[2011/04/10 22:04:46 | 000,000,459 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\fixswen.inf
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/25 10:01:42 | 001,117,696 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\RogueKiller.exe
[2011/04/25 09:05:17 | 004,329,386 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2011/04/25 08:15:30 | 000,000,459 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\fixswen.inf
[2011/04/25 07:13:28 | 000,000,017 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.opt
[2011/04/24 22:19:49 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\avenger.exe
[2011/04/24 20:11:49 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/09 15:36:10 | 000,018,432 | ---- | C] () -- C:\WINDOWS\vron_1249846569.exe
[2009/08/08 19:29:58 | 000,000,002 | ---- | C] () -- C:\WINDOWS\010112010146120114.dat
[2009/07/05 20:22:43 | 000,000,002 | ---- | C] () -- C:\WINDOWS\0101120101464849.dat
[2009/07/05 20:10:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\strt_1246838951.exe
[2009/07/02 17:45:12 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\bf23567.dat
[2009/07/02 16:40:10 | 000,000,002 | ---- | C] () -- C:\WINDOWS\010112010146118114.dat
[2008/01/09 07:18:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/12/11 15:43:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/10/08 10:21:43 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/22 21:15:23 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/08/06 20:07:06 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/08/06 20:05:13 | 000,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2007/08/06 20:05:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/08/06 20:05:01 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/08/06 20:03:48 | 000,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2007/06/29 19:13:15 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2007/03/06 10:00:52 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/12 10:12:12 | 000,000,023 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2007/01/15 13:05:08 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/01/15 13:05:08 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\4D653ADD3D.sys
[2007/01/09 22:58:20 | 000,000,016 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/12/25 11:46:42 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/12/25 11:38:00 | 000,001,168 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/12/25 09:42:13 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/12/25 09:11:33 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\fusioncache.dat
[2006/11/02 17:59:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/02 17:50:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/02 17:40:41 | 000,000,154 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/02 17:39:16 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/11/02 17:34:32 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/11/02 17:09:42 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/11/02 17:09:24 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2006/11/02 17:09:22 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/11/02 17:09:18 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/11/02 17:09:10 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/09 19:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 15:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 15:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 15:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 14:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 14:57:15 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 14:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 14:51:20 | 000,400,090 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 14:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 14:51:20 | 000,061,590 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 14:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 14:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 14:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 14:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 14:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 14:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 14:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 14:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== LOP Check ==========

[2007/11/08 12:04:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Findley Designs
[2007/08/06 20:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2007/08/06 20:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2011/04/24 20:43:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/11/02 17:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2008/12/30 22:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2007/06/14 09:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\acccore
[2008/01/06 00:09:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\BitTorrent
[2007/07/14 21:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\LucasArts
[2011/04/25 07:58:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\MEGAUPLOADTOOLBAR
[2008/12/25 18:12:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Red Alert 3
[2008/11/04 04:30:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/07/02 16:37:38 | 000,007,680 | ---- | M] () -- C:\gswrij.exe
[2009/07/02 16:37:35 | 000,043,008 | ---- | M] (Microsoft Corporation) -- C:\rmydqsiw.exe
[2009/07/02 16:36:08 | 000,024,576 | ---- | M] () -- C:\ttrw.exe
[2001/05/24 12:59:30 | 000,162,304 | ---- | M] () -- C:\UNWISE.EXE
[2009/07/02 16:38:31 | 000,084,992 | ---- | M] () -- C:\wyqrvts.exe


< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2004/08/04 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2009/06/18 11:03:47 | 000,509,544 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2009/06/18 11:03:47 | 000,509,544 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2009/06/18 11:03:47 | 000,509,544 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2009/06/18 11:03:46 | 000,307,704 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2009/06/18 11:03:46 | 000,307,704 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2009/06/18 11:03:46 | 000,307,704 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "%programfiles%\Internet Explorer\iexplore.exe" [2008/04/13 20:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2009/06/18 11:03:47 | 000,509,544 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2009/06/18 11:03:47 | 000,509,544 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2009/06/18 11:03:47 | 000,509,544 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2009/06/18 11:03:46 | 000,307,704 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2009/06/18 11:03:46 | 000,307,704 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2009/06/18 11:03:46 | 000,307,704 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "%programfiles%\Internet Explorer\iexplore.exe" [2008/04/13 20:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation)

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}] -> \Device\__max++>\^ -> Mount Point

< End of report >


OTL Extras logfile created on: 2011/04/25 10:12:38 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Charlie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000411 | Country: Japan | Language: JPN | Date Format: yyyy/MM/dd

759.00 Mb Total Physical Memory | 483.00 Mb Available Physical Memory | 64.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.47 Gb Total Space | 9.26 Gb Free Space | 17.65% Space Free | Partition Type: NTFS

Computer Name: BIG_BOSS | User Name: Charlie | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" %*
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"Disable Config" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8241:TCP" = 8241:TCP:*:Enabled:BitComet 8241 TCP
"8241:UDP" = 8241:UDP:*:Enabled:BitComet 8241 UDP
"8085:TCP" = 8085:TCP:*:Enabled:drv

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Last.fm\LastFM.exe" = C:\Program Files\Last.fm\LastFM.exe:*:Enabled:LastFM
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\BitTorrent_DNA\dna.exe" = C:\Program Files\BitTorrent_DNA\dna.exe:*:Enabled:BitTorrent DNA
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- ()
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{11D2C5F8-F379-4659-85BE-DCE1D8D60FB8}" = OpenOffice.org Installer 1.0
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}" = MobileMe Control Panel
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{296D8550-CB06-48E4-9A8B-E5034FB64715}" = Command & Conquer™ Red Alert™ 3
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{3846E811-639D-4DE1-844B-30491C0A6C0C}" = Dell Support 3.2
"{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}" = Mega Manager
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{444B6A7B-0E26-4416-A43F-D1C9AAE6075D}" = Canon CanoScan Toolbox 4.8
"{57BBB1AD-A239-4B05-86F5-3D138A0CFEE8}" = PureVoice
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}" = Presto! PageManager 6.11
"{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}" = EarthLink Setup Files
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{746EC26B-9A80-4FD5-9861-545E0CD2A795}" = Mega Manager
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7ADE3A47-B425-45E9-8FF6-11BE2B775645}" = Corel Snapfire Plus
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C49EA42-5647-4051-84C2-E6404F25A931}" = Yahoo! Music Jukebox
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D2261C4B-4D9B-4149-8472-31B7A2FEAB91}" = ArcSoft PhotoStudio 5.5
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"‚¤‚¿‚¾ƒVƒbƒh" = ‚¤‚¿‚¾ƒVƒbƒh ?????????
"989E4C3B-B2C9-4486-9A09-D5A8F953837C" = Bejeweled 2 Deluxe
"AC3Filter" = AC3Filter (remove only)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"AIM_6" = AIM 6
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.0+6
"BitComet" = BitComet 0.80
"BitTorrent" = BitTorrent 5.0.9
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"Cliprex DVD Player Professional" = Cliprex DVD Player Professional
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Game Console" = Dell Game Console
"ffdshow_is1" = ffdshow [rev 1425] [2007-08-17]
"FlashGet(JetCar)" = FlashGet(JetCar)
"iPod Access for Windows_is1" = iPod Access for Windows v4.1.3
"KainUninstallKey" = Legacy of Kain
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MegauploadToolbar" = Megaupload Toolbar
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"My Global Search Uninstall" = My Global Search Bar
"RealPlayer 6.0" = RealPlayer Basic
"SearchAssist" = SearchAssist
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SysInfo" = Creative System Information
"Trillian" = Trillian
"VLC media player" = VideoLAN VLC media player 0.8.6d
"WhenUSaveMsg" = WhenU Save
"WildTangent CDA" = WildTangent Web Driver
"WinAce Archiver" = WinAce Archiver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WOLAPI" = Westwood Shared Internet Components
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager
"ZENcast Organizer" = ZENcast Organizer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2011/04/25 8:04:16 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:04:16 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:04:17 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:04:17 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:04:17 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:04:17 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:04:20 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 2011/04/25 8:05:21 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: 404 (HTTP Response Status)

Error - 2011/04/25 8:09:51 | Computer Name = BIG_BOSS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: 404 (HTTP Response Status)

Error - 2011/04/25 8:12:18 | Computer Name = BIG_BOSS | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

[ System Events ]
Error - 2011/04/24 20:42:31 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 2011/04/24 20:43:24 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011/04/25 7:55:43 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2011/04/25 8:11:56 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2011/04/25 8:12:07 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011/04/25 8:15:05 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011/04/25 9:05:05 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011/04/25 9:05:08 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011/04/25 9:07:52 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011/04/25 10:04:50 | Computer Name = BIG_BOSS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}


< End of report >
  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Please note the above warning

Back to work

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\drivers\smss.exe) - File not found
    O22 - SharedTaskScheduler: {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - rtasgvfu76ew8ndkfno94 - File not found
    O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
    O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\Open\command - "" = E:\resycled\ntldr.com e:
    [2011/04/24 18:52:05 | 000,000,831 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
    [2009/08/09 15:36:10 | 000,018,432 | ---- | C] () -- C:\WINDOWS\vron_1249846569.exe
    [2009/08/08 19:29:58 | 000,000,002 | ---- | C] () -- C:\WINDOWS\010112010146120114.dat
    [2009/07/05 20:22:43 | 000,000,002 | ---- | C] () -- C:\WINDOWS\0101120101464849.dat
    [2009/07/05 20:10:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\strt_1246838951.exe
    [2009/07/02 17:45:12 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\bf23567.dat
    [2009/07/02 16:40:10 | 000,000,002 | ---- | C] () -- C:\WINDOWS\010112010146118114.dat
    [2009/07/02 16:37:38 | 000,007,680 | ---- | M] () -- C:\gswrij.exe
    [2009/07/02 16:37:35 | 000,043,008 | ---- | M] (Microsoft Corporation) -- C:\rmydqsiw.exe
    [2009/07/02 16:36:08 | 000,024,576 | ---- | M] () -- C:\ttrw.exe
    [2009/07/02 16:38:31 | 000,084,992 | ---- | M] () -- C:\wyqrvts.exe
    [C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}] -> \Device\__max++>\^ -> Mount Point

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan click "save log", save it to your desktop and post it in your next reply
  • 0
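The fix script in the post above removes four distinct hijack points in one pass: a statically configured NameServer (85.255.112.39,85.255.112.40) that overrides the DHCP-assigned resolvers OTL lists separately as DhcpNameServer (68.105.28.12 68.105.29.12 68.105.28.11); a Winlogon UserInit value pointing at an smss.exe under system32\drivers (the stock value is system32\userinit.exe, and the real smss.exe lives in system32, not drivers); a SharedTaskScheduler CLSID with a random name whose backing file is missing; and MountPoints2 AutoRun/Open handlers that launch resycled\ntldr.com from the E: drive whenever that volume is opened. The Python script below is an added example, not part of the thread and not OTL's own code: it reads OTL-style report lines and flags exactly those conditions, so the same checks can be rerun on the post-fix scan. The sample input is constructed from the entries quoted in the fix script plus the DhcpNameServer and Shell lines from the later log as benign controls; the expected UserInit path is an assumption about a stock Windows XP install.

```python
"""OTL persistence-line triage.

Added example for this thread, not OTL's own code. Parses the O17/O20/O22/O33
lines an OTL report emits and flags the conditions the fix script targets.
The sample input is constructed from the entries quoted in the thread;
EXPECTED_USERINIT is an assumption about a stock Windows XP install.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Assumption: stock Windows XP. OTL prints the value without its trailing comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the lines the fix script removed, plus the DHCP resolvers
# and the Shell value from the post-fix scan as benign controls.
SAMPLE_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\drivers\smss.exe) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O22 - SharedTaskScheduler: {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - rtasgvfu76ew8ndkfno94 - File not found
O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
O33 - MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\Shell\Open\command - "" = E:\resycled\ntldr.com e:
"""

O17_RE = re.compile(r":\s*(NameServer|DhcpNameServer)\s*=\s*(.*)$")
O20_RE = re.compile(r"Winlogon:\s*(\w+)\s*-\s*\((.*?)\)\s*-\s*(.*)$")
O33_RE = re.compile(r'MountPoints2\\(\{[0-9A-Fa-f-]+\})\\Shell\\(\w+)\\command\s*-\s*""\s*=\s*(.*)$')


@dataclass
class Finding:
    line_type: str   # OTL section tag, e.g. "O20"
    reason: str      # why the line was flagged
    detail: str      # the value or path involved


def _resolvers(value: str) -> set[str]:
    """OTL separates NameServer entries with commas and DhcpNameServer with spaces."""
    return {ip for ip in re.split(r"[ ,]+", value.strip()) if ip}


def triage(report: str) -> list[Finding]:
    """Return findings for the persistence lines in an OTL report, in report order.
    The O17 resolver check is emitted last because it needs both O17 lines."""
    findings: list[Finding] = []
    static_ns: set[str] | None = None
    dhcp_ns: set[str] | None = None

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]

        if tag == "O17":
            m = O17_RE.search(line)
            if m and m.group(1) == "NameServer":
                static_ns = _resolvers(m.group(2))
            elif m:
                dhcp_ns = _resolvers(m.group(2))

        elif tag == "O20":
            m = O20_RE.search(line)
            if m and m.group(1).lower() == "userinit":
                path = m.group(2).rstrip(",").lower()
                if path != EXPECTED_USERINIT or "File not found" in m.group(3):
                    findings.append(Finding("O20", "UserInit is not the stock userinit.exe", m.group(2)))

        elif tag == "O22":
            # A SharedTaskScheduler CLSID whose DLL is gone is a leftover to remove;
            # Explorer would try to load it at every logon.
            if line.endswith("File not found"):
                findings.append(Finding("O22", "SharedTaskScheduler entry with missing file", line))

        elif tag == "O33":
            # Per-volume AutoRun/Open handlers fire when the drive is double-clicked,
            # whether or not autorun.inf is still present on the media.
            m = O33_RE.search(line)
            if m:
                findings.append(Finding("O33", f"MountPoints2 {m.group(2)} handler on volume {m.group(1)}", m.group(3)))

    # A static NameServer that is not a subset of the DHCP-assigned resolvers
    # sends every lookup on the box to whoever controls those addresses.
    if static_ns and (dhcp_ns is None or not static_ns <= dhcp_ns):
        findings.append(Finding("O17", "static NameServer overrides DHCP resolvers", ",".join(sorted(static_ns))))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LINES
    for f in triage(text):
        print(f"[{f.line_type}] {f.reason}: {f.detail}")
```

Run with no arguments to see the five findings from the constructed sample, or pass a saved OTL.txt as the first argument to rerun the same checks against a real report. The resolver comparison is deliberately a subset test rather than an equality test, since a hand-configured resolver that matches one of the DHCP-assigned addresses is not a hijack.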

#5
mariijane

    Member

  • Topic Starter
  • Member
  • 20 posts
Many thanks again!

Ran OTL as instructed (fix), let it reboot and it produced the first log below.
Ran OTL a second time as above and it produced the second log below. I noticed after rebooting, the desktop image that had the "Your System is Infected" message is gone and is now a plain blue screen.
Downloaded and ran aswMBR.exe and it produced the third log below.

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\drivers\smss.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{D76AB2A1-00F3-42BD-F434-00BBC39C8953} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{899a5ec8-6749-11de-8751-0015c56dce9e}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{899a5ec8-6749-11de-8751-0015c56dce9e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{899a5ec8-6749-11de-8751-0015c56dce9e}\ not found.
File E:\resycled\ntldr.com e:\ not found.
C:\WINDOWS\system32\critical_warning.html moved successfully.
C:\WINDOWS\vron_1249846569.exe moved successfully.
C:\WINDOWS\010112010146120114.dat moved successfully.
C:\WINDOWS\0101120101464849.dat moved successfully.
C:\WINDOWS\strt_1246838951.exe moved successfully.
C:\WINDOWS\bf23567.dat moved successfully.
C:\WINDOWS\010112010146118114.dat moved successfully.
C:\gswrij.exe moved successfully.
C:\rmydqsiw.exe moved successfully.
C:\ttrw.exe moved successfully.
C:\wyqrvts.exe moved successfully.
Mount Point C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF} removed successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.
 
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
C:\Documents and Settings\Charlie\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Charlie\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: Charlie
->Temp folder emptied: 510872319 bytes
->Temporary Internet Files folder emptied: 14520176 bytes
->Java cache emptied: 2443183 bytes
->FireFox cache emptied: 131449905 bytes
->Flash cache emptied: 583 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: marmar
->Temp folder emptied: 181947766 bytes
->Temporary Internet Files folder emptied: 2879277 bytes
->Java cache emptied: 246171 bytes
->FireFox cache emptied: 62390801 bytes
->Flash cache emptied: 19710 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67133329 bytes
 
User: Owner
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 4230673 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 164179690 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 4328852 bytes
 
Total Files Cleaned = 1,094.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Charlie
->Flash cache emptied: 0 bytes
 
User: Default User
 
User: LocalService
 
User: marmar
->Flash cache emptied: 0 bytes
 
User: NetworkService
 
User: Owner
 
Total Flash Files Cleaned = 0.00 mb
 
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.
 
OTL by OldTimer - Version 3.2.22.3 log created on 04252011_105824

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\marmar\Local Settings\Temp\hsperfdata_marmar\3544 scheduled to be moved on reboot.

Registry entries deleted on Reboot...

OTL logfile created on: 2011/04/25 11:12:59 - Run 2
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Documents and Settings\Charlie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000411 | Country: Japan | Language: JPN | Date Format: yyyy/MM/dd
 
759.00 Mb Total Physical Memory | 422.00 Mb Available Physical Memory | 56.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.47 Gb Total Space | 9.53 Gb Free Space | 18.16% Space Free | Partition Type: NTFS
 
Computer Name: BIG_BOSS | User Name: Charlie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/25 04:28:02 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
PRC - [2008/01/03 12:15:06 | 000,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2007/09/07 19:01:54 | 000,043,008 | ---- | M] () -- C:\Program Files\BitTorrent\bittorrent.exe
PRC - [2007/05/25 13:16:08 | 000,042,032 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2007/04/05 22:35:40 | 001,543,614 | ---- | M] () -- C:\Program Files\iPod Access for Windows\iPAHelper.exe
PRC - [2006/08/03 20:50:46 | 000,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/07/16 23:29:54 | 000,389,120 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
PRC - [2006/03/25 01:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2003/09/10 04:24:00 | 000,020,480 | ---- | M] () -- C:\Program Files\NetWaiting\netwaiting.exe
PRC - [2003/05/08 12:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
MOD - [2008/04/13 20:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2003/05/08 12:00:46 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Auto | Stopped] --  -- (Viewpoint Manager Service)
SRV - File not found [Auto | Stopped] --  -- (mfevtp)
SRV - File not found [Disabled | Stopped] --  -- (HidServ)
SRV - File not found [On_Demand | Stopped] --  -- (AppMgmt)
SRV - [2009/07/02 16:40:17 | 000,036,352 | ---- | M] () [Auto | Start_Pending] -- C:\Program Files\drv\drv.dll -- (drv)
SRV - [2007/04/05 22:35:40 | 001,543,614 | ---- | M] () [Auto | Running] -- C:\Program Files\iPod Access for Windows\iPAHelper.exe -- (iPAHelper.exe)
SRV - [2006/08/03 20:50:46 | 000,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2009/07/02 16:40:16 | 000,009,344 | ---- | M] (drv) [Kernel | System | Running] -- C:\Program Files\drv\drv.sys -- (drvdrv)
DRV - [2008/06/20 07:08:27 | 000,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2006/11/02 17:40:17 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/08/25 09:23:08 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/03/25 01:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/10 14:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/11/02 21:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/08/12 19:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/22 05:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 05:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 05:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
 
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/24 22:47:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 22:47:22 | 000,000,000 | ---D | M]
 
[2008/09/23 12:19:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Charlie\Application Data\Mozilla\Extensions
[2007/09/04 09:26:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\thikbzvr.default\extensions
[2009/07/02 16:55:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/15 20:05:00 | 000,049,152 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
 
O1 HOSTS File: ([2011/04/25 10:58:28 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD                                   )
O3 - HKLM\..\Toolbar: (FlashGet Bar) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll (Amaze Soft)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD                                   )
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [BitTorrent] C:\Program Files\BitTorrent\bittorrent.exe ()
O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\GameSpot Download Manager.lnk =  File not found
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\Last.fm Helper.lnk =  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: 
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/07/02 17:26:58 | 000,002,444 | ---- | M] () - C:\autorun.PNF -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/04/25 11:13:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\new
[2011/04/25 10:58:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/25 10:57:38 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Charlie\Desktop\aswMBR.exe
[2011/04/25 10:07:17 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
[2011/04/25 10:03:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\RK_Quarantine
[2011/04/25 09:05:34 | 007,734,240 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Charlie\Desktop\mbam-setup(2).exe
[2011/04/25 09:05:26 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Charlie\Desktop\cwshredder.exe
[2011/04/24 20:55:07 | 008,128,007 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.exe
[2011/04/24 20:55:03 | 000,187,072 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Charlie\Desktop\FixSwen.exe
[2011/04/24 20:11:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/24 20:11:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/24 20:11:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/24 20:11:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/24 20:11:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/24 19:40:42 | 000,000,000 | ---D | C] -- C:\Avenger
[2011/04/24 18:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\backups
[2011/04/24 18:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\mcafee
 
========== Files - Modified Within 30 Days ==========
 
[2011/04/25 13:42:28 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Charlie\Desktop\aswMBR.exe
[2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
[2011/04/25 12:46:06 | 001,117,696 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\RogueKiller.exe
[2011/04/25 11:31:04 | 004,329,386 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2011/04/25 11:18:54 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Charlie\Desktop\cwshredder.exe
[2011/04/25 11:11:45 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\MBR.dat
[2011/04/25 11:04:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/25 11:02:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/25 11:02:25 | 796,327,936 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/25 10:04:45 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/25 09:59:32 | 000,000,017 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.opt
[2011/04/24 23:40:46 | 000,187,072 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Charlie\Desktop\FixSwen.exe
[2011/04/24 23:38:46 | 008,128,007 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.exe
[2011/04/24 22:56:30 | 007,734,240 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Charlie\Desktop\mbam-setup(2).exe
[2011/04/10 22:04:46 | 000,000,459 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\fixswen.inf
 
========== Files Created - No Company Name ==========
 
[2011/04/25 11:11:45 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\MBR.dat
[2011/04/25 11:02:25 | 796,327,936 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/25 10:01:42 | 001,117,696 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\RogueKiller.exe
[2011/04/25 09:05:17 | 004,329,386 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
[2011/04/25 08:15:30 | 000,000,459 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\fixswen.inf
[2011/04/25 07:13:28 | 000,000,017 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.opt
[2011/04/24 20:11:49 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/01/09 07:18:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/12/11 15:43:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/10/08 10:21:43 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/22 21:15:23 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/08/06 20:07:06 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/08/06 20:05:13 | 000,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2007/08/06 20:05:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/08/06 20:05:01 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/08/06 20:03:48 | 000,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2007/06/29 19:13:15 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2007/03/06 10:00:52 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/12 10:12:12 | 000,000,023 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2007/01/15 13:05:08 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/01/15 13:05:08 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\4D653ADD3D.sys
[2007/01/09 22:58:20 | 000,000,016 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/12/25 11:46:42 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/12/25 11:38:00 | 000,001,168 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/12/25 09:42:13 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/12/25 09:11:33 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\fusioncache.dat
[2006/11/02 17:59:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/02 17:50:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/02 17:40:41 | 000,000,154 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/02 17:39:16 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/11/02 17:34:32 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/11/02 17:09:42 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/11/02 17:09:24 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2006/11/02 17:09:22 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/11/02 17:09:18 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/11/02 17:09:10 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/09 19:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 15:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 15:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 15:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 14:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 14:57:15 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 14:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 14:51:20 | 000,400,090 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 14:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 14:51:20 | 000,061,590 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 14:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 14:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 14:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 14:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 14:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 14:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 14:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 14:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
 
[color=#E56717]========== LOP Check ==========[/color]
 
[2007/11/08 12:04:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Findley Designs
[2007/08/06 20:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2007/08/06 20:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2011/04/24 20:43:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/11/02 17:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2008/12/30 22:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2007/06/14 09:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\acccore
[2008/01/06 00:09:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\BitTorrent
[2007/07/14 21:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\LucasArts
[2011/04/25 11:13:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\MEGAUPLOADTOOLBAR
[2008/12/25 18:12:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Red Alert 3
[2008/11/04 04:30:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
 
[color=#E56717]========== Purity Check ==========[/color]

< End of report >

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-25 11:06:31
-----------------------------
11:06:31.531    OS Version: Windows 5.1.2600 Service Pack 3
11:06:31.531    Number of processors: 1 586 0xD08
11:06:31.531    ComputerName: BIG_BOSS  UserName: Charlie
11:06:32.265    Initialize success
11:06:41.156    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
11:06:41.156    Disk 0 Vendor: SAMSUNG_HM060HC YJ100-15 Size: 57231MB BusType: 3
11:06:43.171    Disk 0 MBR read successfully
11:06:43.171    Disk 0 MBR scan
11:06:45.171    Disk 0 scanning sectors +117194175
11:06:45.203    Disk 0 scanning C:\WINDOWS\system32\drivers
11:06:52.125    File: C:\WINDOWS\system32\drivers\gaopdxltqlhhbl.sys **HIDDEN**
11:06:52.140    File: C:\WINDOWS\system32\drivers\gaopdxnirmdxub.sys **HIDDEN**
11:06:52.156    File: C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys **HIDDEN**
11:06:52.156    Service scanning
11:06:52.734    Disk 0 trace - called modules:
11:06:52.734    ntkrnlpa.exe >>UNKNOWN [0x8371f6d3]<<>>UNKNOWN [0xaa37904a]<<
11:06:52.734    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x837ccab8]
11:06:52.734    Scan finished successfully


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK you have a hidden rootkit as well (two varieties)

11:06:52.125 File: C:\WINDOWS\system32\drivers\gaopdxltqlhhbl.sys **HIDDEN**
11:06:52.140 File: C:\WINDOWS\system32\drivers\gaopdxnirmdxub.sys **HIDDEN**
11:06:52.156 File: C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys **HIDDEN**
11:06:52.156 Service scanning
11:06:52.734 Disk 0 trace - called modules:
11:06:52.734 ntkrnlpa.exe >>UNKNOWN [0x8371f6d3]<<>>UNKNOWN [0xaa37904a]<<
11:06:52.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x837ccab8]
11:06:52.734 Scan finished successfully


Could you delete your current copy of combofix please as we need to use a fresh one

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
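Essexboy's read of the aswMBR output above rests on the three `**HIDDEN**` lines: the scanner's raw disk and driver walk found files that the normal file-system view did not return, which is the signature of a file-hiding rootkit. The OTL log later in this thread carries the same kind of signal in a different shape (a `DRV - File not found [... | Running]` entry, and a service/driver pair with no publisher). The script below is an added example, not part of this thread and not code from aswMBR or OTL: it parses both line formats and ranks what a helper should look at first. The sample lines are excerpted from the logs posted here; the `Finding`/`triage` names, the HIGH/MEDIUM/LOW labels, and the "publisher equals file name" and "driver outside %SystemRoot%" heuristics are my assumptions about review priority, not verdicts on any file.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input, excerpted from the aswMBR log posted above.
SAMPLE_ASWMBR = r"""
11:06:52.125    File: C:\WINDOWS\system32\drivers\gaopdxltqlhhbl.sys **HIDDEN**
11:06:52.140    File: C:\WINDOWS\system32\drivers\gaopdxnirmdxub.sys **HIDDEN**
11:06:52.156    File: C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys **HIDDEN**
11:06:52.156    Service scanning
11:06:52.734    Scan finished successfully
"""

# Sample input, excerpted from the OTL service/driver sections posted later in the thread.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] --  -- (Viewpoint Manager Service)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/07/02 16:40:17 | 000,036,352 | ---- | M] () [Auto | Start_Pending] -- C:\Program Files\drv\drv.dll -- (drv)
DRV - File not found [Kernel | Unknown | Running] --  -- (gwmulmma)
DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/07/02 16:40:16 | 000,009,344 | ---- | M] (drv) [Kernel | System | Running] -- C:\Program Files\drv\drv.sys -- (drvdrv)
"""

# aswMBR marks every object its raw disk/driver walk finds that the normal
# file-system view does not return.
HIDDEN_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+File:\s+(?P<path>.+?)\s+\*\*HIDDEN\*\*\s*$")

# OTL SRV/DRV lines come in two shapes: the image exists on disk ...
OTL_FOUND_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<stamp>[^\]]+)\] \((?P<company>[^)]*)\) "
    r"\[(?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)\s*$"
)
# ... or OTL could not open it at the registered path.
OTL_MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]+)\] --\s*-- \((?P<name>[^)]+)\)\s*$"
)

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Finding:
    severity: str   # HIGH / MEDIUM / LOW: an assumed review ranking, not a verdict
    source: str     # "aswMBR" or "OTL"
    name: str       # service/driver name, or the hidden file's path
    reason: str


def triage_aswmbr(text: str) -> List[Finding]:
    """Every **HIDDEN** file is top priority: something is filtering the directory view."""
    return [
        Finding("HIGH", "aswMBR", m.group("path"), "on disk but hidden from the file-system view")
        for m in (HIDDEN_RE.match(line) for line in text.splitlines()) if m
    ]


def triage_otl(text: str) -> List[Finding]:
    """Rank OTL SRV/DRV entries by how hard they are to explain."""
    out: List[Finding] = []
    for line in text.splitlines():
        m = OTL_MISSING_RE.match(line)
        if m:
            kind, name = m.group("kind"), m.group("name")
            run_state = m.group("state").split("|")[-1].strip()
            if run_state == "Running":
                # A loaded driver or running service whose image cannot be opened by
                # path is what a file-hiding rootkit looks like from user mode.
                out.append(Finding("HIGH", "OTL", name, f"{kind} is Running but its image file cannot be found"))
            else:
                out.append(Finding("LOW", "OTL", name, f"{kind} registered, not running, image missing (orphaned entry)"))
            continue
        m = OTL_FOUND_RE.match(line)
        if not m:
            continue
        kind, name, path = m.group("kind"), m.group("name"), m.group("path")
        company = m.group("company").strip()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if not company:
            out.append(Finding("MEDIUM", "OTL", name, f"{kind} image {path} carries no company name"))
        elif company.lower() == stem:
            # Heuristic (assumption): a publisher string that is just the file name
            # is a placeholder, not a vendor.
            out.append(Finding("MEDIUM", "OTL", name, f"{kind} image {path} names itself as publisher ({company!r})"))
        if kind == "DRV" and not path.lower().startswith("c:\\windows\\"):
            # Heuristic (assumption): kernel drivers normally live under %SystemRoot%.
            out.append(Finding("MEDIUM", "OTL", name, f"kernel driver loaded from outside %SystemRoot%: {path}"))
    return out


def triage(aswmbr_text: str, otl_text: str) -> List[Finding]:
    """Combined findings, highest severity first, so the review queue starts at the rootkit."""
    findings = triage_aswmbr(aswmbr_text) + triage_otl(otl_text)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.source, f.name))


if __name__ == "__main__":
    for f in triage(SAMPLE_ASWMBR, SAMPLE_OTL):
        print(f"[{f.severity:6}] {f.source:6} {f.name}: {f.reason}")
```

Treat the output as a review queue, not a detection: on this machine the location rule would also flag Dell's `DSproct.sys` under `Program Files`, and the empty-company rule flags `iPAHelper.exe`, both of which are ordinary third-party binaries. What the heuristics rank highest here are the three hidden drivers, the running `gwmulmma` driver with no file behind it, and the `drv`/`drvdrv` pair that names itself as its own publisher. The McAfee entries produce nothing, which is the point of the publisher and path checks.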

#7 mariijane (Topic Starter, Member, 20 posts)
So, I re-downloaded Combofix from one of the provided links, deleted the old one & attempted to run the program in Safe Mode. Basically, when I double click on it, I get the hourglass for a hot minute, then nothing. I rebooted regularly but after clicking on my profile, all it did was give me the hourglass ("Loading your personal settings...") for several minutes.

I restarted and it went straight to Windows in regular mode only this time, I was able to pull up my desktop. I tried running Combofix again from here, and still, the same issue. Hourglass then nothing.

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK we need to go another route

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to replace with dummy:
C:\WINDOWS\system32\drivers\gaopdxltqlhhbl.sys
C:\WINDOWS\system32\drivers\gaopdxnirmdxub.sys
C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log .

#9 mariijane (Topic Starter, Member, 20 posts)
Thanks again, mate!

Results of Avenger followed by an OTL scan:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\drivers\gaopdxltqlhhbl.sys" replaced with dummy successfully.
File "C:\WINDOWS\system32\drivers\gaopdxnirmdxub.sys" replaced with dummy successfully.

Error:  could not create dummy to replace file "C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys"
Replacement with dummy of file "C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys" failed!
Status: 0xc0000035 (STATUS_OBJECT_NAME_COLLISION)
  --> another object exists already with the same name


Completed script processing.

*******************

Finished!  Terminate.

OTL logfile created on: 2011/04/25 13:51:05 - Run 3
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Documents and Settings\Charlie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000411 | Country: Japan | Language: JPN | Date Format: yyyy/MM/dd
 
759.00 Mb Total Physical Memory | 409.00 Mb Available Physical Memory | 54.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.47 Gb Total Space | 9.53 Gb Free Space | 18.16% Space Free | Partition Type: NTFS
 
Computer Name: BIG_BOSS | User Name: Charlie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/25 04:28:02 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
PRC - [2008/01/03 12:15:06 | 000,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2007/09/07 19:01:54 | 000,043,008 | ---- | M] () -- C:\Program Files\BitTorrent\bittorrent.exe
PRC - [2007/05/25 13:16:08 | 000,042,032 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2007/04/05 22:35:40 | 001,543,614 | ---- | M] () -- C:\Program Files\iPod Access for Windows\iPAHelper.exe
PRC - [2006/08/03 20:50:46 | 000,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/07/16 23:29:54 | 000,389,120 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
PRC - [2006/03/25 01:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/09/24 00:05:26 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2003/09/10 04:24:00 | 000,020,480 | ---- | M] () -- C:\Program Files\NetWaiting\netwaiting.exe
PRC - [2003/05/08 12:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
 
 
[color=#E56717]========== Modules (SafeList) ==========[/color]
 
MOD - [2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
MOD - [2008/04/13 20:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2003/05/08 12:00:46 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV - File not found [Auto | Stopped] --  -- (Viewpoint Manager Service)
SRV - File not found [Disabled | Stopped] --  -- (HidServ)
SRV - File not found [On_Demand | Stopped] --  -- (AppMgmt)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/07/02 16:40:17 | 000,036,352 | ---- | M] () [Auto | Start_Pending] -- C:\Program Files\drv\drv.dll -- (drv)
SRV - [2007/04/05 22:35:40 | 001,543,614 | ---- | M] () [Auto | Running] -- C:\Program Files\iPod Access for Windows\iPAHelper.exe -- (iPAHelper.exe)
SRV - [2006/08/03 20:50:46 | 000,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV - File not found [Kernel | Unknown | Running] --  -- (gwmulmma)
DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/07/02 16:40:16 | 000,009,344 | ---- | M] (drv) [Kernel | System | Running] -- C:\Program Files\drv\drv.sys -- (drvdrv)
DRV - [2008/06/20 07:08:27 | 000,225,856 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2006/11/02 17:40:17 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/08/25 09:23:08 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/03/25 01:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/10 14:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/11/02 21:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/08/12 19:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/22 05:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 05:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 05:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
IE - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
IE - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
[color=#E56717]========== FireFox ==========[/color]
 
 
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/24 22:47:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 22:47:22 | 000,000,000 | ---D | M]
 
[2008/09/23 12:19:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Charlie\Application Data\Mozilla\Extensions
[2007/09/04 09:26:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\thikbzvr.default\extensions
[2009/07/02 16:55:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/15 20:05:00 | 000,049,152 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
 
O1 HOSTS File: ([2011/04/25 10:58:28 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD                                   )
O3 - HKLM\..\Toolbar: (FlashGet Bar) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll (Amaze Soft)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\..\Toolbar\WebBrowser: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD                                   )
O3 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007..\Run: [BitTorrent] C:\Program Files\BitTorrent\bittorrent.exe ()
O4 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\GameSpot Download Manager.lnk =  File not found
O4 - Startup: C:\Documents and Settings\Charlie\Start Menu\Programs\Startup\Last.fm Helper.lnk =  File not found
O4 - Startup: C:\Documents and Settings\marmar\Start Menu\Programs\Startup\Last.fm Helper.lnk =  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-4008763428-1199046705-24455348-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: 
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/07/02 17:26:58 | 000,002,444 | ---- | M] () - C:\autorun.PNF -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2011/04/25 13:29:39 | 000,141,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2011/04/25 11:13:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\new
[2011/04/25 10:58:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/25 10:57:38 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Charlie\Desktop\aswMBR.exe
[2011/04/25 10:07:17 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
[2011/04/25 10:03:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\RK_Quarantine
[2011/04/25 09:05:26 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Charlie\Desktop\cwshredder.exe
[2011/04/24 20:55:07 | 008,128,007 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.exe
[2011/04/24 20:55:03 | 000,187,072 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Charlie\Desktop\FixSwen.exe
[2011/04/24 20:11:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/24 20:11:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/24 20:11:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/24 20:11:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/24 20:11:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/24 19:40:42 | 000,000,000 | ---D | C] -- C:\Avenger
[2011/04/24 18:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\backups
[2011/04/24 18:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charlie\Desktop\mcafee
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2011/04/25 13:49:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/25 13:48:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/25 13:47:59 | 796,327,936 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/25 13:42:28 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Charlie\Desktop\aswMBR.exe
[2011/04/25 12:52:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charlie\Desktop\OTL.exe
[2011/04/25 12:46:06 | 001,117,696 | ---- | M] () -- C:\Documents and Settings\Charlie\Desktop\RogueKiller.exe
[2011/04/25 11:18:54 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Charlie\Desktop\cwshredder.exe
[2011/04/25 10:04:45 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/24 23:40:46 | 000,187,072 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Charlie\Desktop\FixSwen.exe
[2011/04/24 23:38:46 | 008,128,007 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Charlie\Desktop\stinger10101535.exe
 
[color=#E56717]========== Files Created - No Company Name ==========[/color]
 
[2011/04/25 13:47:59 | 796,327,936 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/25 13:45:47 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\avenger.exe
[2011/04/25 10:01:42 | 001,117,696 | ---- | C] () -- C:\Documents and Settings\Charlie\Desktop\RogueKiller.exe
[2011/04/24 20:11:49 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/01/09 07:18:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/12/11 15:43:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/10/08 10:21:43 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/22 21:15:23 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/08/06 20:07:06 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/08/06 20:05:13 | 000,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2007/08/06 20:05:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/08/06 20:05:01 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/08/06 20:03:48 | 000,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2007/06/29 19:13:15 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2007/03/06 10:00:52 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/12 10:12:12 | 000,000,023 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2007/01/15 13:05:08 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/01/15 13:05:08 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\4D653ADD3D.sys
[2007/01/09 22:58:20 | 000,000,016 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/12/25 11:46:42 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/12/25 11:38:00 | 000,001,168 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/12/25 09:42:13 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/12/25 09:11:33 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Charlie\Local Settings\Application Data\fusioncache.dat
[2006/11/02 17:59:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/02 17:50:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/02 17:40:41 | 000,000,154 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/02 17:39:16 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/11/02 17:34:32 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/11/02 17:09:42 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/11/02 17:09:24 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2006/11/02 17:09:22 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/11/02 17:09:18 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/11/02 17:09:10 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/09 19:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 15:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 15:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 15:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 14:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 14:57:15 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 14:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 14:51:20 | 000,400,090 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 14:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 14:51:20 | 000,061,590 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 14:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 14:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 14:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 14:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 14:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 14:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 14:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 14:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
 
========== LOP Check ==========
 
[2007/11/08 12:04:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Findley Designs
[2007/08/06 20:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2007/08/06 20:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2011/04/24 20:43:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/11/02 17:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2008/12/30 22:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2007/06/14 09:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\acccore
[2008/01/06 00:09:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\BitTorrent
[2007/07/14 21:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\LucasArts
[2011/04/25 13:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\MEGAUPLOADTOOLBAR
[2008/12/25 18:12:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charlie\Application Data\Red Alert 3
[2007/07/29 19:12:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\acccore
[2007/12/23 20:35:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\Amazon
[2007/12/09 11:59:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\BitTorrent
[2008/04/23 19:45:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\BitTorrent DNA
[2007/09/08 00:40:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\Canon
[2009/01/29 12:52:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\DNA
[2007/08/06 20:02:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\InterTrust
[2007/02/12 13:36:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\Leadertech
[2007/11/25 13:26:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\Megaupload
[2007/11/25 13:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\MegauploadToolbar
[2007/08/06 20:03:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\NewSoft
[2007/08/06 20:07:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\ScanSoft
[2007/10/07 12:09:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\marmar\Application Data\Viewpoint
[2008/11/04 04:30:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
 
========== Purity Check ==========
 
 

< End of report >

  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK now we have some dummies :D

Delete your current copy of combofix please

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.

Link 1
Link 2


==================================

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • 0

#11
mariijane

mariijane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
I was able to successfully re-download and run combofix after renaming.

It downloaded & properly installed the Recovery Console, followed by a message "Scanning for infected files... This typically doesn't take more than 10 minutes However, scan times for badly infected machines may easily double." After about a minute, a Windows pop-up came up, "PEV.cfxxe has encountered a problem and needs to close." I selected "Don't send" when it prompted to send Microsoft the error.

I've had it running for about an hour now and the status hasn't changed. Does it normally take this long & how would I know if it simply is stalling or crashed? Yikes!

EDIT: It's about 9:06pm now and the screen is still blank and giving the same message. I clicked outside of the box and everything froze: I restarted in regular mode and as I was re-running combofix, a Windows pop-up came up ("Windows cannot run iexplorer.exe.") and closed itself out. Everything appears to be scanning fine now. I plan to leave it going overnight and will check back before work tomorrow.

Edited by mariijane, 25 April 2011 - 07:08 PM.

  • 0

#12
mariijane

mariijane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Update: upon leaving it running overnight, it's still at the same screen.
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's skip combofix for now and we will proceed to use AVP - this comes in two parts: the first is a deep virus scan and may take an hour, the second an analysis scan and will take about ten minutes. If you have insufficient time initially to run the virus scan part then go direct to the analysis section.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.


Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

  • 0

#14
mariijane

mariijane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Many thanks! I just ran the scan (selected Hidden startup objects, system memory and disk boot sectors) and gathered the system info as requested. I wasn't sure though, while I was running the scan if I should have followed the prompts to delete, cleanse and reboot: I selected "prompt when scan is complete" to allow it to stay open while I was away. (If necessary, I can make time to do so tomorrow after work.)

Autoscan: stopped 11 minutes ago   (events: 12, objects: 1662, time: 00:01:44)	
2011/04/26 18:29:58	Task stopped			
2011/04/26 18:28:14	Task started			
2011/04/26 18:14:03	Task stopped			
2011/04/26 18:13:45	Detected: MEM:Rootkit.Win32.TDSS.a	System Memory		
2011/04/26 18:13:33	Task started			
2011/04/26 17:39:20	Task stopped			
2011/04/26 17:38:48	Detected: Trojan.Win32.Inject.afhr	C:\WINDOWS\system32\wbem\proquota.exe		
2011/04/26 17:35:25	Deleted: Rootkit.Win32.Small.adn	C:\Program Files\drv\drv.sys		
2011/04/26 17:31:20	Detected: Rootkit.Win32.Small.adn	C:\Program Files\drv\drv.sys		
2011/04/26 17:31:00	Deleted: Trojan-Downloader.Win32.Agent.chpc	C:\Program Files\drv\drv.dll		
2011/04/26 17:29:05	Detected: Trojan-Downloader.Win32.Agent.chpc	C:\Program Files\drv\drv.dll		
2011/04/26 17:26:45	Task started			
Disinfect active threats: completed 59 minutes ago   (events: 4, objects: 6205, time: 00:03:19)	
2011/04/26 17:42:39	Task completed			
2011/04/26 17:39:29	Deleted: Trojan.Win32.Inject.afhr	C:\WINDOWS\system32\wbem\proquota.exe		
2011/04/26 17:39:22	Detected: Trojan.Win32.Inject.afhr	C:\WINDOWS\system32\wbem\proquota.exe		
2011/04/26 17:39:20	Task started			
Disinfect active threats: completed 22 minutes ago   (events: 7, objects: 8773, time: 00:05:23)	
2011/04/26 18:19:26	Task completed			
2011/04/26 18:16:07	Will be deleted on system restart: Rootkit.Win32.Agent.moy	C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys		
2011/04/26 18:15:29	Detected: Rootkit.Win32.Agent.moy	C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys		
2011/04/26 18:14:03	Disinfected: MEM:Rootkit.Win32.TDSS.a	System Memory		
2011/04/26 18:14:03	Disinfected: MEM:Rootkit.Win32.TDSS.a	System Memory		
2011/04/26 18:14:03	Detected: MEM:Rootkit.Win32.TDSS.a	System Memory		
2011/04/26 18:14:03	Task started			
Autoscan: completed 7 minutes ago   (events: 17, objects: 3984, time: 00:03:58)	
2011/04/26 18:34:31	Task completed			
2011/04/26 18:33:47	Will be deleted on system restart: Packed.Win32.TDSS.a	C:\WINDOWS\system32\gaopdxooqoewnd.dll		
2011/04/26 18:33:47	Cannot be deleted: Packed.Win32.TDSS.a	C:\WINDOWS\system32\gaopdxooqoewnd.dll	Object is locked	
2011/04/26 18:33:43	Detected: Packed.Win32.TDSS.a	C:\WINDOWS\system32\gaopdxooqoewnd.dll		
2011/04/26 18:33:36	Will be deleted on system restart: Packed.Win32.TDSS.y	C:\WINDOWS\system32\UACrwtahohslybhbpchm.dll		
2011/04/26 18:33:36	Cannot be deleted: Packed.Win32.TDSS.y	C:\WINDOWS\system32\UACrwtahohslybhbpchm.dll	Object is locked	
2011/04/26 18:33:31	Detected: Packed.Win32.TDSS.y	C:\WINDOWS\system32\UACrwtahohslybhbpchm.dll		
2011/04/26 18:33:30	Will be deleted on system restart: Trojan.Win32.TDSS.anrc	C:\WINDOWS\system32\UACqgixudjvopotfuorj.dll		
2011/04/26 18:33:30	Cannot be deleted: Trojan.Win32.TDSS.anrc	C:\WINDOWS\system32\UACqgixudjvopotfuorj.dll	Object is locked	
2011/04/26 18:33:25	Detected: Trojan.Win32.TDSS.anrc	C:\WINDOWS\system32\UACqgixudjvopotfuorj.dll		
2011/04/26 18:33:23	Will be deleted on system restart: Trojan.Win32.TDSS.anre	C:\WINDOWS\system32\UACouvloestashwsessl.dll		
2011/04/26 18:33:23	Cannot be deleted: Trojan.Win32.TDSS.anre	C:\WINDOWS\system32\UACouvloestashwsessl.dll	Object is locked	
2011/04/26 18:33:09	Detected: Trojan.Win32.TDSS.anre	C:\WINDOWS\system32\UACouvloestashwsessl.dll		
2011/04/26 18:33:09	Will be deleted on system restart: Packed.Win32.TDSS.y	C:\WINDOWS\system32\UACmeqpujxjxjvryktga.dll		
2011/04/26 18:33:09	Cannot be deleted: Packed.Win32.TDSS.y	C:\WINDOWS\system32\UACmeqpujxjxjvryktga.dll	Object is locked	
2011/04/26 18:32:38	Detected: Packed.Win32.TDSS.y	C:\WINDOWS\system32\UACmeqpujxjxjvryktga.dll		
2011/04/26 18:30:33	Task started			
Autoscan: completed <1 minute ago   (events: 12, objects: 4046, time: 00:02:10)	
2011/04/26 18:41:30	Task completed			
2011/04/26 18:41:09	Untreated: Packed.Win32.TDSS.a	c:\WINDOWS\system32\gaopdxooqoewnd.dll	Postponed	
2011/04/26 18:41:09	Detected: Packed.Win32.TDSS.a	c:\WINDOWS\system32\gaopdxooqoewnd.dll		
2011/04/26 18:41:05	Untreated: Packed.Win32.TDSS.y	c:\WINDOWS\system32\UACrwtahohslybhbpchm.dll	Postponed	
2011/04/26 18:41:05	Detected: Packed.Win32.TDSS.y	c:\WINDOWS\system32\UACrwtahohslybhbpchm.dll		
2011/04/26 18:41:05	Untreated: Trojan.Win32.TDSS.anrc	c:\WINDOWS\system32\UACqgixudjvopotfuorj.dll	Postponed	
2011/04/26 18:41:05	Detected: Trojan.Win32.TDSS.anrc	c:\WINDOWS\system32\UACqgixudjvopotfuorj.dll		
2011/04/26 18:41:05	Untreated: Trojan.Win32.TDSS.anre	c:\WINDOWS\system32\UACouvloestashwsessl.dll	Postponed	
2011/04/26 18:41:05	Detected: Trojan.Win32.TDSS.anre	c:\WINDOWS\system32\UACouvloestashwsessl.dll		
2011/04/26 18:41:04	Untreated: Packed.Win32.TDSS.y	c:\WINDOWS\system32\UACmeqpujxjxjvryktga.dll	Postponed	
2011/04/26 18:41:04	Detected: Packed.Win32.TDSS.y	c:\WINDOWS\system32\UACmeqpujxjxjvryktga.dll		
2011/04/26 18:39:20	Task started			

Attached Files


  • 0

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes, allow it to delete them - if it should fail:

  • Re-run AVPTool
  • Select the Manual Disinfection tab
  • Where it states Step 3, paste in the following disinfection script and press Execute

    begin
    SetAVZPMStatus(True);
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    BC_DeleteFile('C:\WINDOWS\system32\drivers\UACnsqthxvmppwbuhtkb.sys');
    BC_DeleteFile('c:\WINDOWS\system32\UACmeqpujxjxjvryktga.dll');
    BC_DeleteFile('c:\WINDOWS\system32\UACouvloestashwsessl.dll');
    BC_DeleteFile('c:\WINDOWS\system32\UACqgixudjvopotfuorj.dll');
    BC_DeleteFile('C:\WINDOWS\system32\UACrwtahohslybhbpchm.dll');
    BC_DeleteFile('C:\WINDOWS\system32\gaopdxooqoewnd.dll');
    BC_DeleteFile('C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.
  • Your system will reboot on completion, if it does not please do so yourself
  • On completion please run another analysis scan and attach the zip file

  • 0
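An added example, not part of the thread and not Essexboy's or AVPTool's code: a small Python parser for the tab-separated AVPTool event log pasted in post #14 that collects the objects the scan only deferred or failed on (merging the C:\ and c:\ spellings of the same path) and renders them as BC_DeleteFile lines like those in the script above. The embedded sample log is constructed from a subset of the thread's own entries, and the function names are mine.

```python
# Added example (not the thread's or AVPTool's code): parse AVPTool's
# tab-separated event log and list what the scan only deferred or failed on.
SAMPLE_LOG = (  # constructed from a subset of the log lines pasted in the thread
    "Autoscan: completed 7 minutes ago   (events: 17, objects: 3984, time: 00:03:58)\t\n"
    "2011/04/26 18:33:47\tWill be deleted on system restart: Packed.Win32.TDSS.a\tC:\\WINDOWS\\system32\\gaopdxooqoewnd.dll\t\t\n"
    "2011/04/26 18:33:47\tCannot be deleted: Packed.Win32.TDSS.a\tC:\\WINDOWS\\system32\\gaopdxooqoewnd.dll\tObject is locked\t\n"
    "2011/04/26 18:33:43\tDetected: Packed.Win32.TDSS.a\tC:\\WINDOWS\\system32\\gaopdxooqoewnd.dll\t\t\n"
    "2011/04/26 18:16:07\tWill be deleted on system restart: Rootkit.Win32.Agent.moy\tC:\\WINDOWS\\system32\\drivers\\UACnsqthxvmppwbuhtkb.sys\t\t\n"
    "2011/04/26 18:14:03\tDisinfected: MEM:Rootkit.Win32.TDSS.a\tSystem Memory\t\t\n"
    "2011/04/26 17:39:29\tDeleted: Trojan.Win32.Inject.afhr\tC:\\WINDOWS\\system32\\wbem\\proquota.exe\t\t\n"
    "2011/04/26 18:41:09\tUntreated: Packed.Win32.TDSS.a\tc:\\WINDOWS\\system32\\gaopdxooqoewnd.dll\tPostponed\t\n"
    "2011/04/26 18:41:05\tUntreated: Packed.Win32.TDSS.y\tc:\\WINDOWS\\system32\\UACrwtahohslybhbpchm.dll\tPostponed\t\n"
    "2011/04/26 18:39:20\tTask started\t\t\t\n"
)

# Actions after which the object is still present on disk.
PENDING = {"Will be deleted on system restart", "Cannot be deleted", "Untreated"}


def parse_events(text):
    """Return (action, verdict, object, note) for each timestamped event line;
    summary lines and 'Task started/completed' lines carry no verdict and are skipped."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < 3 or not parts[0][:4].isdigit():
            continue
        action, sep, verdict = parts[1].partition(": ")
        if not sep:
            continue
        note = parts[3] if len(parts) > 3 else ""
        events.append((action, verdict, parts[2], note))
    return events

def unresolved_files(events):
    """Map lower-cased path -> (path, verdict, actions) for files that were only
    deferred or locked and never reported Deleted; the log mixes C:\\ and c:\\."""
    pending, deleted = {}, set()
    for action, verdict, obj, note in events:
        if obj == "System Memory":
            continue  # in-memory detections are not files to delete
        key = obj.lower()
        if action == "Deleted":
            deleted.add(key)
        elif action in PENDING:
            entry = pending.setdefault(key, (obj, verdict, set()))
            entry[2].add(f"{action} ({note})" if note else action)
    return {k: v for k, v in pending.items() if k not in deleted}

def avz_delete_lines(unresolved):
    """Render one BC_DeleteFile line per path, in the form used in the thread.
    strip() matters: whitespace inside the quotes would name a different file."""
    return [f"BC_DeleteFile('{obj.strip()}');"
            for obj, _, _ in sorted(unresolved.values(), key=lambda v: v[0].lower())]
```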





