Security Tool 2010 - Infected on Windows XP Home Edition SP3



Post by MBanks on 15th September 2010, 4:29 am

Hi,
I've been trying for a couple of days to sort this out before I found this forum. Prior to finding this forum and running OTL, I had tried:

- Running RKill to stop the main program pop-up.... that didn't work.

- Ran MBAM in normal mode, which found some infected files and removed them. This was early days with the problem, so I thought it had worked.... booted back up and, lo and behold, it was still there.

- Loaded up in normal mode, opened Task Manager straight away, noted down the random string of numbers which was the program running, and stopped the program running. Found the folder containing the program, deleted it and emptied the Recycle Bin.

- Booted up in Safe Mode and ran Combofix.... which found loads of infected files and did its thing, which I believe was to delete the infected files and restore them.

- After Combofix, booted up in normal mode... the main program doesn't load up anymore; however, I still can't run any programs or do a System Restore to prior to having the infection.


So, now I've found this forum, downloaded and ran OTL off a USB key on the infected computer, and here are the log file and the Extras file...

LOG:

OTL logfile created on: 15/09/2010 05:03:44 - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = F:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 794.00 Mb Available Physical Memory | 78.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 1.76 Gb Free Space | 4.40% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 0.79 Gb Free Space | 2.29% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 14.92 Gb Total Space | 1.05 Gb Free Space | 7.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARTLIN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- F:\OTL.com
PRC - [2009/03/25 17:25:20 | 000,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/03/25 17:25:20 | 000,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/03/19 11:42:02 | 000,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- F:\OTL.com
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\pleasework329596p\PEV.cfx -- (PEVSystemStart)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/04/01 14:21:30 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/03/25 17:25:20 | 000,797,864 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/03/25 11:05:48 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/03/24 00:03:18 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/03/19 11:42:02 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/01/09 13:05:26 | 000,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/01/09 11:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/01/09 09:22:10 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/01/09 08:06:52 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2008/07/23 18:52:06 | 000,206,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/01/05 03:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\epfwtdir.sys -- (epfwtdir)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\easdrv.sys -- (easdrv)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\eamon.sys -- (eamon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/05/23 00:08:32 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
DRV - [2009/03/25 11:06:30 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/03/25 11:06:28 | 000,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/03/25 11:06:28 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/03/25 11:06:28 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/03/25 11:05:54 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/02/17 18:11:30 | 000,024,232 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2008/10/23 13:08:54 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/08/12 10:30:54 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/07/16 11:52:00 | 004,747,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/14 07:12:06 | 000,025,088 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/04/14 13:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/12 03:37:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/07/27 04:00:38 | 000,011,264 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2007/05/03 12:00:58 | 000,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/10/10 23:24:00 | 001,181,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/03/03 01:28:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0FED6A9D-2712-4322-8209-E040FCB5E084}: C:\Documents and Settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084}
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/12 16:25:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/10 06:03:36 | 000,000,000 | ---D | M]

[2010/09/12 02:29:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/11/10 19:21:00 | 001,499,136 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2009/08/22 05:00:30 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/22 05:00:30 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/22 05:00:30 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/22 05:00:30 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/09/14 09:15:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (IEButton Class) - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Save Flash) - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll (TODO: )
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe ()
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [ocernwasxm.tmp] C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp File not found
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe File not found
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKLM..\Run: [Wmimefameteq] C:\WINDOWS\onuyohuy.DLL File not found
O4 - HKLM..\Run: [wupdate] C:\WINDOWS\System32\wupdate.exe File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\lspnuj.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/05 02:52:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Alcmtr - hkey= - key= - C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: AlcWzrd - hkey= - key= - C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
MsConfig - StartUpReg: SoundMan - hkey= - key= - C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - C:\pleasework329596p\PEV.cfx File not found
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: MpfService - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - C:\pleasework329596p\PEV.cfx File not found
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/09/14 09:08:41 | 000,000,000 | ---D | C] -- C:\pleasework329596p
[2010/09/14 08:37:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 08:36:25 | 000,000,000 | ---D | C] -- C:\pleasework3
[2010/09/14 08:35:59 | 004,614,888 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2010/09/14 08:25:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 08:25:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 08:25:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 08:25:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 08:25:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 08:25:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 07:34:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/09/14 07:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/14 07:33:41 | 006,084,416 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Administrator\Desktop\HitmanPro35.exe
[2010/09/14 05:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 03:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/09/14 03:02:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/14 03:02:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/14 03:02:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/14 03:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/14 03:01:46 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/09/14 03:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/09/14 03:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2010/09/14 03:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2010/09/14 03:00:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Desktop\StarOffice 8
[2010/09/14 03:00:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/09/14 03:00:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Cookies
[2010/09/14 03:00:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/09/14 03:00:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2010/09/14 03:00:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/09/14 03:00:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/09/14 02:56:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/09/13 01:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/09/11 12:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\Convar
[2008/07/05 03:55:03 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\U1 Setup.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/15 05:06:30 | 000,841,216 | ---- | M] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/09/15 04:30:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/15 04:29:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/15 04:29:16 | 000,020,589 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/09/15 04:29:16 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2010/09/15 04:25:16 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/15 04:12:57 | 000,002,838 | ---- | M] () -- C:\WINDOWS\uyevuladiwoxewof.dll
[2010/09/15 04:10:46 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/14 15:35:26 | 004,614,888 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2010/09/14 14:49:56 | 003,844,155 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\pleasework3.exe
[2010/09/14 14:26:38 | 006,084,416 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Administrator\Desktop\HitmanPro35.exe
[2010/09/14 09:19:31 | 004,959,888 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/09/14 09:15:54 | 000,000,284 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/14 09:15:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/14 08:37:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/14 08:12:43 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/14 08:12:43 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/09/14 04:47:48 | 000,002,838 | ---- | M] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/14 03:59:51 | 000,000,370 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\fix.inf
[2010/09/14 03:45:05 | 000,000,354 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\fix.reg
[2010/09/14 03:02:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/14 03:01:40 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/09/14 02:48:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 11:27:42 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/09/13 11:26:24 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/09/08 12:50:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/15 04:29:16 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2010/09/15 04:12:57 | 000,002,838 | ---- | C] () -- C:\WINDOWS\uyevuladiwoxewof.dll
[2010/09/14 08:37:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/14 08:37:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 08:34:25 | 003,844,155 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\pleasework3.exe
[2010/09/14 08:25:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 08:25:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 08:25:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 08:25:41 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 08:25:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 03:59:51 | 000,000,370 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\fix.inf
[2010/09/14 03:53:58 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/09/14 03:45:05 | 000,000,354 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\fix.reg
[2010/09/14 03:02:20 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/14 03:00:48 | 000,001,845 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Live Mail.lnk
[2010/09/14 03:00:48 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/14 03:00:48 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2010/09/14 03:00:47 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/09/14 03:00:42 | 000,303,104 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2010/09/14 03:00:42 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/09/14 03:00:41 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/13 01:43:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 01:43:48 | 000,002,838 | ---- | C] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/13 01:42:14 | 000,841,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2009/05/15 13:17:11 | 000,749,568 | ---- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2009/05/15 13:17:09 | 011,194,368 | ---- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2009/02/17 18:11:30 | 000,024,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\ElbyCDIO.sys
[2009/01/04 22:25:29 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/07/05 04:34:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/05 03:37:44 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/05 03:37:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/05 03:37:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/05 03:37:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/05 02:59:40 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2008/07/03 05:32:06 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/07/03 05:31:59 | 000,078,336 | ---- | C] () -- C:\WINDOWS\wimgxft.dll
[2008/03/17 23:54:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/09/15 05:07:30 | 000,841,216 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\lggtctm.sys

< %systemroot%\System32\config\*.sav >
[2008/07/04 19:43:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/07/04 19:43:57 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/07/04 19:43:57 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2008/04/14 13:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2008/04/14 13:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2008/04/14 13:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2008/04/14 13:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2008/04/14 13:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2008/04/14 13:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2008/04/14 13:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2008/04/14 13:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2008/04/14 13:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2008/04/14 13:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2008/04/14 13:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2008/04/14 13:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2008/04/14 13:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2008/04/14 13:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2008/04/14 13:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/14 13:00:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/04/17 13:26:40 | 001,847,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2008/07/05 03:02:43 | 000,000,157 | ---- | M] () -- C:\AsusUpdate.log
[2008/07/05 02:52:33 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/12/26 03:00:19 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/09/14 08:37:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/09/14 09:17:53 | 000,010,888 | ---- | M] () -- C:\ComboFix.txt
[2008/07/05 02:52:33 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/07/05 02:52:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/07/05 02:52:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 13:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/15 04:30:09 | 1595,932,672 | -HS- | M] () -- C:\pagefile.sys
[2008/07/05 02:59:24 | 000,000,522 | ---- | M] () -- C:\RHDSetup.log
[2010/09/14 03:55:32 | 000,000,408 | ---- | M] () -- C:\rkill.log

< %PROGRAMFILES%\*. >
[2010/03/05 04:45:02 | 000,000,000 | ---D | M] -- C:\Program Files\7-Zip
[2010/08/02 08:30:14 | 000,000,000 | ---D | M] -- C:\Program Files\Ableton
[2009/11/10 16:09:05 | 000,000,000 | ---D | M] -- C:\Program Files\Acoustic Labs Multitrack Recorder (Demo)
[2010/04/08 04:51:09 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2008/12/25 17:00:22 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/05/02 05:59:13 | 000,000,000 | ---D | M] -- C:\Program Files\Aptana
[2008/07/05 03:02:51 | 000,000,000 | ---D | M] -- C:\Program Files\Asus
[2010/07/10 05:55:44 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/05/15 13:13:07 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2010/09/14 09:13:14 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/07/05 02:49:56 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/09/11 12:14:59 | 000,000,000 | ---D | M] -- C:\Program Files\Convar
[2008/12/25 12:28:41 | 000,000,000 | ---D | M] -- C:\Program Files\ECAP
[2008/12/25 12:30:24 | 000,000,000 | ---D | M] -- C:\Program Files\Eee Storage
[2008/07/05 03:00:28 | 000,000,000 | ---D | M] -- C:\Program Files\EeePC
[2009/07/27 14:46:05 | 000,000,000 | ---D | M] -- C:\Program Files\Elaborate Bytes
[2008/12/25 12:28:11 | 000,000,000 | ---D | M] -- C:\Program Files\Elantech
[2008/12/25 12:29:52 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2010/01/11 11:10:37 | 000,000,000 | ---D | M] -- C:\Program Files\Flash Movie Player
[2009/12/27 05:33:41 | 000,000,000 | ---D | M] -- C:\Program Files\FLV Player
[2010/08/02 05:46:48 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/05/15 13:16:53 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2010/09/14 07:34:09 | 000,000,000 | ---D | M] -- C:\Program Files\Hitman Pro 3.5
[2009/10/17 01:36:48 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/07/05 02:59:32 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2009/11/08 05:53:07 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2008/07/05 03:37:38 | 000,000,000 | ---D | M] -- C:\Program Files\InterVideo
[2010/07/10 06:07:01 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/07/10 06:09:04 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/02/08 10:19:46 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/09/26 04:59:22 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2009/11/29 10:24:01 | 000,000,000 | ---D | M] -- C:\Program Files\Kreatives.org
[2009/04/22 21:14:33 | 000,000,000 | ---D | M] -- C:\Program Files\LizardTech
[2010/09/15 04:36:23 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/15 09:19:26 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee
[2009/04/12 22:27:32 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee.com
[2010/08/02 01:18:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mediafour
[2009/11/10 10:03:33 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/08 05:44:29 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2008/07/05 02:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2008/07/05 03:10:00 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/11/10 10:39:59 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2008/07/05 03:07:56 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009/11/08 05:50:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Sync Framework
[2009/11/10 10:00:46 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2008/07/05 02:50:26 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/09/13 02:00:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2008/07/05 02:49:00 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/07/25 15:37:40 | 000,000,000 | ---D | M] -- C:\Program Files\Music Rescue
[2008/07/05 02:50:31 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/07/05 02:50:45 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/09/26 04:59:19 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2009/11/09 08:56:03 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/03/07 16:55:05 | 000,000,000 | ---D | M] -- C:\Program Files\Project64 1.6
[2010/07/10 06:03:34 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/07/27 15:12:35 | 000,000,000 | ---D | M] -- C:\Program Files\RarZilla Free Unrar
[2009/03/06 22:46:10 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2008/12/25 12:26:03 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2010/01/11 11:02:07 | 000,000,000 | ---D | M] -- C:\Program Files\Save Flash
[2009/11/14 06:43:58 | 000,000,000 | ---D | M] -- C:\Program Files\ScummVM
[2009/04/12 22:33:17 | 000,000,000 | ---D | M] -- C:\Program Files\SiteAdvisor
[2008/07/05 03:55:00 | 000,000,000 | ---D | M] -- C:\Program Files\Skype
[2009/07/19 18:26:48 | 000,000,000 | ---D | M] -- C:\Program Files\Spotify
[2010/07/30 13:54:30 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2008/07/05 03:39:55 | 000,000,000 | ---D | M] -- C:\Program Files\Sun
[2010/09/13 01:11:10 | 000,000,000 | ---D | M] -- C:\Program Files\Telstra Turbo Connection Manager
[2009/07/27 15:26:53 | 000,000,000 | ---D | M] -- C:\Program Files\The Rosetta Stone
[2010/01/30 04:41:19 | 000,000,000 | ---D | M] -- C:\Program Files\UnH Solutions
[2008/07/05 02:55:55 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/07/27 15:09:59 | 000,000,000 | ---D | M] -- C:\Program Files\UnRar for Windows
[2008/12/25 14:07:09 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2009/11/08 05:58:34 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/11/08 05:43:52 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2008/07/05 02:52:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/07/05 02:48:58 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/07/05 02:50:49 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010/07/25 15:35:44 | 000,000,000 | ---D | M] -- C:\Program Files\WindSolutions
[2010/02/01 11:14:58 | 000,000,000 | ---D | M] -- C:\Program Files\WinHTTrack
[2008/07/05 02:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/11/14 10:55:20 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< %appdata%\*.* >
[2008/07/04 19:44:51 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:atapi.sys
[2008/04/14 13:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 13:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:disk.sys
[2008/04/14 13:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:usbstor.sys
[2008/04/14 13:00:00 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-11-10 09:04:18

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

So that's the log file and it looks like the Extras file will have to be posted separately....

MBanks (Intermediate) | Posts: 92 | Joined: 2010-09-15 | OS: Windows XP Home Edition SP3

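Added example for this thread (not part of the poster's logs, not OTL code): a small Python triage script that reads OTL file, Alternate Data Stream and registry lines of the kind shown in the log above and in the Extras output posted next, and builds a work list of the indicators an analyst would chase first. The rules are the editor's own heuristics: a .sys under a drivers\ folder with no company name, a file OTL could not hash ("Unable to obtain MD5"), a file with no company name dropped directly into C:\WINDOWS, any ADS entry, and the two registry values a rogue AV typically sets ("DisableSR" = 1, "DisableMonitoring" = 1). Flagged files are then grouped by creation time, because the rogue's components are usually written within a minute or two of each other. The sample input is copied verbatim from the logs in this thread; nothing else is assumed.

```python
"""Triage helper for OTL log lines. Added example; the rules are assumptions, not OTL's."""
import re
from datetime import datetime, timedelta

# Sample input: lines copied verbatim from the OTL and Extras output in this thread.
SAMPLE_LOG = r"""
[2010/09/15 05:06:30 | 000,841,216 | ---- | M] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/09/15 04:12:57 | 000,002,838 | ---- | M] () -- C:\WINDOWS\uyevuladiwoxewof.dll
[2010/09/14 03:02:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/14 08:25:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/13 01:43:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 01:43:48 | 000,002,838 | ---- | C] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/13 01:42:14 | 000,841,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/09/15 05:07:30 | 000,841,216 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\lggtctm.sys
[2008/04/14 13:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
"DisableSR" = 1
"DisableMonitoring" = 1
"EnableFirewall" = 1
"""

# OTL file line: [timestamp | size | attrs | C/M] (Company) [MD5=...] [Unable to obtain MD5] -- path
FILE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| '
    r'(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] '
    r'(?:\((?P<company>[^)]*)\) )?'
    r'(?:MD5=(?P<md5>[0-9A-Fa-f]{32}) )?'
    r'(?P<nomd5>Unable to obtain MD5 )?'
    r'-- (?P<path>.+)$'
)
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$')
REG_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.+)$')

# Registry settings worth flagging at these values (assumed list for this example).
SUSPICIOUS_REG = {("DisableSR", "1"), ("DisableMonitoring", "1")}


def parse_line(line):
    """Return a dict describing one OTL line, or None if it is not a recognised record."""
    m = FILE_RE.match(line)
    if m:
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
        d["size"] = int(d["size"].replace(",", ""))
        d["company"] = (d["company"] or "").strip()
        d["nomd5"] = bool(d["nomd5"])
        d["type"] = "file"
        return d
    m = ADS_RE.match(line)
    if m:
        return {"type": "ads", "path": m["path"], "bytes": int(m["bytes"])}
    m = REG_RE.match(line)
    if m:
        return {"type": "reg", "name": m["name"], "value": m["value"].strip()}
    return None


def file_flags(rec):
    """Heuristic flags for one file record (editor's assumptions, see lead-in)."""
    path = rec["path"].lower()
    parts = path.split("\\")
    flags = []
    if path.endswith(".sys") and "\\drivers\\" in path and not rec["company"]:
        flags.append("driver-without-company")
    if rec["nomd5"]:
        flags.append("unhashable")
    # A file sitting directly in C:\WINDOWS (no subfolder) with no company name.
    if len(parts) == 3 and parts[1] == "windows" and not rec["company"]:
        flags.append("windir-drop")
    return flags


def triage(text):
    """Scan OTL text and return a list of findings: {path, ts, flags}."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        if rec["type"] == "file":
            flags = file_flags(rec)
            if flags:
                findings.append({"path": rec["path"], "ts": rec["ts"], "flags": flags})
        elif rec["type"] == "ads":
            findings.append({"path": rec["path"], "ts": None, "flags": ["ads"]})
        elif rec["type"] == "reg" and (rec["name"], rec["value"]) in SUSPICIOUS_REG:
            findings.append({"path": rec["name"], "ts": None, "flags": ["reg-tamper"]})
    return findings


def clusters(findings, window=timedelta(minutes=2)):
    """Group flagged files (one entry per path, earliest timestamp) created within `window` of each other."""
    earliest = {}
    for f in findings:
        if f["ts"] is None:
            continue
        key = f["path"].lower()
        if key not in earliest or f["ts"] < earliest[key]["ts"]:
            earliest[key] = f
    groups = []
    for f in sorted(earliest.values(), key=lambda x: x["ts"]):
        if groups and f["ts"] - groups[-1][-1]["ts"] <= window:
            groups[-1].append(f)
        else:
            groups.append([f])
    return [g for g in groups if len(g) > 1]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["flags"], f["path"])
    for group in clusters(found):
        print("cluster:", [g["path"] for g in group])
```

On the sample above the only multi-file cluster is the three files written between 01:42 and 01:44 on 2010/09/13 (lggtctm.sys, Ojefuyag.dat, Qtuweqetalaj.bin), which matches the files the log shows with no company name, no obtainable hash and a one-byte-different naming pattern. The output is a work list, not a verdict: PEV.exe is flagged as well, although it and the other 08:25:41 files (sed.exe, grep.exe, MBR.exe, zip.exe) were created in the same minute as the ComboFix run the poster describes and are that tool's own helpers.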
Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 15th September 2010, 4:37 am

OK, so here's the text from the Extras file it created:

OTL Extras logfile created on: 15/09/2010 05:03:44 - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = F:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 794.00 Mb Available Physical Memory | 78.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 1.76 Gb Free Space | 4.40% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 0.79 Gb Free Space | 2.29% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 14.92 Gb Total Space | 1.05 Gb Free Space | 7.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARTLIN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.js [@ = JSFile] -- C:\Program Files\Aptana\Aptana Studio 2.0\AptanaStudio.exe ()

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
jsfile [open] -- "C:\Program Files\Aptana\Aptana Studio 2.0\AptanaStudio.exe" "%1" ()
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0990B5DF-92C3-4AD6-A18D-BF3ADF311240}" = Super Hybrid Engine
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 17
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3364BD16-5A28-4862-86A1-A8FF5FD23919}" = Music Rescue
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C52CED3-D45C-4DA9-932F-B91BD44BB461}" = Adabas D 13.01.00
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E4DAE31-7CF3-441A-B6E5-B014D63C80CD}" = Eee Instant Key
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{85E3CFBC-9B1B-470C-AF72-54EACA0F1322}" = ECAP
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Telstra Turbo Connection Manager
"{9510AB97-A36C-4352-8725-E72E5528FA1B}" = StarOffice 8 ASUS Edition
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9811A185-3D3D-11D6-9E14-00036D172B00}" = Adobe MPEG Encoder
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DEB6ACEB-C418-4880-9133-1C5EB9AFBC79}" = Eee Storage
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"7-Zip" = 7-Zip 4.65
"Ableton Live_is1" = Ableton Live v6.0.3
"Acoustic Labs Multitrack Recorder (Demo)" = Acoustic Labs Multitrack Recorder (Demo)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Premiere 6.5" = Adobe Premiere 6.5
"Aptana Studio 2.0" = Aptana Studio 2.0
"CopyTrans Suite" = CopyTrans Suite Remove Only
"Elantech" = ETDWare PS/2-x86 7.0.3.7 WHQL
"Flash Movie Player" = Flash Movie Player 1.5
"Flash Saving Plugin" = Flash Saving Plugin
"FLV Player" = FLV Player 2.0 (build 25)
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"KRISTAL Audio Engine" = KRISTAL Audio Engine
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSC" = McAfee SecurityCenter
"RarZilla Free Unrar 2.53" = RarZilla Free Unrar 2.53
"RNCompiler 6.0" = Advanced RealMedia Export Plug-in for Premiere 6.0
"Save Flash" = Save Flash 4.1
"ScummVM_is1" = ScummVM 1.0.0rc1
"Spotify" = Spotify
"The Rosetta Stone" = The Rosetta Stone
"uneavset" = ESET NOD32 register program
"UnRAR for Windows" = UnRAR for Windows
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 0.9.8a
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-9
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14/09/2010 23:32:19 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 14/09/2010 23:32:19 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:32:20 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:32:20 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:45:34 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 14/09/2010 23:45:34 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

[ System Events ]
Error - 14/09/2010 23:23:43 | Computer Name = MARTLIN | Source = DCOM | ID = 10010
Description = The server {B1DBD568-80B2-43FA-AE07-76FB23AA4650} did not register
with DCOM within the required timeout.

Error - 14/09/2010 23:32:03 | Computer Name = MARTLIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
easdrv ElbyCDIO epfwtdir Fips intelppm mfehidk

Error - 14/09/2010 23:32:38 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14/09/2010 23:32:44 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 14/09/2010 23:32:48 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 14/09/2010 23:34:04 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 14/09/2010 23:54:04 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 14/09/2010 23:54:41 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 15/09/2010 00:03:59 | Computer Name = MARTLIN | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 15/09/2010 00:03:59 | Computer Name = MARTLIN | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >


Hopefully someone can help me get rid of the last few security warnings that come up, and also help me getting it back to normal.

A couple of last things I remember: now when I boot up the computer in normal mode, it also comes up with a dialog box headed RUNDLL saying:

"Error Loading C:\Windows\onuyohuy.dll The Specified Module Can't Be Found"

I also tried running the Spyware Doctor, but I couldn't run that as I couldn't get the infected computer online, which was also the same problem I had when trying to run HitmanPro.

The infected computer is an EEEPC with no CD drive and it came with Windows installed on it already. I am currently travelling in the North West of Australia so getting to find someone who can fix this is pretty slim, however I am somewhere with an internet cafe for the next few days so I am hoping to be able to fix it all before I leave!


I really hope someone can help. Thanks in advance, you'll be a lifesaver!

Regards,
Martin

MBanks
Intermediate

Posts : 92
Joined : 2010-09-15
OS : Windows XP Home Edition SP3
Points : 24094
# Likes : 0

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 16th September 2010, 12:11 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34917
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245080
# Likes : 1

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 16th September 2010, 6:41 am

Hi, thanks so much for replying so quickly.

I downloaded direct from your link, and tried installing MBAM in normal mode, which went fine until I clicked 'OK' after checking the update and launch boxes as you said. The installation then failed and a dialog box from Windows Security Alert appeared saying that MBAM.exe was infected and could not be opened. (We get this same dialog box for any program - Notepad, Control Panel etc.)

I then tried the process again, this time installing MBAM onto the USB key, and the same thing happened.

So I restarted the computer to try again in safe mode. I have no access to a LAN cable to allow the update during installation, however I proceeded with the installation. It installed and I ran the scan, and below is the log it created:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

16/09/2010 06:23:11
mbam-log-2010-09-16 (06-23-11).txt

Scan type: Quick scan
Objects scanned: 119494
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
As you can see, it found no infected/malicious/suspicious items. However there is obviously still something dodgy going on, as we can't run any programs.

When we were first dealing with this problem, we ran MBAM in safe mode and it found some infected/malicious files and cleared them up. Below is the log from that scan:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

14/09/2010 03:11:59
mbam-log-2010-09-14 (03-11-59).txt

Scan type: Quick scan
Objects scanned: 123943
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7514f068-ed81-41a6-9c42-c5bcf9dfd13e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7514f068-ed81-41a6-9c42-c5bcf9dfd13e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Web\.COMMgr\complmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\sroxmnecaw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
After quarantining/deleting these files, we're still having problems, hence our other efforts with Combofix, OTL etc etc...

The current status of the laptop is:
- it doesn't allow us to open programs;
- Windows Security Alert pops up every time I try to open anything, and tells me it's infected;
- when I boot up the computer in normal mode it also comes up with a dialog box headed RUNDLL saying "Error Loading C:\Windows\onuyohuy.dll The Specified Module Can't Be Found";
- another Windows Security Alert graphical window opens saying something like "the computer is infected, would you like to protect now or stay unprotected?"

Feels like I'm getting closer to the solution, but there's a massive brick wall in the way! If you can shed any more light, I'd appreciate it so much.
I really need this to be fixed before I move on, and I really need to move on soon!
Thanks again, hope you can help further
Martin


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 16th September 2010, 4:59 pm

Hello.

  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools -> Options -> Main tab
       * Set to "Always ask me where to save the files".
    2. During the download, rename ComboFix to Combo-Fix as follows:
       (screenshot not available in this copy of the post)
    3. It is important you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.

    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
    The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 17th September 2010, 3:09 am

Hi, thanks again for replying so quickly, I really hope you'll be able to reply just as quickly today as I am needing to leave my current location tomorrow.

I had to run the above in safe mode, as normal mode would start to open Combo-Fix.exe and then close it, and bring up a dialog box saying that it was infected and asking did I want to open my virus software.

I did exactly what you said, and after (approximately) the 5th completed task in the scan, a Windows error message appeared for PEV.exe. I didn't click on Send or Don't Send, but after a while the box just disappeared from the screen. ComboFix was still scanning throughout all this.

The ComboFix scan completed and the log popped up... here it is:

ComboFix 10-09-16.04 - Administrator 17/09/2010 3:45.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.712 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\awatahixowetohe.dll
c:\windows\igubovid.dll
c:\windows\uhupavidifex.dll
c:\windows\uyevuladiwoxewof.dll

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 02:20 . 2010-09-17 02:20 -------- d-----w- c:\windows\LastGood
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-14 04:14 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2010-09-14 04:13 . 2010-09-14 06:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:56 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-13 00:43 . 2010-09-14 01:48 0 ----a-w- c:\windows\Qtuweqetalaj.bin
2010-09-13 00:43 . 2010-09-14 03:47 2838 ----a-w- c:\windows\Ojefuyag.dat
2010-09-13 00:42 . 2010-09-17 02:51 841216 ----a-w- c:\windows\system32\drivers\lggtctm.sys
2010-09-11 11:14 . 2010-09-11 11:14 -------- d-----w- c:\program files\Convar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 02:21 . 2010-09-14 02:00 60464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-14 02:01 . 2010-09-14 02:00 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-09-13 00:11 . 2009-10-17 00:36 -------- d-----w- c:\program files\Telstra Turbo Connection Manager
2010-08-23 01:36 . 2009-04-12 21:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-08-04 00:11 . 2010-07-21 11:28 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-02 07:30 . 2010-08-02 07:30 -------- d-----w- c:\program files\Ableton
2010-08-02 04:46 . 2009-02-18 21:42 -------- d-----w- c:\program files\Google
2010-08-02 00:18 . 2010-07-10 10:47 -------- d-----w- c:\program files\Mediafour
2010-07-25 14:40 . 2010-07-25 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-07-25 14:37 . 2010-07-25 14:37 -------- d-----w- c:\program files\Music Rescue
2010-07-25 14:35 . 2010-07-25 14:35 -------- d-----w- c:\program files\WindSolutions
2010-07-10 04:53 . 2010-07-10 04:53 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2008-05-07 08:34 . 2008-07-05 02:55 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 858A92ABBFA4395FDEAE9CE8404D0DF5 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . ED8230261CDBB41414A152098A5E1293 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"ocernwasxm.tmp"="c:\docume~1\Web\LOCALS~1\Temp\ocernwasxm.tmp" [BU]
"wupdate"="c:\windows\system32\wupdate.exe" [BU]
"utlegodg"="c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe" [BU]
"aopgomts"="c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe" [BU]
"Wmimefameteq"="c:\windows\onuyohuy.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2008-7-3 389120]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-3 113664]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-7-5 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 10:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=

S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S2 0028831284690044mcinstcleanup;McAfee Application Installer Cleanup (0028831284690044);c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9921256115394;Google Update Service (gupdate1c9921256115394);c:\program files\Google\Update\GoogleUpdate.exe [18/02/2009 22:46 133104]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/10/2009 01:37 7680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0028831284690044MCINSTCLEANUP
*Deregistered* - lggtctm
.
Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-09-17 03:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lggtctm]

.
Completion time: 2010-09-17 03:53:39
ComboFix-quarantined-files.txt 2010-09-17 02:53
ComboFix2.txt 2010-09-14 08:17
ComboFix3.txt 2010-09-14 07:46

Pre-Run: 2,053,500,928 bytes free
Post-Run: 2,046,287,872 bytes free

- - End Of File - - 5D6B2A4CD5AF1018F2C28BFA724C580B

A message indicating that I couldn't run a System Restore in safe mode then popped up. After completing ComboFix, I was unable to shut down the laptop via the Start Menu.

Looking forward to your response, thanks again
Martin


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 17th September 2010, 4:39 am

Out of interest, what time zone are you in? Just wondering so that maybe I can get to a late-night internet cafe to get your posts and action them sooner!

Thanks again
Martin


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 17th September 2010, 1:19 pm

Hello.
I'm in GMT, currently on GMT +1 time because of BST/DST.

Do you have your XP disc?


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 18th September 2010, 3:42 am

Hey there once again,

As mentioned in the first couple of posts, the infected computer is an EEEPC with no CD/DVD drive that came with Windows XP already installed on it.

I'm gathering that that doesn't help.

Any clues from the logs what's wrong with it still, or how to fix it?

Had some car trouble yesterday so won't be leaving here until Tuesday now...waiting for a part to be delivered....so I have a little longer to try and sort this laptop out!



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 18th September 2010, 1:36 pm

Hello.
Yeah, I can see the problem, but the problem is that legit system files are infected by this malware.

There may be backup copies on your machine, but if not, we usually resort to getting a backup from the disc; guess we can't do that though.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    /md5start
    explorer.exe
    winlogon.exe
    /md5stop

  • Return to OTL, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the pink Quick Scan button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 19th September 2010, 8:23 am

Hi,

Managed to use the internet at a hotel today, so I will try your new suggestions later.

I also logged into another user account on the laptop in safe mode and ran MBAM and Combofix... both programs found something. Logs below:

MBAM LOG:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

19/09/2010 04:55:34
mbam-log-2010-09-19 (04-55-34).txt

Scan type: Quick scan
Objects scanned: 126672
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Web\Local Settings\Temp\hjkr1p.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\jkr2hs7fqw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\kqt4n6dlkw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\tpcuqc.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\u3dwyosn.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\zmo0cie0.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.


COMBOFIX LOG:
ComboFix 10-09-16.04 - Web 19/09/2010 5:00.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.807 [GMT 1:00]
Running from: c:\documents and settings\Web\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Web\.COMMgr
c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
c:\windows\atidalosa.dll
c:\windows\eputibof.dll
c:\windows\ulibiyovoxanetix.dll
c:\windows\wimgxft.dll

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-17 12:02 . 2010-09-17 12:02 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2010-09-17 11:51 . 2010-09-17 11:51 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Google
2010-09-17 11:44 . 2010-09-17 12:12 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2010-09-17 02:44 . 2010-09-17 02:53 -------- d-----w- C:\Combo-Fix
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-14 04:14 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2010-09-14 04:13 . 2010-09-14 06:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:56 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-13 00:43 . 2010-09-14 01:48 0 ----a-w- c:\windows\Qtuweqetalaj.bin
2010-09-13 00:43 . 2010-09-14 03:47 2838 ----a-w- c:\windows\Ojefuyag.dat
2010-09-13 00:42 . 2010-09-19 04:08 841216 ----a-w- c:\windows\system32\drivers\lggtctm.sys
2010-09-11 11:14 . 2010-09-11 11:14 -------- d-----w- c:\program files\Convar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 12:12 . 2009-02-07 11:28 60464 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-17 02:21 . 2010-09-14 02:00 60464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-14 02:01 . 2010-09-14 02:00 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-09-13 00:11 . 2009-10-17 00:36 -------- d-----w- c:\program files\Telstra Turbo Connection Manager
2010-08-23 01:36 . 2009-04-12 21:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-08-04 00:11 . 2010-07-21 11:28 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-02 07:30 . 2010-08-02 07:30 -------- d-----w- c:\program files\Ableton
2010-08-02 04:46 . 2009-02-18 21:42 -------- d-----w- c:\program files\Google
2010-08-02 00:18 . 2010-07-10 10:47 -------- d-----w- c:\program files\Mediafour
2010-07-25 14:40 . 2010-07-25 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-07-25 14:37 . 2010-07-25 14:37 -------- d-----w- c:\program files\Music Rescue
2010-07-25 14:35 . 2010-07-25 14:35 -------- d-----w- c:\program files\WindSolutions
2010-07-10 04:53 . 2010-07-10 04:53 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2008-05-07 08:34 . 2008-07-05 02:55 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 858A92ABBFA4395FDEAE9CE8404D0DF5 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . ED8230261CDBB41414A152098A5E1293 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"wupdate"="c:\windows\system32\wupdate.exe" [BU]
"utlegodg"="c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe" [BU]
"aopgomts"="c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe" [BU]
"Wmimefameteq"="c:\windows\onuyohuy.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-3 113664]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-7-5 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 10:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=

S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S2 0028831284690044mcinstcleanup;McAfee Application Installer Cleanup (0028831284690044);c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9921256115394;Google Update Service (gupdate1c9921256115394);c:\program files\Google\Update\GoogleUpdate.exe [18/02/2009 22:46 133104]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/10/2009 01:37 7680]

--- Other Services/Drivers In Memory ---

*Deregistered* - lggtctm
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride =
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
FF - ProfilePath - c:\documents and settings\Web\Application Data\Mozilla\Firefox\Profiles\zirmi4w0.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: XULRunner: {0FED6A9D-2712-4322-8209-E040FCB5E084} - c:\documents and settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKCU-Run-Wcoluj - c:\windows\wimgxft.dll
HKCU-Run-utlegodg - c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
HKCU-Run-aopgomts - c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
HKCU-Run-sdsetup_aff - c:\documents and settings\Web\Desktop\sdsetup_aff.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-09-19 05:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lggtctm]

.
Completion time: 2010-09-19 05:10:25
ComboFix-quarantined-files.txt 2010-09-19 04:10
ComboFix2.txt 2010-09-17 02:53
ComboFix3.txt 2010-09-14 08:17
ComboFix4.txt 2010-09-14 07:46

Pre-Run: 2,011,340,800 bytes free
Post-Run: 2,358,132,736 bytes free

- - End Of File - - F9D228B21C98CAF298F0247ACB869F59


I'll try the OTL thing later and hopefully get online and post the log tomorrow. Thanks so much for all your help!!

Martin


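As an added example (not part of this thread, and not OTL's or ComboFix's own code): a small Python triage script for the OTL log format used in this thread. It flags the patterns the helpers act on in these logs: Run values whose file is already gone (the ORPHANS REMOVED entries in the ComboFix log above), autoruns with no publisher sitting in user-profile or Temp locations, a Winsock LSP entry whose DLL is missing, and Internet Explorer forced through a 127.0.0.1 proxy (the ProxyServer = http=127.0.0.1:6092 line). The sample lines are copied from the logs in this thread; the severity labels and the suspect-location heuristics are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: OTL lines copied from the logs posted in this thread.
SAMPLE_OTL_LOG = r'''
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKLM..\Run: [Flashy Bot] C:\WINDOWS\system32\Flashy.exe ()
O4 - HKLM..\Run: [ocernwasxm.tmp] C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp File not found
O4 - HKCU..\Run: [Wcoluj] C:\WINDOWS\wimgxft.DLL File not found
O4 - Startup: C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\lspnuj.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
'''


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (assumed labels, not OTL's)
    category: str
    item: str       # the Run value name, path or proxy string concerned
    note: str


RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<rest>.*)$')
PROXY_RE = re.compile(r'^IE - HK(?:LM|CU)\\.*Internet Settings: "(?P<key>Proxy\w+)" = (?P<val>.*)$')
LSP_RE = re.compile(r'^O10 - (?P<entry>\S+) \[\] - (?P<rest>.*)$')
TAIL_RE = re.compile(r'^(?P<path>.*) \((?P<company>.*)\)$')

# Locations and extensions a legitimate XP autorun rarely uses (assumed heuristics).
SUSPECT_DIRS = ('\\temp\\', '\\local settings\\application data\\', '\\desktop\\')
SUSPECT_EXTS = ('.pif', '.scr', '.tmp', '.bat', '.com')


def split_tail(rest):
    """Split 'path File not found' or 'path (Publisher)' into (path, publisher, present)."""
    if rest.endswith(' File not found'):
        return rest[:-len(' File not found')], None, False
    m = TAIL_RE.match(rest)
    if m:
        return m.group('path'), m.group('company'), True
    return rest, None, True


def check_autorun(name, rest):
    """Return a Finding for an orphaned or unsigned autorun entry, else None."""
    path, company, present = split_tail(rest)
    low = path.lower()
    if not present:
        return Finding('medium', 'orphaned-autorun', name,
                       'Run value points at a file that no longer exists: ' + path)
    if company == '':
        risky = low.endswith(SUSPECT_EXTS) or any(d in low for d in SUSPECT_DIRS)
        return Finding('high' if risky else 'low', 'unsigned-autorun', name,
                       'no publisher recorded for ' + path)
    return None


def triage_otl(text):
    """Walk OTL log lines and return the list of Findings, in log order."""
    findings, proxy = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            f = check_autorun(m.group('name'), m.group('rest'))
        elif m := STARTUP_RE.match(line):
            # Startup-folder items have no value name; use the file name instead.
            target = split_tail(m.group('rest'))[0].split(' = ')[-1]
            f = check_autorun(target.rsplit('\\', 1)[-1], m.group('rest'))
        elif m := PROXY_RE.match(line):
            proxy[m.group('key')] = m.group('val').strip()
            f = None
        elif m := LSP_RE.match(line):
            path, _, present = split_tail(m.group('rest'))
            f = None if present else Finding(
                'high', 'broken-lsp', path,
                'Winsock LSP DLL missing at ' + m.group('entry')
                + '; networking may fail until the LSP chain is repaired')
        else:
            f = None
        if f:
            findings.append(f)
    # Rogue security software commonly hijacks IE through a proxy on the local machine.
    server = proxy.get('ProxyServer', '')
    if proxy.get('ProxyEnable') == '1' and re.search(r'(127\.0\.0\.1|localhost):\d+', server):
        findings.append(Finding('high', 'loopback-proxy', server,
                                'IE traffic is routed through a proxy on this machine; '
                                'clear ProxyEnable once the malware is gone'))
    return findings


if __name__ == '__main__':
    for f in triage_otl(SAMPLE_OTL_LOG):
        print(f'[{f.severity:6}] {f.category:17} {f.item}: {f.note}')
```

Entries with a real publisher and an existing file, such as AsusTray and the Bonjour LSP, produce no finding, so the output is short enough to read next to the raw log.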

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 19th September 2010, 12:29 pm

Hey,

Here's the log created by OTL:

OTL logfile created on: 19/09/2010 13:15:29 - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Web\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 809.00 Mb Available Physical Memory | 80.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 2.18 Gb Free Space | 5.46% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 0.15 Gb Free Space | 0.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 14.92 Gb Total Space | 0.37 Gb Free Space | 2.48% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARTLIN
Current User Name: Web
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/26 06:33:26 | 000,021,185 | R--- | M] () -- F:\malware software n logs.exe


========== Modules (SafeList) ==========

MOD - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Combo-Fix20529C\PEV.cfx -- (PEVSystemStart)
SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe -- (McShield)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE -- (0028831284690044mcinstcleanup) McAfee Application Installer Cleanup (0028831284690044)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2007/01/05 03:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\epfwtdir.sys -- (epfwtdir)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\easdrv.sys -- (easdrv)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\eamon.sys -- (eamon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Web\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/05/23 00:08:32 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
DRV - [2009/02/17 18:11:30 | 000,024,232 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2008/08/12 10:30:54 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/07/16 11:52:00 | 004,747,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/14 07:12:06 | 000,025,088 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/04/14 13:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/12 03:37:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/07/27 04:00:38 | 000,011,264 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2007/05/03 12:00:58 | 000,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/10/10 23:24:00 | 001,181,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {0FED6A9D-2712-4322-8209-E040FCB5E084}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{0FED6A9D-2712-4322-8209-E040FCB5E084}: C:\Documents and Settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084} [2010/09/13 01:43:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/12 16:25:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/10 06:03:36 | 000,000,000 | ---D | M]

[2008/12/25 14:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Mozilla\Extensions
[2010/08/21 12:03:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Mozilla\Firefox\Profiles\zirmi4w0.default\extensions
[2009/05/02 09:10:09 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Web\Application Data\Mozilla\Firefox\Profiles\zirmi4w0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/09/12 02:29:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/11/10 19:21:00 | 001,499,136 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2009/08/22 05:00:30 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/22 05:00:30 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/22 05:00:30 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/22 05:00:30 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/09/19 05:07:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (IEButton Class) - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Save Flash) - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll (TODO: )
O3 - HKCU\..\Toolbar\WebBrowser: (&Save Flash) - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll (TODO: )
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe ()
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [Flashy Bot] C:\WINDOWS\system32\Flashy.exe ()
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [ocernwasxm.tmp] C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp File not found
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe File not found
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKLM..\Run: [Wmimefameteq] C:\WINDOWS\onuyohuy.DLL File not found
O4 - HKLM..\Run: [wupdate] C:\WINDOWS\System32\wupdate.exe File not found
O4 - HKCU..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKCU..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe File not found
O4 - HKCU..\Run: [sdsetup_aff] C:\Documents and Settings\Web\Desktop\sdsetup_aff.exe File not found
O4 - HKCU..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe File not found
O4 - HKCU..\Run: [Wcoluj] C:\WINDOWS\wimgxft.DLL File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O4 - Startup: C:\Documents and Settings\Web\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O8 - Extra context menu item: Save Flash - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O8 - Extra context menu item: Save YouTube Video - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\lspnuj.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Web\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Web\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/05 02:52:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/19 13:14:34 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
[2010/09/19 05:17:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Desktop\sort this crap
[2010/09/19 05:10:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/19 04:59:30 | 000,000,000 | ---D | C] -- C:\Combo-Fix20529C
[2010/09/17 03:44:44 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/09/14 08:37:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 08:25:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 08:25:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 08:25:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 08:25:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 08:25:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 08:25:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 07:34:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/09/14 07:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/14 05:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 03:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Application Data\Malwarebytes
[2010/09/14 03:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/14 02:56:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/09/13 01:43:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084}
[2010/09/13 01:40:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi
[2010/09/13 01:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg
[2010/09/13 01:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/09/13 01:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Application Data\F24339461A107A09551E960FE262B144
[2010/09/11 12:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\Convar
[2010/08/02 08:30:14 | 000,000,000 | ---D | C] -- C:\Program Files\Ableton
[2010/08/02 01:18:07 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/25 15:37:36 | 000,000,000 | ---D | C] -- C:\Program Files\Music Rescue
[2010/07/25 15:37:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\Downloaded Installations
[2010/07/25 15:35:44 | 000,000,000 | ---D | C] -- C:\Program Files\WindSolutions
[2010/07/25 15:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Application Data\WindSolutions
[2010/07/25 15:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WindSolutions
[2010/07/10 11:47:18 | 000,000,000 | ---D | C] -- C:\Program Files\Mediafour
[2010/07/10 06:07:01 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/07/10 06:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/07/10 06:02:24 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/07/10 05:55:41 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/26 09:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Desktop\Programs
[2010/06/26 09:23:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Desktop\Documents
[2008/07/05 03:55:03 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\U1 Setup.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/19 13:18:02 | 000,841,216 | ---- | M] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/09/19 13:11:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/19 13:10:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/19 13:05:46 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/19 05:18:14 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Web\NTUSER.DAT
[2010/09/19 05:18:14 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Web\ntuser.ini
[2010/09/19 05:18:07 | 004,084,248 | -H-- | M] () -- C:\Documents and Settings\Web\Local Settings\Application Data\IconCache.db
[2010/09/19 05:07:56 | 000,000,284 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/19 05:07:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/19 04:25:16 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/19 04:12:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/17 03:16:16 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2010/09/16 06:53:44 | 000,003,056 | ---- | M] () -- C:\Documents and Settings\Web\Local Settings\Application Data\syssvc.exe
[2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
[2010/09/14 08:37:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/14 04:47:48 | 000,002,838 | ---- | M] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/14 02:48:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 10:04:55 | 000,077,824 | ---- | M] () -- C:\Documents and Settings\Web\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/13 01:11:18 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Web\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/08/17 10:41:19 | 000,005,360 | ---- | M] () -- C:\Documents and Settings\Web\Application Data\wklnhst.dat
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/19 13:13:46 | 000,021,185 | R--- | C] () -- C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif
[2010/09/19 13:13:46 | 000,021,185 | -H-- | C] () -- C:\WINDOWS\System32\Flashy.exe
[2010/09/17 03:16:16 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2010/09/16 06:53:44 | 000,003,056 | ---- | C] () -- C:\Documents and Settings\Web\Local Settings\Application Data\syssvc.exe
[2010/09/14 08:37:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/14 08:37:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 08:25:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 08:25:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 08:25:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 08:25:41 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 08:25:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/13 01:43:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 01:43:48 | 000,002,838 | ---- | C] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/13 01:42:14 | 000,841,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/07/26 12:44:38 | 000,002,155 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2009/05/15 13:17:11 | 000,749,568 | ---- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2009/05/15 13:17:09 | 011,194,368 | ---- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2009/02/17 18:11:30 | 000,024,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\ElbyCDIO.sys
[2009/01/13 12:29:15 | 000,005,360 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\wklnhst.dat
[2009/01/04 22:25:29 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/12/26 23:23:10 | 000,077,824 | ---- | C] () -- C:\Documents and Settings\Web\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/26 03:00:55 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Web\Local Settings\Application Data\fusioncache.dat
[2008/12/11 13:27:24 | 000,000,259 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\com.kennettnet.MusicRescue4.Profiles.plist
[2008/12/11 12:53:20 | 000,000,207 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\com.kennettnet.MusicRescue4.plist
[2008/07/05 04:34:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/05 03:37:44 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/05 03:37:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/05 03:37:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/05 03:37:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/05 02:59:40 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2008/07/03 05:32:06 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/03/17 23:54:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini

========== LOP Check ==========

[2010/06/11 14:14:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2008/12/25 16:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ECAP
[2008/12/25 12:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/09/14 07:34:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/09/14 07:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/25 15:40:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindSolutions
[2010/08/02 08:30:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Ableton
[2009/08/20 10:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\avidemux
[2009/06/04 22:08:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2010/09/13 01:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\F24339461A107A09551E960FE262B144
[2010/01/05 13:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\InterVideo
[2009/09/26 05:03:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\OpenOffice.org
[2009/11/08 12:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\ScummVM
[2009/07/19 18:51:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Spotify
[2009/01/13 12:29:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Template
[2010/07/25 15:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\WindSolutions

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=ED8230261CDBB41414A152098A5E1293 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 13:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=858A92ABBFA4395FDEAE9CE8404D0DF5 -- C:\WINDOWS\system32\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


Hope this helps.
Thanks, once it's all fixed I'll definitely be making a donation!

Martin

MBanks
Intermediate

Posts Posts : 92
Joined Joined : 2010-09-15
OS OS : Windows XP Home Edition SP3
Points Points : 24094
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 19th September 2010, 9:29 pm

Hello.
Do you have an XP disc you can borrow from a friend?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts Posts : 34917
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245080
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 20th September 2010, 12:22 am

Unfortunately not, and even if I found someone with an XP disc, as I mentioned in the first post, this EEEpc doesn't have a CD or DVD drive.

Seems like I'm right by the finish line but I just can't cross it.


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 20th September 2010, 12:28 am

As long as you have USB ports, external CD drives can be bought.



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 20th September 2010, 3:36 am

That is very true, however they are fairly hard to come by up in the North West of Australia, as are people with an XP, and also fresh water. lol

Is there any other way to re-create the system files that were corrupt? If I could get System Restore to work and could do a system restore to before the computer became infected, would that restore them?

After running OTL I can now open most programs however it still gives me the RUNDLL dialog boxes when I enter windows saying two files are missing.

So close!!


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 20th September 2010, 3:52 am

I managed to get online using the laptop last night to make the post previous to yours, however another fake spyware page loaded, so I disconnected and ran the MBAM again in both user accounts, logs follow:

LOG FROM ACCOUNT 1:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

20/09/2010 01:44:37
mbam-log-2010-09-20 (01-44-37).txt

Scan type: Quick scan
Objects scanned: 120256
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\system32\Flashy.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flashy bot (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Flashy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\systemID.pif (Trojan.Downloader) -> Quarantined and deleted successfully.


LOG FROM ACCOUNT 2:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

20/09/2010 01:56:12
mbam-log-2010-09-20 (01-56-12).txt

Scan type: Quick scan
Objects scanned: 127618
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif (Trojan.Downloader) -> Quarantined and deleted successfully.




I won't be logging on with the laptop again until I have it totally fixed and new, up-to-date virus/spyware/malware protection on it!

Thanks for all your help...hope I haven't taken steps backwards by going online on the laptop.

Martin.




Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 20th September 2010, 11:25 pm

Hello.
The problem isn't what MBAM detected, it's that your system files are infected and there aren't many options left. We need to get those infected files clean somehow, and getting them from a CD is probably the best option.



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 21st September 2010, 5:46 am

Are there any other options aside from finding someone with the CD and then finding someone with a USB CD drive?

Is there any software that can run a fix and re-create the system files? I'm just asking for alternatives, as my chances of finding the CD and CD drive are quite slim.

Thanks again,
Martin


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 21st September 2010, 9:13 pm

Nope, sadly not.



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 23rd September 2010, 10:45 am

It seems to be running fine apart from the two RUNDLL boxes that appear on loading, so I'll just have to stick with this until I either buy a new laptop or meet someone with the CD and a USB CD drive!

Thanks for everything.


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 23rd September 2010, 10:53 am

Hello.
That error is easy to fix.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 24th September 2010, 9:07 am

Sorry about the delay, I had to drive 1200km to get to the next place I can get online!

Here's the log from HijackThis....hope it helps...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:04:15, on 24/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ocernwasxm.tmp] "C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp"
O4 - HKLM\..\Run: [wupdate] %SystemRoot%\system32\wupdate.exe
O4 - HKLM\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
O4 - HKLM\..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
O4 - HKLM\..\Run: [Wmimefameteq] rundll32.exe "C:\WINDOWS\onuyohuy.dll",Startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [Wcoluj] rundll32.exe "C:\WINDOWS\wimgxft.dll",Startup
O4 - HKCU\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
O4 - HKCU\..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
O4 - HKCU\..\Run: [sdsetup_aff] C:\Documents and Settings\Web\Desktop\sdsetup_aff.exe -min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: Save Flash - [You must be registered and logged in to see this link.] Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Save YouTube Video - [You must be registered and logged in to see this link.] Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspnuj.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0028831284690044) (0028831284690044mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9921256115394) (gupdate1c9921256115394) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PEVSystemStart - Unknown owner - C:\Combo-Fix20529C\PEV.cfxxe (file missing)

--
End of file - 10931 bytes


It was a very quick scan!
What might be the next steps I should take?
Thanks again,
Martin


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 24th September 2010, 10:08 am

So another pop-up window appeared whilst logging on to post that log, so I ran MBAM again, and it found more system files corrupted apparently...so here's the MBAM log and a new HijackThis log...hope I'm not just posting useless info to you now....

MBAM:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4662

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

24/09/2010 10:32:09
mbam-log-2010-09-24 (10-32-09).txt

Scan type: Quick scan
Objects scanned: 150780
Time elapsed: 13 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\gepn.fyo (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.


HIJACK:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:03:10, on 24/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ocernwasxm.tmp] "C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp"
O4 - HKLM\..\Run: [wupdate] %SystemRoot%\system32\wupdate.exe
O4 - HKLM\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
O4 - HKLM\..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
O4 - HKLM\..\Run: [Wmimefameteq] rundll32.exe "C:\WINDOWS\onuyohuy.dll",Startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [Wcoluj] rundll32.exe "C:\WINDOWS\wimgxft.dll",Startup
O4 - HKCU\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
O4 - HKCU\..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
O4 - HKCU\..\Run: [sdsetup_aff] C:\Documents and Settings\Web\Desktop\sdsetup_aff.exe -min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: Save Flash - [You must be registered and logged in to see this link.] Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Save YouTube Video - [You must be registered and logged in to see this link.] Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspnuj.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0028831284690044) (0028831284690044mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9921256115394) (gupdate1c9921256115394) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PEVSystemStart - Unknown owner - C:\Combo-Fix20529C\PEV.cfxxe (file missing)

--
End of file - 10967 bytes


Can you recommend a virus checker program to buy that will stop all this nonsense happening to my computer too? So much of a headache! I really appreciate all your help!

Martin


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 24th September 2010, 9:31 pm

I did mention there isn't much we can do until we can repair those 2 infected files, because they keep downloading more malware.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 24th September 2010, 11:15 pm

I thought as much.

Did the HijackThis log help on how I could fix the RunDLL files?


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 25th September 2010, 11:54 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [ocernwasxm.tmp] "C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp"
    O4 - HKLM\..\Run: [wupdate] %SystemRoot%\system32\wupdate.exe
    O4 - HKLM\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
    O4 - HKLM\..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
    O4 - HKLM\..\Run: [Wmimefameteq] rundll32.exe "C:\WINDOWS\onuyohuy.dll",Startup
    O4 - HKCU\..\Run: [Wcoluj] rundll32.exe "C:\WINDOWS\wimgxft.dll",Startup
    O4 - HKCU\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
    O4 - HKCU\..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
    O4 - HKCU\..\Run: [sdsetup_aff] C:\Documents and Settings\Web\Desktop\sdsetup_aff.exe -min


  • Press "Fix Checked"
  • Close Hijack This.

Reboot normally.
That should stop the error on startup.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
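The entries Belahzur picks out above share a few traits that a defender can check for mechanically: a browser proxy pointing back at the local host, Run entries launching from a Temp directory or from lowercase random-looking folders under Application Data, rundll32 loading a DLL dropped straight into the Windows directory, and BHO registrations with no file behind them. The following script is an added example, not code from this thread, from HijackThis or from Malwarebytes; it applies those heuristics (which are this example's own assumptions, not HijackThis's detection logic) to a handful of lines copied from the HijackThis log posted earlier in the thread, so you can see which ones a triage pass would surface and why. It is an aid for reading a log, not a replacement for a trained helper's judgement.

```python
import re

# Sample HijackThis lines, copied from the log posted in this thread (a constructed subset).
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [ocernwasxm.tmp] "C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp"',
    r"O4 - HKLM\..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe",
    r'O4 - HKLM\..\Run: [Wmimefameteq] rundll32.exe "C:\WINDOWS\onuyohuy.dll",Startup',
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
]

# Line shapes as HijackThis prints them (hive\..\Run: [name] command).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

# Heuristic (assumption of this example): a folder or file stem made only of
# lowercase letters and at least 8 long, like the ones in the thread.
LOWER_RANDOM = re.compile(r"^[a-z]{8,}$")


def extract_path(cmd):
    """Return the executable or DLL path from an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe"):
        cmd = cmd[len("rundll32.exe"):].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare path: drop a ",Export" suffix and any trailing -switch or /switch.
    path = cmd.split(",")[0]
    for sep in (" -", " /"):
        idx = path.find(sep)
        if idx > 0:
            path = path[:idx]
    return path.strip()


def analyze_line(line):
    """Return the reasons a line deserves a closer look (empty list if none)."""
    reasons = []
    m = R1_PROXY_RE.match(line)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy")):
        reasons.append("proxy server set to the local host: browser traffic goes through a local process")
        return reasons
    m = O2_RE.match(line)
    if m and m.group("path").strip() == "(no file)":
        reasons.append("BHO registration with no backing file: orphaned entry, cleanup candidate")
        return reasons
    m = O4_RE.match(line)
    if not m:
        return reasons
    cmd = m.group("cmd")
    path = extract_path(cmd)
    parts = path.split("\\")
    lower_parts = [p.lower() for p in parts]
    if "temp" in lower_parts:
        reasons.append("autorun entry launching from a Temp directory")
    # A DLL directly in C:\WINDOWS (not in a subfolder) loaded via rundll32.
    if cmd.lower().startswith("rundll32.exe") and len(parts) == 3 and lower_parts[1] == "windows":
        reasons.append("rundll32 loads a DLL placed directly in the Windows directory")
    if "application data" in lower_parts:
        tail = parts[lower_parts.index("application data") + 1:]
        if (len(tail) == 2 and LOWER_RANDOM.match(tail[0])
                and LOWER_RANDOM.match(tail[1].rsplit(".", 1)[0])):
            reasons.append("executable in a lowercase random-looking folder under Application Data")
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; lines with no findings are omitted."""
    findings = {}
    for line in lines:
        reasons = analyze_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in scan(SAMPLE_LINES).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, the five lines that Belahzur listed for removal are flagged while the Intel, Java and AVG entries pass clean. The rules are deliberately narrow (location and naming, not reputation), so a legitimate program installed in an odd place will also be flagged; treat a hit as a prompt to look at the file, not as a verdict.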



Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by MBanks on 3rd October 2010, 1:28 am

Hey,

OK, so I made it up to Darwin in the Northern Territory, the closest city where I thought I might be able to get Windows reinstalled. Managed to get it reinstalled yesterday and then went to an internet cafe to get MBAM installed. Downloaded it but have not yet purchased it; is it an effective malware, virus and spyware protector that will stop me getting attacked?

I ran a scan just to check and here is the log:


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4733

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/3/2010 10:49:54 AM
mbam-log-2010-10-03 (10-49-54).txt

Scan type: Quick scan
Objects scanned: 124835
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



As you can see, it found 3 infected registry data items.

I clicked on the remove/fix infected items button and it said it had completed it successfully.

What steps can I now take? Do I need to do an OTL or Combo-fix run?

Which anti-virus software would you recommend I purchase in order to stop getting attacked? It's pretty frustrating! Thanks for all your help; once I'm fixed up and protected I'll make a donation to the site for all your help.

Martin.


Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Post by Belahzur on 3rd October 2010, 11:08 pm

Please run Combofix and then post the Combofix log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


