Virus Zbot.G and trojan horse Cryptic.BGF

View previous topic View next topic Go down

Virus Zbot.G and trojan horse Cryptic.BGF

Post by lsmith on Mon 17 Oct 2011, 7:53 am

Hi,

There is much wrong with my PC (running XP Home Edition, Service Pack 2), including:

- AVG is reporting multiple threat detection. All of them listed as either virus Zbot.G or trojan horse Cryptic.BGF.
- Browsers cannot reach various domains, including this forum(!), PCDoctor and Microsoft. Also, AVG cannot connect to avg.com to update itself.
- All attempts to run a Malwarebytes scan end in a blue screen.

After a fair bit of looking around, your forum seemed to be the best place to seek assistanced. So, I followed the instructions for new postings on this forum at: [You must be registered and logged in to see this link.]

And I am pasting in the various log files below. Before I do, thank you in advance for your time and your help.

NOTES:
- when I ran aswMBR it prompted me, asking if I would like it to download Avast virus definitions. I said yes but it seemed to not work.
- This contains the first log file (OTL.txt) ONLY. I will post the others in a reply to this.

So, the log file:

**FILE: OTL.txt
OTL logfile created on: 16/10/2011 20:50:11 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Luke\Desktop\Fixup
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 0.64 Gb Available Physical Memory | 42.66% Memory free
2.08 Gb Paging File | 1.40 Gb Available in Paging File | 67.37% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.01 Gb Free Space | 2.69% Space Free | Partition Type: NTFS
Drive F: | 479.44 Mb Total Space | 1.31 Mb Free Space | 0.27% Space Free | Partition Type: FAT

Computer Name: AMILO | User Name: Luke | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/16 20:47:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Luke\Desktop\Fixup\OTL.com
PRC - [2011/09/10 06:28:50 | 002,338,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/09/09 03:10:56 | 001,082,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/18 01:33:26 | 000,659,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2011/08/18 01:33:06 | 007,390,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2011/05/23 14:13:04 | 000,657,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2011/03/28 03:00:52 | 000,351,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/06/24 15:41:38 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/06/25 16:12:42 | 001,414,144 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
PRC - [2009/06/02 11:10:08 | 000,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
PRC - [2009/05/28 14:45:00 | 000,132,096 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2009/05/27 13:00:24 | 000,753,664 | ---- | M] (Apple Inc.) -- C:\Program Files\AirPort\APAgent.exe
PRC - [2009/05/11 15:15:00 | 000,128,000 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
PRC - [2009/03/30 11:11:14 | 000,120,320 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2007/06/13 12:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/28 19:28:02 | 002,796,544 | ---- | M] (Almico Software ([You must be registered and logged in to see this link.] -- C:\Program Files\SpeedFan\speedfan.exe


========== Modules (No Company Name) ==========

MOD - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/08/12 12:16:16 | 002,023,424 | ---- | M] () -- C:\Program Files\Nokia\Nokia PC Suite 7\QtCore4.dll
MOD - [2008/07/29 15:47:56 | 000,016,384 | ---- | M] () -- C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qsvg4.dll
MOD - [2008/07/29 15:47:38 | 000,135,168 | ---- | M] () -- C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qjpeg4.dll
MOD - [2008/07/29 15:11:18 | 000,253,952 | ---- | M] () -- C:\Program Files\Nokia\Nokia PC Suite 7\QtSvg4.dll
MOD - [2008/07/29 15:01:12 | 007,331,840 | ---- | M] () -- C:\Program Files\Nokia\Nokia PC Suite 7\QtGUI4.dll
MOD - [2008/07/29 14:50:26 | 000,364,544 | ---- | M] () -- C:\Program Files\Nokia\Nokia PC Suite 7\QtXml4.dll
MOD - [2005/07/15 19:35:56 | 000,831,488 | ---- | M] () -- C:\WINDOWS\system32\libeay32.dll
MOD - [2005/07/15 19:35:56 | 000,159,744 | ---- | M] () -- C:\WINDOWS\system32\ssleay32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (clr_optimization_v2.0.50727_32)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/18 01:33:06 | 007,390,560 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/06/24 15:41:38 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/06/02 11:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Running] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006/10/18 21:05:24 | 001,029,121 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/05/27 19:05:44 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/04/05 00:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/03/16 16:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 08:13:02 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/02/10 07:53:54 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/02/10 07:53:52 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/01/07 06:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2009/03/26 22:53:08 | 000,081,288 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iksyssec.sys -- (IKSysSec)
DRV - [2009/03/26 22:53:08 | 000,066,952 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iksysflt.sys -- (IKSysFlt)
DRV - [2009/03/26 22:53:07 | 000,040,840 | ---- | M] (PCTools Research Pty Ltd.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ikfilesec.sys -- (IKFileSec)
DRV - [2009/03/19 15:48:18 | 000,136,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys -- (nmwcdnsu)
DRV - [2009/03/19 15:48:12 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc)
DRV - [2009/03/06 16:45:06 | 000,130,424 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/02/09 09:37:56 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/02/09 09:37:48 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/02/09 09:37:46 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/02/09 09:37:46 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/08/26 11:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/08/08 12:12:42 | 000,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/06/30 14:29:43 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2006/09/24 14:28:47 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/07/14 13:55:34 | 000,105,088 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2006/01/05 10:30:42 | 000,561,664 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2005/09/30 10:34:10 | 000,310,016 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/09/17 11:01:50 | 000,028,672 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/09/14 12:45:24 | 000,050,560 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/08/06 04:06:32 | 000,028,704 | R--- | M] (USB World) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb2vcom.sys -- (usb2vcom)
DRV - [2005/02/26 17:25:52 | 000,091,527 | ---- | M] (VM) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbVM31b.sys -- (ZSMC301b)
DRV - [1996/04/03 20:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/webhp?rlz=1R0GPCK_en-GB"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.19
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:4.0.0
FF - prefs.js..extensions.enabledItems: {3A987241-0C34-45A4-AAB9-EB66AE5985DF}:1.9.1
FF - prefs.js..keyword.URL: "http://search.avg.com/?d=4d6c98b6&i=23&tp=ab&nt=1&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll File not found
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll (Google)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Luke\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Luke\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Luke\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Luke\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/11/02 22:09:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/12/11 14:17:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}: C:\Documents and Settings\Luke\Local Settings\Application Data\{3A987241-0C34-45A4-AAB9-EB66AE5985DF} [2011/01/24 00:17:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/09/16 21:23:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/16 15:01:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/16 15:01:40 | 000,000,000 | ---D | M]

[2010/07/22 21:46:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Extensions
[2010/07/22 21:46:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Extensions\home2@tomtom.com
[2011/09/10 10:15:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\extensions
[2010/05/26 14:53:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/09/22 11:18:25 | 000,000,000 | ---D | M] ("Delicious Bookmarks") -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2011/09/10 10:15:52 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/09/19 18:11:50 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2009/11/14 09:18:18 | 000,000,000 | ---D | M] (United States English Dictionary) -- C:\Documents and Settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\extensions\en-US@dictionaries.addons.mozilla.org
[2011/04/15 09:27:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/24 00:17:42 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\LUKE\LOCAL SETTINGS\APPLICATION DATA\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}
[2011/09/16 21:23:51 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX4
[2009/08/10 22:47:55 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/16 15:01:16 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/16 15:01:22 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/05/16 15:01:22 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/05/16 15:01:22 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/05/16 15:01:22 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/05/16 15:01:22 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/04/19 19:52:05 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cdudapojuyi] rundll32.exe "C:\WINDOWS\eyedageqewipe.dll",Startup File not found
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Jcowa] rundll32.exe "C:\WINDOWS\mshdbds.dll",Startup File not found
O4 - HKCU..\Run: [NwkWfmrb] C:\Documents and Settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe File not found
O4 - HKCU..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - Startup: C:\Documents and Settings\Luke\Start Menu\Programs\Startup\SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe (Almico Software ([You must be registered and logged in to see this link.]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe ()
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} [You must be registered and logged in to see this link.] (Zylom Games Player)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} [You must be registered and logged in to see this link.] (JuniperSetupClientControl Class)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe) -C:\Documents and Settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/13 22:35:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{618fe8af-9102-11df-8090-0011e2fd8180}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe
O33 - MountPoints2\{68465bd6-cbae-11df-80a2-0016367de231}\Shell - "" = AutoRun
O33 - MountPoints2\{68465bd6-cbae-11df-80a2-0016367de231}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{68465bd6-cbae-11df-80a2-0016367de231}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{68465bda-cbae-11df-80a2-0016367de231}\Shell - "" = AutoRun
O33 - MountPoints2\{68465bda-cbae-11df-80a2-0016367de231}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{68465bda-cbae-11df-80a2-0016367de231}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "Messenger"
MsConfig - Services: "JavaQuickStarterService"
MsConfig - Services: "gusvc"
MsConfig - Services: "Fax"
MsConfig - Services: "FastUserSwitchingCompatibility"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin315.exe.lnk - C:\Program Files\Philips\Philips SPC315NC Webcam\TrayMin315.exe - ()
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - File not found
MsConfig - StartUpReg: BigDogPath - hkey= - key= - C:\WINDOWS\VM_STI.EXE (BIGDOG)
MsConfig - StartUpReg: BluetoothAuthenticationAgent - hkey= - key= - File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: PCSuiteTrayApplication - hkey= - key= - File not found
MsConfig - StartUpReg: Picasa Media Detector - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe ()
MsConfig - StartUpReg: RegistryMechanic - hkey= - key= - C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: updateMgr - hkey= - key= - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2



ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/10/16 20:48:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Luke\Desktop\Fixup
[2011/10/11 16:55:36 | 000,000,000 | ---D | C] -- C:\92932102741bbb635c9516
[2011/09/24 13:33:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Luke\Local Settings\Application Data\fqvlgojq
[2011/09/20 19:22:25 | 000,000,000 | ---D | C] -- C:\dab9d5f12668c76d1c913d
[2011/09/20 09:44:06 | 000,000,000 | ---D | C] -- C:\1584ae9eae420a45fd76e5d4ad11
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/16 20:19:10 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1920139289-2278258733-2505583037-1007UA.job
[2011/10/16 14:43:44 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/16 14:41:35 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/10/16 14:41:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/16 14:41:15 | 1600,311,296 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/16 14:29:01 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/16 13:38:15 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/04 15:55:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/04 10:19:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1920139289-2278258733-2505583037-1007Core.job
[2011/09/19 17:02:45 | 132,914,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/09/16 21:23:51 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/24 00:17:44 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bwugike.dat
[2011/01/24 00:17:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Lmidejucowozi.bin
[2011/01/10 11:26:05 | 000,045,396 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/09/24 13:07:50 | 000,165,584 | ---- | C] () -- C:\WINDOWS\System32\AirfoilInject3.dll
[2009/03/09 14:20:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2007/12/19 23:32:54 | 000,006,834 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\NMM-MetaData.db
[2007/08/30 08:54:11 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Luke\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/21 11:04:37 | 000,025,372 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\Comma Separated Values (Windows).ADR
[2007/07/03 23:27:23 | 000,004,391 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\Comma Separated Values (Windows).NOT
[2007/06/30 17:05:23 | 000,011,460 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\Comma Separated Values (Windows).TSK
[2007/06/30 16:43:04 | 000,012,988 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\Comma Separated Values (Windows).CAL
[2007/02/23 17:12:42 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/01/10 20:59:18 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/12/04 12:14:41 | 000,000,042 | ---- | C] () -- C:\WINDOWS\webica.ini
[2006/12/04 11:44:50 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\Luke\Application Data\wklnhst.dat
[2006/12/02 15:15:37 | 000,001,615 | ---- | C] () -- C:\WINDOWS\checkip.dat
[2006/12/01 13:32:21 | 000,001,423 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/12/01 13:30:06 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/12/01 12:51:56 | 000,046,888 | ---- | C] () -- C:\WINDOWS\System32\compare.dat
[2006/10/14 00:31:53 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/10/14 00:31:20 | 000,226,408 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/10/13 23:55:09 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/13 23:32:12 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/10/13 23:32:12 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/10/13 23:32:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/10/13 23:32:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/10/13 23:32:12 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/10/13 23:32:12 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/10/13 23:30:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/13 23:25:46 | 000,000,180 | ---- | C] () -- C:\WINDOWS\Option.ini
[2006/10/13 23:18:39 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/10/13 22:38:30 | 000,000,828 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/10/13 22:37:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/10/13 22:34:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/10/13 22:33:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/10/12 18:14:22 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/10/12 18:10:34 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\property.dll
[2006/10/12 18:10:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/10/12 18:10:23 | 000,445,938 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/10/12 18:10:23 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/10/12 18:10:23 | 000,072,978 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/10/12 18:10:23 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/10/12 18:10:23 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/10/12 18:10:22 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/10/12 18:10:22 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/10/12 18:10:20 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/10/12 18:10:20 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/10/12 18:10:17 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/10/12 18:10:15 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2005/07/15 19:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 19:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 19:35:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996/04/03 20:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >
[2009/08/10 20:09:20 | 000,308,160 | ---- | M] (ALWIL Software) -- C:\Documents and Settings\Luke\Desktop\avast_home_setup.exe
[2009/03/26 22:31:03 | 001,075,744 | ---- | M] () -- C:\Documents and Settings\Luke\Desktop\Google Updater.exe
[2007/05/13 15:29:16 | 003,113,024 | ---- | M] (Citrix Systems, Inc.) -- C:\Documents and Settings\Luke\Desktop\ica32t(2).exe
[2006/12/04 11:51:44 | 003,113,024 | ---- | M] (Citrix Systems, Inc.) -- C:\Documents and Settings\Luke\Desktop\ica32t.exe
[2010/04/20 22:58:56 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Luke\Desktop\iexplore.exe
[2009/06/12 21:17:40 | 001,878,888 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Luke\Desktop\install_flash_player(2).exe
[2009/05/21 21:29:23 | 001,878,888 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Luke\Desktop\install_flash_player.exe
[2009/03/08 15:42:48 | 005,408,074 | ---- | M] (Last.fm ) -- C:\Documents and Settings\Luke\Desktop\Last.fm-1.5.2.38918.exe
[2007/12/24 23:24:19 | 015,693,888 | ---- | M] () -- C:\Documents and Settings\Luke\Desktop\NokiaSoftwareUpdaterSetup_en.exe
[2007/08/30 08:44:41 | 005,903,928 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Luke\Desktop\picasaweb-current-setup.exe
[2007/03/31 14:50:12 | 012,711,440 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\Luke\Desktop\RealPlayer10-5GOLD.exe
[2009/08/10 20:50:35 | 008,060,048 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Luke\Desktop\rminstall.exe
[2009/08/10 23:02:47 | 001,579,360 | ---- | M] () -- C:\Documents and Settings\Luke\Desktop\taskmanager17.exe
[2009/08/17 21:39:36 | 000,150,192 | ---- | M] () -- C:\Documents and Settings\Luke\Desktop\TweakUiPowertoySetup.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozaailla Firefox\*.exe >

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2009/11/08 15:57:04 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2006/10/13 23:28:18 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2010/01/15 00:51:54 | 000,000,000 | ---D | M] -- C:\Program Files\Airfoil
[2010/01/15 00:10:27 | 000,000,000 | ---D | M] -- C:\Program Files\AirPort
[2009/08/10 20:19:04 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2009/02/24 21:46:16 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2011/02/26 22:44:00 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/11/01 18:30:13 | 000,000,000 | ---D | M] -- C:\Program Files\Balsamiq Mockups
[2011/01/04 14:50:08 | 000,000,000 | ---D | M] -- C:\Program Files\BatteryMon
[2007/03/27 09:42:35 | 000,000,000 | ---D | M] -- C:\Program Files\BitTorrent
[2011/01/13 22:46:16 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2006/12/04 12:05:16 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2010/12/30 17:42:30 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2006/10/13 22:34:05 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2006/10/13 23:24:47 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2009/11/02 22:09:53 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2010/04/06 21:54:29 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2007/06/30 14:33:41 | 000,000,000 | ---D | M] -- C:\Program Files\Documents To Go
[2009/08/30 21:41:15 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2007/03/27 10:01:27 | 000,000,000 | ---D | M] -- C:\Program Files\Grisoft
[2010/09/29 10:47:17 | 000,000,000 | ---D | M] -- C:\Program Files\Huawei technologies
[2009/02/05 00:43:50 | 000,000,000 | ---D | M] -- C:\Program Files\igowin
[2007/01/10 21:54:17 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2011/10/16 19:52:12 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2006/10/13 23:32:04 | 000,000,000 | ---D | M] -- C:\Program Files\InterVideo
[2006/10/13 23:32:20 | 000,000,000 | ---D | M] -- C:\Program Files\InterVideo Information Service
[2011/03/01 17:05:22 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2011/03/01 17:06:05 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/01/14 21:22:19 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2006/12/08 20:51:15 | 000,000,000 | ---D | M] -- C:\Program Files\Kodak
[2009/04/30 10:09:27 | 000,000,000 | ---D | M] -- C:\Program Files\Last.fm
[2007/03/27 12:02:09 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2011/10/16 13:38:15 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/08/13 22:46:41 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2006/12/04 12:10:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2006/10/13 22:35:28 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/12/09 11:50:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2011/09/12 18:11:21 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2006/10/13 23:29:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/10/11 11:07:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2006/12/04 12:08:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/10/16 20:00:38 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/10/12 17:10:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/08/10 23:00:04 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/12/09 11:50:06 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2006/12/05 21:01:22 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2006/10/13 22:33:37 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007/04/10 22:21:00 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/08/10 22:49:32 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2006/10/13 22:34:18 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009/11/02 23:12:31 | 000,000,000 | ---D | M] -- C:\Program Files\Nokia
[2007/03/06 21:07:07 | 000,000,000 | ---D | M] -- C:\Program Files\Nvu
[2006/10/13 22:34:29 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2011/10/16 20:02:32 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2008/08/22 21:26:08 | 000,000,000 | ---D | M] -- C:\Program Files\Palm
[2009/11/02 22:08:26 | 000,000,000 | ---D | M] -- C:\Program Files\PC Connectivity Solution
[2007/01/10 21:54:44 | 000,000,000 | ---D | M] -- C:\Program Files\Philips
[2006/12/01 12:51:05 | 000,000,000 | ---D | M] -- C:\Program Files\Program Shortcuts
[2011/01/13 22:49:13 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/11/16 10:28:31 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2009/08/10 22:59:51 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2009/08/10 22:28:44 | 000,000,000 | ---D | M] -- C:\Program Files\Registry Mechanic
[2006/12/02 22:35:36 | 000,000,000 | ---D | M] -- C:\Program Files\SecondLife
[2009/08/10 23:13:37 | 000,000,000 | ---D | M] -- C:\Program Files\Security Task Manager
[2010/01/16 16:13:48 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2011/10/16 14:41:37 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedFan
[2009/08/12 10:25:52 | 000,000,000 | ---D | M] -- C:\Program Files\Spyware Doctor
[2006/10/13 23:24:08 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2007/02/28 22:37:48 | 000,000,000 | ---D | M] -- C:\Program Files\TextPad 4
[2010/07/22 21:29:22 | 000,000,000 | ---D | M] -- C:\Program Files\TomTom DesktopSuite
[2010/07/22 21:46:23 | 000,000,000 | ---D | M] -- C:\Program Files\TomTom HOME 2
[2010/07/22 21:46:31 | 000,000,000 | ---D | M] -- C:\Program Files\TomTom International B.V
[2006/10/13 22:38:16 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2006/12/11 21:11:49 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2011/10/16 20:09:07 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2006/10/13 22:33:35 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2006/10/13 22:34:30 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2006/10/13 22:35:29 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/08/17 20:05:07 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!


< MD5 for: AGP440.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:disk.sys
[2004/08/04 13:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\system32\drivers\disk.sys
[2008/04/13 19:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys

< MD5 for: IASTOR.SYS >
[2006/05/11 10:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\I386\$oem$\textmode\iaStor.sys
[2006/05/11 10:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\OemDir\iaStor.sys
[2006/05/11 10:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\iaStor.sys
[2005/10/12 12:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389$\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-10-04 15:04:42

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/05/16 15:01:23 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/05/16 15:01:23 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/05/16 15:01:23 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/05/16 15:01:16 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/05/16 15:01:16 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/05/16 15:01:16 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/04 13:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/04 13:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/04 13:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2004/08/04 13:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/05/16 15:01:23 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/05/16 15:01:23 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/05/16 15:01:23 | 000,711,672 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/05/16 15:01:16 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/05/16 15:01:16 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/05/16 15:01:16 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/04 13:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/04 13:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/04 13:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2004/08/04 13:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA5F15C4
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E08FC17

< End of report >


** NOTE: 3 more log files to come in reply to this post.

lsmith

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2011-10-17
Operating System : WindowsXP

View user profile

Back to top Go down

Other 3 log files

Post by lsmith on Mon 17 Oct 2011, 7:55 am

The log files are too long to go in a single post. Here are the remaining 3 log files:


** FILE: extras.txt
OTL Extras logfile created on: 16/10/2011 20:50:11 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Luke\Desktop\Fixup
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 0.64 Gb Available Physical Memory | 42.66% Memory free
2.08 Gb Paging File | 1.40 Gb Available in Paging File | 67.37% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.01 Gb Free Space | 2.69% Space Free | Partition Type: NTFS
Drive F: | 479.44 Mb Total Space | 1.31 Mb Free Space | 0.27% Space Free | Partition Type: FAT

Computer Name: AMILO | User Name: Luke | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- ()
"C:\Program Files\InterVideo\DVD7\WinDVD.exe" = C:\Program Files\InterVideo\DVD7\WinDVD.exe:*:Enabled:WinDVD -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Palm\Hotsync.exe" = C:\Program Files\Palm\Hotsync.exe:*:Enabled:HotSync® Manager Application -- ()
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe" = C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process -- ()
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe" = C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater -- (Nokia Corporation)
"C:\Program Files\AirPort\APAgent.exe" = C:\Program Files\AirPort\APAgent.exe:*:Enabled:AirPort -- (Apple Inc.)
"C:\Program Files\Airfoil\Airfoil.exe" = C:\Program Files\Airfoil\Airfoil.exe:*:Enabled:Airfoil -- (Rogue Amoeba)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\TomTom HOME 2\xulrunner\TomTomHOMERuntime.exe" = C:\Program Files\TomTom HOME 2\xulrunner\TomTomHOMERuntime.exe:*:Enabled:TomTom HOME -- (Mozilla Foundation)
"C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" = C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe:*:Enabled:3 USB Modem -- ()
"C:\Documents and Settings\Luke\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Luke\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02B71D92-A84B-4DFB-9A10-D12BB01AC1F2}" = Nokia N73 highlights
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{1197E65C-6B3F-A93D-38CA-769CB9A5A966}" = Balsamiq Mockups For Desktop
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 15
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D39E775-DDDA-4327-B747-0BDC5F191331}" = Nokia PC Suite
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}" = Nokia Software Updater
"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{59359B3D-ABE7-46BF-AB55-43B67A64DC68}" = Nokia MTP driver
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{637AF5A9-CFD1-43D7-A622-8F93954E92E3}" = AirPort
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{695B13B2-7919-4EC5-8601-092F0D2DE069}" = AVG 2011
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{727DAFCB-E3AF-46E3-8A38-EB9C3EAA0A88}" = AVG 2011
"{73E30715-9EC4-4DAE-BE67-64500AEB8012}" = Nokia Nseries Skin for Microsoft Windows Media Player
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{77F5816C-64A6-4FBE-BBE5-52EFE5EB84E8}" = Nokia themes for your device
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{82705358-3BD6-3CD5-AA9A-B8F058BE3A29}" = Google Talk Plugin
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90885A82-9673-49EA-AB39-AF776639C67C}" = InterVideo WinDVD 7
"{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT (x86) WinSXS MSM
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}" = Palm
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D95F0670-EBA8-46B2-8ABE-9DDA2BC3DC7E}" = Philips SPC315NC Webcam
"{EB807EB6-5179-48B7-98D4-7B4934A57A81}" = Documents To Go
"{EE565795-2776-415A-B31C-EB3A8D7C6FA4}" = Nokia Lifeblog 2.1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"010D072E91408D6B7C6FC65489B6D30C027605F5" = Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17)
"3 USB Modem" = 3 USB Modem
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Airfoil" = Airfoil
"AVG" = AVG 2011
"BalsamiqMockupsForDesktop.EDE15CF69E11F7F7D45B5430C7D37CC6C3545E3C.1" = Balsamiq Mockups For Desktop
"BatteryMon_is1" = BatteryMon V2.1
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_PCI_VEN_14F1&DEV_5045&SUBSYS_152D0755" = Soft Data Fax Modem with SmartCP
"E8A6D621B6D3FC5D43C68C549D959DE76EEF5D84" = Windows Driver Package - Nokia Modem (06/01/2009 4.1)
"F779F5541ABD99C95C03B0FD5E3C058B22DA0FF7" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"LastFM_is1" = Last.fm 1.5.4.24567
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 4.0.1 (x86 en-GB)" = Mozilla Firefox 4.0.1 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NeroVision!UninstallKey" = Nero Digital
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Suite" = Nokia PC Suite
"NVEContent!UninstallKey" = NeroVision Express Content
"Nvu_is1" = Nvu 1.0
"Picasa 3" = Picasa 3
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 12.0" = RealPlayer
"Registry Mechanic_is1" = Registry Mechanic 8.0
"SecondLife" = SecondLife (remove only)
"Security Task Manager" = Security Task Manager 1.7e
"SpeedFan" = SpeedFan (remove only)
"Spyware Doctor" = Spyware Doctor 6.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TomTom HOME" = TomTom HOME 2.7.5.2014
"Tweak UI 2.10" = Tweak UI
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Networks_Cache_Cleaner 6.5.0" = Juniper Networks Cache Cleaner 6.5.0
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/10/2011 09:28:26 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:28:26 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:41:19 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:41:19 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:43:24 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:43:24 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

[ Application Events ]
Error - 16/10/2011 09:28:26 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:28:26 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:41:17 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:41:19 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:41:19 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

Error - 16/10/2011 09:43:24 | Computer Name = AMILO | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The configuration registry database
is corrupt. for C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

Error - 16/10/2011 09:43:24 | Computer Name = AMILO | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The configuration
registry database is corrupt.

[ System Events ]
Error - 16/10/2011 09:27:37 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:27:37 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:27:37 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:27:37 | Computer Name = AMILO | Source = Service Control Manager | ID = 7023
Description = The Windows Time service terminated with the following error: %%127

Error - 16/10/2011 09:28:26 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:41:39 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:41:39 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:41:39 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009

Error - 16/10/2011 09:41:39 | Computer Name = AMILO | Source = Service Control Manager | ID = 7023
Description = The Windows Time service terminated with the following error: %%127

Error - 16/10/2011 09:43:25 | Computer Name = AMILO | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1009


< End of report >



** FILE: aswMBR.txt
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-16 21:16:37
-----------------------------
21:16:37.578 OS Version: Windows 5.1.2600 Service Pack 2
21:16:37.578 Number of processors: 2 586 0xF06
21:16:37.578 ComputerName: AMILO UserName: Luke
21:16:42.890 Initialize success
21:17:01.968 AVAST engine download error: 0
21:17:18.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:17:18.343 Disk 0 Vendor: ST98823A 3.04 Size: 76319MB BusType: 3
21:17:18.343 Disk 1 \Device\Harddisk1\DR2 -> \Device\0000007f
21:17:18.343 Disk 1 Vendor: RICOH 02 Size: 479MB BusType: 0
21:17:18.390 Disk 0 MBR read successfully
21:17:18.390 Disk 0 MBR scan
21:17:18.390 Disk 0 Windows XP default MBR code
21:17:18.437 Disk 0 scanning sectors +156296385
21:17:18.531 Disk 0 PE file @ sector 156296385 !
21:17:18.625 Disk 0 scanning C:\WINDOWS\system32\drivers
21:17:51.093 Service scanning
21:17:53.046 Modules scanning
21:18:29.828 Disk 0 trace - called modules:
21:18:29.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
21:18:29.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a41dab8]
21:18:29.859 3 CLASSPNP.SYS[ba0f905b] -> nt!IofCallDriver -> \Device\00000075[0x8a4bfa28]
21:18:29.859 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a41c030]
21:18:29.859 Scan finished successfully
21:19:06.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Luke\Desktop\Fixup\Logs\MBR.dat"
21:19:06.796 The log file has been saved successfully to "C:\Documents and Settings\Luke\Desktop\Fixup\Logs\aswMBR.txt"



** FILE: checkup.txt
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 15
Out of date Java installed!
Adobe Flash Player ( 10.0.42.34) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


****************
Thank you very much.

lsmith

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2011-10-17
Operating System : WindowsXP

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by Belahzur on Sun 23 Oct 2011, 10:14 am

Hi,
Sorry for the delay.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to Belahzur.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click Belahzur.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by lsmith on Tue 25 Oct 2011, 6:39 am

Hi Belahzur,

Thanks for getting back to me. I was wondering if I'd done something wrong in my post. I've run combofix as suggested. It hasn't stopped the virus messages, but hopefully you can help with that! here is the log file:

ComboFix 11-10-24.03 - Luke 24/10/2011 19:57:40.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.602 [GMT 1:00]
Running from: c:\documents and settings\Luke\Desktop\Belahzur.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Luke\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Luke\Local Settings\Application Data\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}
c:\documents and settings\Luke\Local Settings\Application Data\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}\chrome.manifest
c:\documents and settings\Luke\Local Settings\Application Data\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}\chrome\content\_cfg.js
c:\documents and settings\Luke\Local Settings\Application Data\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}\chrome\content\overlay.xul
c:\documents and settings\Luke\Local Settings\Application Data\{3A987241-0C34-45A4-AAB9-EB66AE5985DF}\install.rdf
c:\documents and settings\Luke\Local Settings\Application Data\bnotldgt.log
c:\documents and settings\Luke\Local Settings\Application Data\dgfqxcjl.log
c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe
c:\documents and settings\Luke\Local Settings\Application Data\huxgdlku.log
c:\documents and settings\Luke\Local Settings\Application Data\oxnsrnxg.log
c:\documents and settings\Luke\Local Settings\Application Data\pougnnfd.log
c:\documents and settings\Luke\Local Settings\Application Data\qlkvlufw.log
c:\documents and settings\Luke\Local Settings\Application Data\thinwgox.log
.
.
((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))
.
.
2011-10-11 15:55 . 2011-10-11 15:55 -------- d-----w- C:\92932102741bbb635c9516
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 16:00 . 2010-10-27 19:45 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 14:01 . 2011-05-16 14:01 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\w32time.dll
[-] 2004-08-04 . 8E052C9728FEF0E76BC8F82252E66B4C . 174592 . . [5.1.2600.2180] . . c:\windows\system32\w32time.dll
[7] 2004-08-04 . 2B281958F5D0CF99ED626E3EF39D5C8D . 174592 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\w32time.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-13 761946]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-01-05 61952]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-17 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Luke\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-2-28 2796544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin315.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TrayMin315.exe.lnk
backup=c:\windows\pss\TrayMin315.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2004-06-09 15:37 40960 ----a-w- c:\windows\VM_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2004-08-04 12:00 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 15:08 421160 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-06-30 10:00 2836376 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-26 21:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-17 18:03 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Airfoil\\Airfoil.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Documents and Settings\\Luke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [25/05/2009 13:24 130424]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [08/12/2010 05:12 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [12/11/2010 14:19 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 01:33 7390560]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [08/02/2011 05:33 269520]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/10/2010 20:45 366152]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 15:41 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [03/08/2010 16:23 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [03/08/2010 16:23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [03/08/2010 16:23 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/10/2010 20:45 22216]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [02/11/2009 22:07 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [02/11/2009 22:07 8320]
S3 usb2vcom;DKU-5 Connectivity Adapter Cable;c:\windows\system32\drivers\usb2vcom.sys [10/01/2007 19:33 28704]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GUSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-10-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-30 19:13]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1920139289-2278258733-2505583037-1007Core.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-30 09:54]
.
2011-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1920139289-2278258733-2505583037-1007UA.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-30 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Jcowa - c:\windows\mshdbds.dll
HKCU-Run-NwkWfmrb - c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe
HKLM-Run-Cdudapojuyi - c:\windows\eyedageqewipe.dll
HKU-Default-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-PCSuiteTrayApplication - c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-3 USB Modem - c:\progra~1\HUAWEI~1\HUAWEI~1\Uninstall.exe
AddRemove-CNXT_HDAUDIO - c:\program files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_5045&SUBSYS_152D0755 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_5045&SUBSYS_152D0755\HXFSETUP.EXE
AddRemove-HijackThis - c:\documents and settings\Luke\Desktop\HijackThis.exe
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-Nokia PC Suite - c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web.exe
AddRemove-{90885A82-9673-49EA-AB39-AF776639C67C} - c:\program files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe
AddRemove-{F37167DD-4436-4641-90B6-329D60632DDA} - c:\program files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-24 20:13
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Luke\Start Menu\Programs\Startup\nwkwfmrb.exe 112638 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4384)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\windows\system32\browselc.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2011-10-24 20:25:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-24 19:24
.
Pre-Run: 2,247,684,096 bytes free
Post-Run: 3,449,618,432 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 446412F7FE0FB47E45196136D6BA8182



lsmith

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2011-10-17
Operating System : WindowsXP

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by Belahzur on Tue 25 Oct 2011, 8:11 am

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    FCopy::
    c:\windows\system32\dllcache\w32time.dll | c:\windows\system32\w32time.dll

    File::
    c:\documents and settings\Luke\Start Menu\Programs\Startup\nwkwfmrb.exe

    Folder::
    c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,"
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by lsmith on Tue 25 Oct 2011, 9:55 am

Hi There.

thanks for the snappy response. Here's the latest log file:


ComboFix 11-10-24.03 - Luke 24/10/2011 23:22:20.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.747 [GMT 1:00]
Running from: c:\documents and settings\Luke\Desktop\Belahzur.exe
Command switches used :: c:\documents and settings\Luke\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\documents and settings\Luke\Start Menu\Programs\Startup\nwkwfmrb.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Luke\Local Settings\Application Data\bnotldgt.log
c:\documents and settings\Luke\Local Settings\Application Data\dgfqxcjl.log
c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq
c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe
c:\documents and settings\Luke\Local Settings\Application Data\huxgdlku.log
c:\documents and settings\Luke\Local Settings\Application Data\pougnnfd.log
c:\documents and settings\Luke\Local Settings\Application Data\qlkvlufw.log
c:\documents and settings\Luke\Start Menu\Programs\Startup\nwkwfmrb.exe
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\drivers\etc\lmhosts
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\w32time.dll --> c:\windows\system32\w32time.dll
.
((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))
.
.
2011-10-24 22:37 . 2011-10-24 22:37 112638 --s---w- C:\nwkwfmrb.exe
2011-10-11 15:55 . 2011-10-11 15:55 -------- d-----w- C:\92932102741bbb635c9516
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 16:00 . 2010-10-27 19:45 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 14:01 . 2011-05-16 14:01 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"NwkWfmrb"="c:\documents and settings\Luke\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-13 761946]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-01-05 61952]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-17 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"NwkWfmrb"="c:\documents and settings\NetworkService\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe" [2011-10-24 112638]
.
c:\documents and settings\Luke\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-2-28 2796544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\NetworkService\Local Settings\Application Data\fqvlgojq\nwkwfmrb.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin315.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TrayMin315.exe.lnk
backup=c:\windows\pss\TrayMin315.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2004-06-09 15:37 40960 ----a-w- c:\windows\VM_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2004-08-04 12:00 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 15:08 421160 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-06-30 10:00 2836376 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-26 21:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-17 18:03 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Airfoil\\Airfoil.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Documents and Settings\\Luke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [25/05/2009 13:24 130424]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [08/12/2010 05:12 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [12/11/2010 14:19 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 01:33 7390560]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [08/02/2011 05:33 269520]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/10/2010 20:45 366152]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 15:41 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [03/08/2010 16:23 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [03/08/2010 16:23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [03/08/2010 16:23 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/10/2010 20:45 22216]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [02/11/2009 22:07 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [02/11/2009 22:07 8320]
S3 usb2vcom;DKU-5 Connectivity Adapter Cable;c:\windows\system32\drivers\usb2vcom.sys [10/01/2007 19:33 28704]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-10-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-30 19:13]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1920139289-2278258733-2505583037-1007Core.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-30 09:54]
.
2011-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1920139289-2278258733-2505583037-1007UA.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-30 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\f6mcp1kf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-24 23:36
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2296)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2011-10-24 23:44:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-24 22:44
ComboFix2.txt 2011-10-24 19:25
.
Pre-Run: 3,399,835,648 bytes free
Post-Run: 3,382,235,136 bytes free
.
- - End Of File - - CC217610A1BAC2223D9006280845665B

lsmith

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2011-10-17
Operating System : WindowsXP

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by Belahzur on Tue 25 Oct 2011, 10:03 am

Hello.
Please download SafeBootKeyRepair from here

Double click it to run it, allow it to run and once it's finished, it will open a log file, please copy/paste that back here.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by lsmith on Tue 25 Oct 2011, 10:23 am

I've done that...


Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

========================


SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\Base
~~\SafeBoot\Minimal\Boot Bus Extender
~~\SafeBoot\Minimal\Boot file system
~~\SafeBoot\Minimal\dmboot.sys
~~\SafeBoot\Minimal\dmio.syas
~~\SafeBoot\Minimal\dmload.sys
~~\SafeBoot\Minimal\dmserver
~~\SafeBoot\Minimal\File system
~~\SafeBoot\Minimal\Filter
~~\SafeBoot\Minimal\PCI Configuration
~~\SafeBoot\Minimal\Primary disk
~~\SafeBoot\Minimal\RpcSs
~~\SafeBoot\Minimal\SCSI Class
~~\SafeBoot\Minimal\sermouse.sys
~~\SafeBoot\Minimal\System Bus Extender
~~\SafeBoot\Minimal\vga.sys
~~\SafeBoot\Minimal\vgasave.sys
~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

========================

Error: Key: system\currentcontrolset\control\safeboot\minimal does not exist!

lsmith

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2011-10-17
Operating System : WindowsXP

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by Belahzur on Tue 25 Oct 2011, 10:42 am

Hello.
Next, please download this version of safebootkeyrepair:
[You must be registered and logged in to see this link.]

Run it and post log.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by lsmith on Tue 25 Oct 2011, 11:41 am

Hi,

I've done that. Still seems a bit stuck. I'm beginning to lose hope!

Considering formatting the hard drive and reinstalling XP.

Can you give me any hope that this malware removal process is going to be successful?

Many. many thanks,

Here is the log file....

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

========================


SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\Base
~~\SafeBoot\Minimal\Boot Bus Extender
~~\SafeBoot\Minimal\Boot file system
~~\SafeBoot\Minimal\dmboot.sys
~~\SafeBoot\Minimal\dmio.sys
~~\SafeBoot\Minimal\dmload.sys
~~\SafeBoot\Minimal\dmserver
~~\SafeBoot\Minimal\File system
~~\SafeBoot\Minimal\Filter
~~\SafeBoot\Minimal\PCI Configuration
~~\SafeBoot\Minimal\Primary disk
~~\SafeBoot\Minimal\RpcSs
~~\SafeBoot\Minimal\SCSI Class
~~\SafeBoot\Minimal\sermouse.sys
~~\SafeBoot\Minimal\System Bus Extender
~~\SafeBoot\Minimal\vga.sys
~~\SafeBoot\Minimal\vgasave.sys
~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

========================

Error: Key: system\currentcontrolset\control\safeboot\minimal does not exist!

lsmith

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2011-10-17
Operating System : WindowsXP

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by Belahzur on Mon 31 Oct 2011, 12:34 pm

Hello.
Hmm, not sure what's going on here, looking into it now. For now though, please run this next script.

A format may be needed, this infection looks quite suspicious, not 100% sure what it is but I know what it does look like, but I'm trying my best to reverse the damage it's caused.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    C:\nwkwfmrb.exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NwkWfmrb"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,"
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Virus Zbot.G and trojan horse Cryptic.BGF

Post by Sponsored content Today at 8:01 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum