

Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hi,
I've been trying for a couple of days to sort this out before I found this forum. Prior to finding this forum and running OTL, I have tried:

- Running RKill to stop the main program pop-up... that didn't work.

- Ran MBAM in normal mode, which found some infected files and removed them. This was early days with the problem, so I thought it had worked... booted back up and, lo and behold, it was still there.

- Loaded up in normal mode, opened Task Manager straight away, noted down the random string of numbers which was the program running, and stopped it running. Found the folder containing the program, deleted it and emptied the Recycle Bin.

- Booted up in Safe Mode and ran ComboFix... which found loads of infected files and did its thing, which I believe was to delete the infected files and restore them.

- After ComboFix, booted up in normal mode... the main program doesn't load up anymore; however, I still can't run any programs or do a System Restore to a point prior to having the infection.


So, now I've found this forum, downloaded and run OTL off a USB key on the infected computer, and here are the log file and the Extras file...

LOG:

OTL logfile created on: 15/09/2010 05:03:44 - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = F:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 794.00 Mb Available Physical Memory | 78.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 1.76 Gb Free Space | 4.40% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 0.79 Gb Free Space | 2.29% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 14.92 Gb Total Space | 1.05 Gb Free Space | 7.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARTLIN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- F:\OTL.com
PRC - [2009/03/25 17:25:20 | 000,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/03/25 17:25:20 | 000,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/03/19 11:42:02 | 000,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- F:\OTL.com
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\pleasework329596p\PEV.cfx -- (PEVSystemStart)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/04/01 14:21:30 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/03/25 17:25:20 | 000,797,864 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/03/25 11:05:48 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/03/24 00:03:18 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/03/19 11:42:02 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/01/09 13:05:26 | 000,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/01/09 11:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/01/09 09:22:10 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/01/09 08:06:52 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2008/07/23 18:52:06 | 000,206,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/01/05 03:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\epfwtdir.sys -- (epfwtdir)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\easdrv.sys -- (easdrv)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\eamon.sys -- (eamon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/05/23 00:08:32 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
DRV - [2009/03/25 11:06:30 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/03/25 11:06:28 | 000,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/03/25 11:06:28 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/03/25 11:06:28 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/03/25 11:05:54 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/02/17 18:11:30 | 000,024,232 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2008/10/23 13:08:54 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/08/12 10:30:54 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/07/16 11:52:00 | 004,747,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/14 07:12:06 | 000,025,088 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/04/14 13:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/12 03:37:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/07/27 04:00:38 | 000,011,264 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2007/05/03 12:00:58 | 000,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/10/10 23:24:00 | 001,181,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/03/03 01:28:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0FED6A9D-2712-4322-8209-E040FCB5E084}: C:\Documents and Settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084}
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/12 16:25:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/10 06:03:36 | 000,000,000 | ---D | M]

[2010/09/12 02:29:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/11/10 19:21:00 | 001,499,136 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2009/08/22 05:00:30 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/22 05:00:30 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/22 05:00:30 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/22 05:00:30 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/09/14 09:15:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (IEButton Class) - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Save Flash) - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll (TODO: )
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe ()
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [ocernwasxm.tmp] C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp File not found
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe File not found
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKLM..\Run: [Wmimefameteq] C:\WINDOWS\onuyohuy.DLL File not found
O4 - HKLM..\Run: [wupdate] C:\WINDOWS\System32\wupdate.exe File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\lspnuj.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/05 02:52:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Alcmtr - hkey= - key= - C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: AlcWzrd - hkey= - key= - C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
MsConfig - StartUpReg: SoundMan - hkey= - key= - C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - C:\pleasework329596p\PEV.cfx File not found
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: MpfService - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - C:\pleasework329596p\PEV.cfx File not found
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/09/14 09:08:41 | 000,000,000 | ---D | C] -- C:\pleasework329596p
[2010/09/14 08:37:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 08:36:25 | 000,000,000 | ---D | C] -- C:\pleasework3
[2010/09/14 08:35:59 | 004,614,888 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2010/09/14 08:25:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 08:25:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 08:25:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 08:25:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 08:25:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 08:25:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 07:34:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/09/14 07:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/14 07:33:41 | 006,084,416 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Administrator\Desktop\HitmanPro35.exe
[2010/09/14 05:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 03:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/09/14 03:02:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/14 03:02:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/14 03:02:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/14 03:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/14 03:01:46 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/09/14 03:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/09/14 03:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2010/09/14 03:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2010/09/14 03:00:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Desktop\StarOffice 8
[2010/09/14 03:00:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/09/14 03:00:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Cookies
[2010/09/14 03:00:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/09/14 03:00:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2010/09/14 03:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2010/09/14 03:00:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/09/14 03:00:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2010/09/14 03:00:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/09/14 03:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/09/14 02:56:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/09/13 01:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/09/11 12:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\Convar
[2008/07/05 03:55:03 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\U1 Setup.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/15 05:06:30 | 000,841,216 | ---- | M] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/09/15 04:30:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/15 04:29:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/15 04:29:16 | 000,020,589 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/09/15 04:29:16 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2010/09/15 04:25:16 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/15 04:12:57 | 000,002,838 | ---- | M] () -- C:\WINDOWS\uyevuladiwoxewof.dll
[2010/09/15 04:10:46 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/14 15:35:26 | 004,614,888 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2010/09/14 14:49:56 | 003,844,155 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\pleasework3.exe
[2010/09/14 14:26:38 | 006,084,416 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Administrator\Desktop\HitmanPro35.exe
[2010/09/14 09:19:31 | 004,959,888 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/09/14 09:15:54 | 000,000,284 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/14 09:15:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/14 08:37:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/14 08:12:43 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/14 08:12:43 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/09/14 04:47:48 | 000,002,838 | ---- | M] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/14 03:59:51 | 000,000,370 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\fix.inf
[2010/09/14 03:45:05 | 000,000,354 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\fix.reg
[2010/09/14 03:02:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/14 03:01:40 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/09/14 02:48:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 11:27:42 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/09/13 11:26:24 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/09/08 12:50:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/15 04:29:16 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2010/09/15 04:12:57 | 000,002,838 | ---- | C] () -- C:\WINDOWS\uyevuladiwoxewof.dll
[2010/09/14 08:37:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/14 08:37:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 08:34:25 | 003,844,155 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\pleasework3.exe
[2010/09/14 08:25:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 08:25:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 08:25:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 08:25:41 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 08:25:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 03:59:51 | 000,000,370 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\fix.inf
[2010/09/14 03:53:58 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/09/14 03:45:05 | 000,000,354 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\fix.reg
[2010/09/14 03:02:20 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/14 03:00:48 | 000,001,845 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Live Mail.lnk
[2010/09/14 03:00:48 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/14 03:00:48 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2010/09/14 03:00:47 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/09/14 03:00:42 | 000,303,104 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2010/09/14 03:00:42 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/09/14 03:00:41 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/13 01:43:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 01:43:48 | 000,002,838 | ---- | C] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/13 01:42:14 | 000,841,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2009/05/15 13:17:11 | 000,749,568 | ---- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2009/05/15 13:17:09 | 011,194,368 | ---- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2009/02/17 18:11:30 | 000,024,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\ElbyCDIO.sys
[2009/01/04 22:25:29 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/07/05 04:34:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/05 03:37:44 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/05 03:37:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/05 03:37:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/05 03:37:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/05 02:59:40 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2008/07/03 05:32:06 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/07/03 05:31:59 | 000,078,336 | ---- | C] () -- C:\WINDOWS\wimgxft.dll
[2008/03/17 23:54:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/09/15 05:07:30 | 000,841,216 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\lggtctm.sys

< %systemroot%\System32\config\*.sav >
[2008/07/04 19:43:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/07/04 19:43:57 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/07/04 19:43:57 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2008/04/14 13:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2008/04/14 13:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2008/04/14 13:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2008/04/14 13:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2008/04/14 13:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2008/04/14 13:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2008/04/14 13:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2008/04/14 13:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2008/04/14 13:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2008/04/14 13:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2008/04/14 13:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2008/04/14 13:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2008/04/14 13:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2008/04/14 13:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2008/04/14 13:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/14 13:00:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/04/17 13:26:40 | 001,847,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2008/07/05 03:02:43 | 000,000,157 | ---- | M] () -- C:\AsusUpdate.log
[2008/07/05 02:52:33 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/12/26 03:00:19 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/09/14 08:37:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/09/14 09:17:53 | 000,010,888 | ---- | M] () -- C:\ComboFix.txt
[2008/07/05 02:52:33 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/07/05 02:52:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/07/05 02:52:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 13:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/15 04:30:09 | 1595,932,672 | -HS- | M] () -- C:\pagefile.sys
[2008/07/05 02:59:24 | 000,000,522 | ---- | M] () -- C:\RHDSetup.log
[2010/09/14 03:55:32 | 000,000,408 | ---- | M] () -- C:\rkill.log

< %PROGRAMFILES%\*. >
[2010/03/05 04:45:02 | 000,000,000 | ---D | M] -- C:\Program Files\7-Zip
[2010/08/02 08:30:14 | 000,000,000 | ---D | M] -- C:\Program Files\Ableton
[2009/11/10 16:09:05 | 000,000,000 | ---D | M] -- C:\Program Files\Acoustic Labs Multitrack Recorder (Demo)
[2010/04/08 04:51:09 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2008/12/25 17:00:22 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/05/02 05:59:13 | 000,000,000 | ---D | M] -- C:\Program Files\Aptana
[2008/07/05 03:02:51 | 000,000,000 | ---D | M] -- C:\Program Files\Asus
[2010/07/10 05:55:44 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/05/15 13:13:07 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2010/09/14 09:13:14 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/07/05 02:49:56 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/09/11 12:14:59 | 000,000,000 | ---D | M] -- C:\Program Files\Convar
[2008/12/25 12:28:41 | 000,000,000 | ---D | M] -- C:\Program Files\ECAP
[2008/12/25 12:30:24 | 000,000,000 | ---D | M] -- C:\Program Files\Eee Storage
[2008/07/05 03:00:28 | 000,000,000 | ---D | M] -- C:\Program Files\EeePC
[2009/07/27 14:46:05 | 000,000,000 | ---D | M] -- C:\Program Files\Elaborate Bytes
[2008/12/25 12:28:11 | 000,000,000 | ---D | M] -- C:\Program Files\Elantech
[2008/12/25 12:29:52 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2010/01/11 11:10:37 | 000,000,000 | ---D | M] -- C:\Program Files\Flash Movie Player
[2009/12/27 05:33:41 | 000,000,000 | ---D | M] -- C:\Program Files\FLV Player
[2010/08/02 05:46:48 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/05/15 13:16:53 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2010/09/14 07:34:09 | 000,000,000 | ---D | M] -- C:\Program Files\Hitman Pro 3.5
[2009/10/17 01:36:48 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/07/05 02:59:32 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2009/11/08 05:53:07 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2008/07/05 03:37:38 | 000,000,000 | ---D | M] -- C:\Program Files\InterVideo
[2010/07/10 06:07:01 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/07/10 06:09:04 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/02/08 10:19:46 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/09/26 04:59:22 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2009/11/29 10:24:01 | 000,000,000 | ---D | M] -- C:\Program Files\Kreatives.org
[2009/04/22 21:14:33 | 000,000,000 | ---D | M] -- C:\Program Files\LizardTech
[2010/09/15 04:36:23 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/15 09:19:26 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee
[2009/04/12 22:27:32 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee.com
[2010/08/02 01:18:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mediafour
[2009/11/10 10:03:33 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/08 05:44:29 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2008/07/05 02:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2008/07/05 03:10:00 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/11/10 10:39:59 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2008/07/05 03:07:56 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009/11/08 05:50:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Sync Framework
[2009/11/10 10:00:46 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2008/07/05 02:50:26 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/09/13 02:00:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2008/07/05 02:49:00 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/07/25 15:37:40 | 000,000,000 | ---D | M] -- C:\Program Files\Music Rescue
[2008/07/05 02:50:31 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/07/05 02:50:45 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/09/26 04:59:19 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2009/11/09 08:56:03 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/03/07 16:55:05 | 000,000,000 | ---D | M] -- C:\Program Files\Project64 1.6
[2010/07/10 06:03:34 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/07/27 15:12:35 | 000,000,000 | ---D | M] -- C:\Program Files\RarZilla Free Unrar
[2009/03/06 22:46:10 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2008/12/25 12:26:03 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2010/01/11 11:02:07 | 000,000,000 | ---D | M] -- C:\Program Files\Save Flash
[2009/11/14 06:43:58 | 000,000,000 | ---D | M] -- C:\Program Files\ScummVM
[2009/04/12 22:33:17 | 000,000,000 | ---D | M] -- C:\Program Files\SiteAdvisor
[2008/07/05 03:55:00 | 000,000,000 | ---D | M] -- C:\Program Files\Skype
[2009/07/19 18:26:48 | 000,000,000 | ---D | M] -- C:\Program Files\Spotify
[2010/07/30 13:54:30 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2008/07/05 03:39:55 | 000,000,000 | ---D | M] -- C:\Program Files\Sun
[2010/09/13 01:11:10 | 000,000,000 | ---D | M] -- C:\Program Files\Telstra Turbo Connection Manager
[2009/07/27 15:26:53 | 000,000,000 | ---D | M] -- C:\Program Files\The Rosetta Stone
[2010/01/30 04:41:19 | 000,000,000 | ---D | M] -- C:\Program Files\UnH Solutions
[2008/07/05 02:55:55 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/07/27 15:09:59 | 000,000,000 | ---D | M] -- C:\Program Files\UnRar for Windows
[2008/12/25 14:07:09 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2009/11/08 05:58:34 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/11/08 05:43:52 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2008/07/05 02:52:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/07/05 02:48:58 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/07/05 02:50:49 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010/07/25 15:35:44 | 000,000,000 | ---D | M] -- C:\Program Files\WindSolutions
[2010/02/01 11:14:58 | 000,000,000 | ---D | M] -- C:\Program Files\WinHTTrack
[2008/07/05 02:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/11/14 10:55:20 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< %appdata%\*.* >
[2008/07/04 19:44:51 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:atapi.sys
[2008/04/14 13:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 13:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:disk.sys
[2008/04/14 13:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:usbstor.sys
[2008/04/14 13:00:00 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-11-10 09:04:18

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

So that's the log file and it looks like the Extras file will have to be posted separately....

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

OK, so here's the text from the Extras file it created:

OTL Extras logfile created on: 15/09/2010 05:03:44 - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = F:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 794.00 Mb Available Physical Memory | 78.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 1.76 Gb Free Space | 4.40% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 0.79 Gb Free Space | 2.29% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 14.92 Gb Total Space | 1.05 Gb Free Space | 7.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARTLIN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.js [@ = JSFile] -- C:\Program Files\Aptana\Aptana Studio 2.0\AptanaStudio.exe ()

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
jsfile [open] -- "C:\Program Files\Aptana\Aptana Studio 2.0\AptanaStudio.exe" "%1" ()
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0990B5DF-92C3-4AD6-A18D-BF3ADF311240}" = Super Hybrid Engine
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 17
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3364BD16-5A28-4862-86A1-A8FF5FD23919}" = Music Rescue
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C52CED3-D45C-4DA9-932F-B91BD44BB461}" = Adabas D 13.01.00
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E4DAE31-7CF3-441A-B6E5-B014D63C80CD}" = Eee Instant Key
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{85E3CFBC-9B1B-470C-AF72-54EACA0F1322}" = ECAP
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Telstra Turbo Connection Manager
"{9510AB97-A36C-4352-8725-E72E5528FA1B}" = StarOffice 8 ASUS Edition
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9811A185-3D3D-11D6-9E14-00036D172B00}" = Adobe MPEG Encoder
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DEB6ACEB-C418-4880-9133-1C5EB9AFBC79}" = Eee Storage
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"7-Zip" = 7-Zip 4.65
"Ableton Live_is1" = Ableton Live v6.0.3
"Acoustic Labs Multitrack Recorder (Demo)" = Acoustic Labs Multitrack Recorder (Demo)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Premiere 6.5" = Adobe Premiere 6.5
"Aptana Studio 2.0" = Aptana Studio 2.0
"CopyTrans Suite" = CopyTrans Suite Remove Only
"Elantech" = ETDWare PS/2-x86 7.0.3.7 WHQL
"Flash Movie Player" = Flash Movie Player 1.5
"Flash Saving Plugin" = Flash Saving Plugin
"FLV Player" = FLV Player 2.0 (build 25)
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"KRISTAL Audio Engine" = KRISTAL Audio Engine
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSC" = McAfee SecurityCenter
"RarZilla Free Unrar 2.53" = RarZilla Free Unrar 2.53
"RNCompiler 6.0" = Advanced RealMedia Export Plug-in for Premiere 6.0
"Save Flash" = Save Flash 4.1
"ScummVM_is1" = ScummVM 1.0.0rc1
"Spotify" = Spotify
"The Rosetta Stone" = The Rosetta Stone
"uneavset" = ESET NOD32 register program
"UnRAR for Windows" = UnRAR for Windows
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 0.9.8a
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-9
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14/09/2010 23:32:19 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 14/09/2010 23:32:19 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:32:20 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:32:20 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:34:47 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 14/09/2010 23:45:34 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 14/09/2010 23:45:34 | Computer Name = MARTLIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

[ System Events ]
Error - 14/09/2010 23:23:43 | Computer Name = MARTLIN | Source = DCOM | ID = 10010
Description = The server {B1DBD568-80B2-43FA-AE07-76FB23AA4650} did not register
with DCOM within the required timeout.

Error - 14/09/2010 23:32:03 | Computer Name = MARTLIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
easdrv ElbyCDIO epfwtdir Fips intelppm mfehidk

Error - 14/09/2010 23:32:38 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14/09/2010 23:32:44 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 14/09/2010 23:32:48 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 14/09/2010 23:34:04 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 14/09/2010 23:54:04 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 14/09/2010 23:54:41 | Computer Name = MARTLIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 15/09/2010 00:03:59 | Computer Name = MARTLIN | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 15/09/2010 00:03:59 | Computer Name = MARTLIN | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >


Hopefully someone can help me get rid of the last few security warnings that come up, and also help me getting it back to normal.

A couple of last things I remember....now when I boot up the computer in normal mode it also comes up with a dialog box headed RUNDLL saying...

"Error Loading C:\Windows\onuyohuy.dll The Specified Module Can't Be Found"

I also tried running the Spyware Doctor, but I couldn't run that as I couldn't get the infected computer online, which was also the same problem I had when trying to run HitmanPro.

The infected computer is an EEEPC with no CD drive and it came with Windows installed on it already. I am currently travelling in the North West of Australia so getting to find someone who can fix this is pretty slim, however I am somewhere with an internet cafe for the next few days so I am hoping to be able to fix it all before I leave!


I really hope someone can help. Thanks in advance, you'll be a lifesaver!

Regards,
Martin

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionSecurity Tool 2010 - Infected on Windows XP Home Edition SP3 EmptyRe: Security Tool 2010 - Infected on Windows XP Home Edition SP3

more_horiz
Hi, thanks so much for replying so quickly.

I downloaded direct from your link, and tried installing MBAM in normal mode, which went fine until I clicked 'OK' after checking the update and launch boxes as you said. The installation then failed and a dialog box from Windows Security Alert appeared saying that MBAM.exe was infected and could not be opened. (We get this same dialog box for any program - notepad, control panel etc).

I then tried the process again, this time installing MBAM onto the USB key, and the same thing happened.

So I restarted the computer to try again in safe mode. I have no access to a LAN cable to allow the update during installation, however I proceeded with the installation. It installed and I ran the scan, and below is the log it created:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

16/09/2010 06:23:11
mbam-log-2010-09-16 (06-23-11).txt

Scan type: Quick scan
Objects scanned: 119494
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





As you can see, it found no infected/malicious/suspicious items. However there is obviously still something dodgy going on, as we can't run any programs.

When we were first dealing with this problem, we ran MBAM in safe mode and it found some infected/malicious files and cleared them up. Below is the log from that scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

14/09/2010 03:11:59
mbam-log-2010-09-14 (03-11-59).txt

Scan type: Quick scan
Objects scanned: 123943
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7514f068-ed81-41a6-9c42-c5bcf9dfd13e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7514f068-ed81-41a6-9c42-c5bcf9dfd13e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Web\.COMMgr\complmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\sroxmnecaw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.



After quarantining/deleting these files, we're still having problems, hence our other efforts with Combofix, OTL etc etc...

The current status of the laptop is:
- it doesn't allow us to open programs,
- Windows Security Alert pops up every time I try to open anything, and tells me it's infected.
- when I boot up the computer in normal mode it also comes up with a dialog box headed RUNDLL saying "Error Loading C:\Windows\onuyohuy.dll The Specified Module Can't Be Found"
- another Windows Security Alert graphical window opens saying something like "the computer is infected, would you like to protect now or stay unprotected?"

Feels like I'm getting closer to the solution, but there's a massive brick wall in the way! If you can shed any more light, I'd appreciate it so much.
I really need this to be fixed before I move on, and I really need to move on soon!
Thanks again, hope you can help further
Martin
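
The MBAM logs above follow a fixed text layout: summary counts, then one section per category, each item written as `path (Detection) -> action`, sometimes with a `Data:` or `Bad:/Good:` part in between. The parser below is an added example, not MBAM's code or part of Martin's post: it pulls the findings out of that layout and runs the checks a responder would want on a pasted log (is it complete, which DNS servers the DNSChanger entry had written, which Run-key value provided persistence). The sample log is constructed from the 14/09/2010 scan quoted above, header abridged.

```python
# Parser for the Malwarebytes' Anti-Malware 1.4x text-log layout quoted in this
# thread: summary counts, then one section per category, each item written as
# "<path> (<Detection>) -> [<detail> -> ]<action>". Added example, not MBAM code.
import re
from collections import namedtuple
from typing import Dict, List

SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
TIME_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
# detail holds the optional middle part: "Data: ..." or "Bad: (1) Good: (0)"
Finding = namedtuple("Finding", "section item detection action detail")

def parse_mbam_log(text: str) -> dict:
    """Return {"scan_time", "summary": {section: count}, "findings": [Finding]}."""
    summary, findings, scan_time, section = {}, [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = re.match(r"^(.+ Infected): (\d+)$", line)
        if m and m.group(1) in SECTIONS:                  # summary block
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]                           # start of a category section
        elif section is None:                             # header lines
            scan_time = line if TIME_RE.match(line) else scan_time
        elif line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:                                         # unknown lines are skipped, not fatal
                parts = m.group("rest").split(" -> ")
                findings.append(Finding(section, m.group("item"), m.group("detection"),
                                        parts[-1], " -> ".join(parts[:-1]) or None))
    return {"scan_time": scan_time, "summary": summary, "findings": findings}

def summary_mismatches(report: dict) -> Dict[str, tuple]:
    """Sections whose summary count disagrees with the items listed (a truncated paste)."""
    counted = {s: 0 for s in SECTIONS}
    for f in report["findings"]:
        counted[f.section] += 1
    return {s: (report["summary"].get(s, 0), counted[s])
            for s in SECTIONS if report["summary"].get(s, 0) != counted[s]}

def rogue_dns_servers(report: dict) -> List[str]:
    """DNS servers a DNSChanger-class detection had written into the TCP/IP settings."""
    seen: List[str] = []
    for f in report["findings"]:
        if "DNSChanger" in f.detection and f.detail and f.detail.startswith("Data: "):
            for ip in (p.strip() for p in f.detail[6:].split(",")):
                if ip and ip not in seen:
                    seen.append(ip)
    return seen

def run_key_persistence(report: dict) -> List[str]:
    """Run-key values the scanner removed: the autostart that relaunched the rogue."""
    return [f.item for f in report["findings"] if f.section == "Registry Values Infected"
            and "\\CurrentVersion\\Run\\" in f.item]

# Constructed sample: the 14/09/2010 log from this thread, header abridged.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4052

14/09/2010 03:11:59
mbam-log-2010-09-14 (03-11-59).txt

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7514f068-ed81-41a6-9c42-c5bcf9dfd13e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7514f068-ed81-41a6-9c42-c5bcf9dfd13e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.127,93.188.161.217 -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Web\.COMMgr\complmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\sroxmnecaw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(len(rep["findings"]), summary_mismatches(rep), rogue_dns_servers(rep),
          run_key_persistence(rep))
```

A summary count that is higher than the number of lines under its heading is the usual sign that a log was pasted incompletely, which is worth knowing before deciding that a scanner "found nothing".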

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hi, thanks again for replying so quickly, I really hope you'll be able to reply just as quickly today as I am needing to leave my current location tomorrow.

I had to run the above in safe mode, as normal mode would start to open the Combo-fix.exe and then close it, and bring up a dialog box saying that it was infected and did I want to open my virus software.

I did exactly what you said, and after (approximately) the 5th completed task in the scan, a windows error message appeared for PEV.exe. I didn't click on Send or Don't Send, but after a while the box just disappeared from the screen. Combofix was still scanning throughout all this.

Combofix scan completed and the log popped up...here it is

ComboFix 10-09-16.04 - Administrator 17/09/2010 3:45.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.712 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\awatahixowetohe.dll
c:\windows\igubovid.dll
c:\windows\uhupavidifex.dll
c:\windows\uyevuladiwoxewof.dll

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 02:20 . 2010-09-17 02:20 -------- d-----w- c:\windows\LastGood
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-14 04:14 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2010-09-14 04:13 . 2010-09-14 06:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:56 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-13 00:43 . 2010-09-14 01:48 0 ----a-w- c:\windows\Qtuweqetalaj.bin
2010-09-13 00:43 . 2010-09-14 03:47 2838 ----a-w- c:\windows\Ojefuyag.dat
2010-09-13 00:42 . 2010-09-17 02:51 841216 ----a-w- c:\windows\system32\drivers\lggtctm.sys
2010-09-11 11:14 . 2010-09-11 11:14 -------- d-----w- c:\program files\Convar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 02:21 . 2010-09-14 02:00 60464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-14 02:01 . 2010-09-14 02:00 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-09-13 00:11 . 2009-10-17 00:36 -------- d-----w- c:\program files\Telstra Turbo Connection Manager
2010-08-23 01:36 . 2009-04-12 21:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-08-04 00:11 . 2010-07-21 11:28 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-02 07:30 . 2010-08-02 07:30 -------- d-----w- c:\program files\Ableton
2010-08-02 04:46 . 2009-02-18 21:42 -------- d-----w- c:\program files\Google
2010-08-02 00:18 . 2010-07-10 10:47 -------- d-----w- c:\program files\Mediafour
2010-07-25 14:40 . 2010-07-25 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-07-25 14:37 . 2010-07-25 14:37 -------- d-----w- c:\program files\Music Rescue
2010-07-25 14:35 . 2010-07-25 14:35 -------- d-----w- c:\program files\WindSolutions
2010-07-10 04:53 . 2010-07-10 04:53 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2008-05-07 08:34 . 2008-07-05 02:55 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 858A92ABBFA4395FDEAE9CE8404D0DF5 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . ED8230261CDBB41414A152098A5E1293 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"ocernwasxm.tmp"="c:\docume~1\Web\LOCALS~1\Temp\ocernwasxm.tmp" [BU]
"wupdate"="c:\windows\system32\wupdate.exe" [BU]
"utlegodg"="c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe" [BU]
"aopgomts"="c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe" [BU]
"Wmimefameteq"="c:\windows\onuyohuy.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2008-7-3 389120]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-3 113664]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-7-5 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 10:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=

S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S2 0028831284690044mcinstcleanup;McAfee Application Installer Cleanup (0028831284690044);c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9921256115394;Google Update Service (gupdate1c9921256115394);c:\program files\Google\Update\GoogleUpdate.exe [18/02/2009 22:46 133104]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/10/2009 01:37 7680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0028831284690044MCINSTCLEANUP
*Deregistered* - lggtctm
.
Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-17 03:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lggtctm]

.
Completion time: 2010-09-17 03:53:39
ComboFix-quarantined-files.txt 2010-09-17 02:53
ComboFix2.txt 2010-09-14 08:17
ComboFix3.txt 2010-09-14 07:46

Pre-Run: 2,053,500,928 bytes free
Post-Run: 2,046,287,872 bytes free

- - End Of File - - 5D6B2A4CD5AF1018F2C28BFA724C580B



A message indicating that I couldn't run a System Restore in safe mode then popped up. After completing Combofix, I was unable to shutdown the laptop via the Start Menu.

Looking forward to your response, thanks again
Martin

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Out of interest, what time zone are you in? Just wondering so that maybe I can get to a late-night internet cafe to get your posts and action them sooner!

Thanks again
Martin

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hello.
I'm in GMT, currently on GMT +1 time because of BST/DST.

Do you have your XP disc?

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hey there once again,

As mentioned in the first couple of posts......The infected computer is an EEEPC with no CD/DVD drive that came with Windows XP already installed on it.

I'm gathering that that doesn't help.

Any clues from the logs what's wrong with it still, or how to fix it?

Had some car trouble yesterday so won't be leaving here until Tuesday now...waiting for a part to be delivered....so I have a little longer to try and sort this laptop out!

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hello.
Yeah, I can see the problem, but the problem is legit system files are infected by this malware.

There may be backup copies on your machine, but if not, we usually resort to getting a backup of the disc, guess we can't do that though.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    /md5start
    explorer.exe
    winlogon.exe
    /md5stop


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the pink Quick Scan button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
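
What the /md5start block asks OTL to do is list every copy of explorer.exe and winlogon.exe on the drive with its MD5, so that a clean copy (typically in dllcache or ServicePackFiles) can be told apart from the patched live file. The script below is an added example, not OTL's own code: it performs that comparison on a directory tree constructed in a temporary folder, and also handles the case the helper is worried about, where no two copies agree and nothing on the machine can be trusted as a reference.

```python
# Hash every copy of a named system file under a root and group the copies by
# MD5, the same check the OTL /md5start block above performs. Added example,
# not OTL's code; the directory tree is constructed in a temp folder so it
# runs anywhere.
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest().upper()      # OTL and ComboFix print digests in upper case


def find_copies(root: str, names: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """{lower-case name: [(path, md5), ...]} for every file under root with that name."""
    wanted = {n.lower() for n in names}
    found: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, md5_of(p)))
    return dict(found)


def assess(copies: List[Tuple[str, str]]) -> Tuple[Optional[str], List[str]]:
    """(consensus md5, paths whose md5 differs from it).

    The live copy patched by the infection is the one whose hash no backup
    (dllcache, ServicePackFiles) shares. If no two copies agree there is no
    consensus to trust and the result is (None, []): a clean file then has to
    come from install media or a hash from a trusted reference, not this check."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for path, digest in copies:
        by_hash[digest].append(path)
    digest, paths = max(by_hash.items(), key=lambda kv: len(kv[1]))
    if len(paths) < 2:
        return None, []
    return digest, [p for d, ps in by_hash.items() if d != digest for p in ps]


def triage(root: str, names: List[str]) -> Dict[str, Tuple[Optional[str], List[str]]]:
    return {name: assess(copies) for name, copies in find_copies(root, names).items()}


def build_demo_tree() -> str:
    """Constructed stand-in for the system drive: a patched live explorer.exe with
    two clean backups, and a winlogon.exe whose only backup also differs."""
    root = tempfile.mkdtemp(prefix="md5demo_")
    clean = b"MZ" + bytes(600) + b"explorer-clean"
    patched = clean[:-5] + b"patch"   # same size, different bytes: what a binary patch looks like
    layout = {
        ("windows", "explorer.exe"): patched,
        ("windows", "system32", "dllcache", "explorer.exe"): clean,
        ("windows", "ServicePackFiles", "i386", "explorer.exe"): clean,
        ("windows", "system32", "winlogon.exe"): b"MZ winlogon live",
        ("windows", "system32", "dllcache", "winlogon.exe"): b"MZ winlogon cache",
    }
    for parts, data in layout.items():
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for name, (consensus, suspects) in triage(build_demo_tree(),
                                              ["explorer.exe", "winlogon.exe"]).items():
        print(name, "consensus:", consensus, "suspect copies:", suspects)
```

Size alone does not separate the copies here: the patched file is the same length as the clean ones, which is why the hash, not the byte count in the log, is what matters.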

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hi,

Managed to use the internet at a hotel today, so I will try your new suggestions later.

I also logged into another user account on the laptop in safe mode and ran MBAM and Combofix...both programs found something....logs below:

MBAM LOG:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

19/09/2010 04:55:34
mbam-log-2010-09-19 (04-55-34).txt

Scan type: Quick scan
Objects scanned: 126672
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Web\Local Settings\Temp\hjkr1p.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\jkr2hs7fqw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\kqt4n6dlkw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\tpcuqc.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\u3dwyosn.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\zmo0cie0.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.


COMBOFIX LOG:
ComboFix 10-09-16.04 - Web 19/09/2010 5:00.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.807 [GMT 1:00]
Running from: c:\documents and settings\Web\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Web\.COMMgr
c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
c:\windows\atidalosa.dll
c:\windows\eputibof.dll
c:\windows\ulibiyovoxanetix.dll
c:\windows\wimgxft.dll

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-17 12:02 . 2010-09-17 12:02 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2010-09-17 11:51 . 2010-09-17 11:51 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Google
2010-09-17 11:44 . 2010-09-17 12:12 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2010-09-17 02:44 . 2010-09-17 02:53 -------- d-----w- C:\Combo-Fix
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-09-14 06:34 . 2010-09-14 06:34 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-14 04:14 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2010-09-14 04:13 . 2010-09-14 06:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-14 02:02 . 2010-09-14 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:56 . 2010-09-14 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-13 00:43 . 2010-09-14 01:48 0 ----a-w- c:\windows\Qtuweqetalaj.bin
2010-09-13 00:43 . 2010-09-14 03:47 2838 ----a-w- c:\windows\Ojefuyag.dat
2010-09-13 00:42 . 2010-09-19 04:08 841216 ----a-w- c:\windows\system32\drivers\lggtctm.sys
2010-09-11 11:14 . 2010-09-11 11:14 -------- d-----w- c:\program files\Convar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 12:12 . 2009-02-07 11:28 60464 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-17 02:21 . 2010-09-14 02:00 60464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-14 02:01 . 2010-09-14 02:00 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-09-13 00:11 . 2009-10-17 00:36 -------- d-----w- c:\program files\Telstra Turbo Connection Manager
2010-08-23 01:36 . 2009-04-12 21:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-08-04 00:11 . 2010-07-21 11:28 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-02 07:30 . 2010-08-02 07:30 -------- d-----w- c:\program files\Ableton
2010-08-02 04:46 . 2009-02-18 21:42 -------- d-----w- c:\program files\Google
2010-08-02 00:18 . 2010-07-10 10:47 -------- d-----w- c:\program files\Mediafour
2010-07-25 14:40 . 2010-07-25 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-07-25 14:37 . 2010-07-25 14:37 -------- d-----w- c:\program files\Music Rescue
2010-07-25 14:35 . 2010-07-25 14:35 -------- d-----w- c:\program files\WindSolutions
2010-07-10 04:53 . 2010-07-10 04:53 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2008-05-07 08:34 . 2008-07-05 02:55 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 858A92ABBFA4395FDEAE9CE8404D0DF5 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . ED8230261CDBB41414A152098A5E1293 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"wupdate"="c:\windows\system32\wupdate.exe" [BU]
"utlegodg"="c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe" [BU]
"aopgomts"="c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe" [BU]
"Wmimefameteq"="c:\windows\onuyohuy.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-3 113664]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-7-5 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 10:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=

S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S2 0028831284690044mcinstcleanup;McAfee Application Installer Cleanup (0028831284690044);c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9921256115394;Google Update Service (gupdate1c9921256115394);c:\program files\Google\Update\GoogleUpdate.exe [18/02/2009 22:46 133104]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/10/2009 01:37 7680]

--- Other Services/Drivers In Memory ---

*Deregistered* - lggtctm
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride =
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
FF - ProfilePath - c:\documents and settings\Web\Application Data\Mozilla\Firefox\Profiles\zirmi4w0.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: XULRunner: {0FED6A9D-2712-4322-8209-E040FCB5E084} - c:\documents and settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKCU-Run-Wcoluj - c:\windows\wimgxft.dll
HKCU-Run-utlegodg - c:\documents and settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe
HKCU-Run-aopgomts - c:\documents and settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe
HKCU-Run-sdsetup_aff - c:\documents and settings\Web\Desktop\sdsetup_aff.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 05:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lggtctm]

.
Completion time: 2010-09-19 05:10:25
ComboFix-quarantined-files.txt 2010-09-19 04:10
ComboFix2.txt 2010-09-17 02:53
ComboFix3.txt 2010-09-14 08:17
ComboFix4.txt 2010-09-14 07:46

Pre-Run: 2,011,340,800 bytes free
Post-Run: 2,358,132,736 bytes free

- - End Of File - - F9D228B21C98CAF298F0247ACB869F59


I'll try the OTL thing later and hopefully get online and post the log tomorrow. Thanks so much for all your help!!

Martin
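
Added example (not part of Martin's post, and not code from MBAM, ComboFix or OTL): an MBAM 1.x text log like the one above has a fixed shape, a summary block of `<section>: <count>` lines followed by per-section detail lines of the form `item (detection) -> action`, so it can be parsed rather than read by eye. The Python below parses that format, checks that the detail lines match the declared counts (a mismatch means the paste was truncated), and pulls out the entries worth re-checking on the next boot: Run-key autostart values, executables dropped under a user's Local Settings\Temp, and anything MBAM did not report as removed. The sample log is a constructed copy of the entries quoted in the post; the section names and the "Quarantined and deleted successfully" action string come from that log, and the regular expressions, function names and triage categories are the example's own assumptions about the format.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its detections.

Added example for this thread, not code from MBAM, ComboFix or OTL.
The sample log is constructed from the entries quoted in the post above.
"""
import re
import sys

# Constructed sample: the detail sections of the MBAM 1.46 log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Scan type: Quick scan
Objects scanned: 126672

Registry Keys Infected: 0
Registry Values Infected: 2
Files Infected: 7

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Web\Local Settings\Temp\hjkr1p.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\jkr2hs7fqw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\kqt4n6dlkw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\tpcuqc.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\u3dwyosn.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Local Settings\Temp\zmo0cie0.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Web\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
"""

# "Files Infected: 7"                  -> summary count line
# "Files Infected:"                    -> start of a detail section
# "<item> (<detection>) -> <action>."  -> one detection line
# (assumed patterns, derived from the log shape above)
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (counts, detections).

    counts:     section name -> total declared in the summary block
    detections: section name -> list of {item, detection, action} dicts
                parsed from the detail block (empty list for clean sections)
    """
    counts, detections, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            detections.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections[section].append(m.groupdict())
    return counts, detections


def check_counts(counts, detections):
    """Sections whose declared count differs from the lines actually listed.

    Returns {section: (declared, listed)}; empty means the log is consistent.
    A mismatch normally means the pasted log was cut short.
    """
    return {s: (counts.get(s), len(items))
            for s, items in detections.items() if counts.get(s) != len(items)}


# Case-insensitive markers for the entries worth re-checking after quarantine.
RUN_KEY = "\\currentversion\\run\\"
USER_TEMP = "\\local settings\\temp\\"
REMOVED = "deleted successfully"


def triage(detections):
    """Group detections by what to verify on the next boot.

    autostart:        Run-key values (persistence; confirm the key stays gone)
    temp_executables: droppers in a user's Temp folder, i.e. what the
                      autostart values were launching
    not_removed:      anything MBAM did not report as deleted, which needs a
                      reboot or a second tool
    """
    out = {"autostart": [], "temp_executables": [], "not_removed": []}
    for items in detections.values():
        for d in items:
            low = d["item"].lower()
            if RUN_KEY in low:
                out["autostart"].append(d["item"])
            if USER_TEMP in low and low.endswith(".exe"):
                out["temp_executables"].append(d["item"])
            if REMOVED not in d["action"].lower():
                out["not_removed"].append(d["item"])
    return out


def summarize(text):
    """One-call wrapper: counts, count mismatches and triage buckets."""
    counts, detections = parse_mbam_log(text)
    return {"counts": counts, "mismatches": check_counts(counts, detections),
            "triage": triage(detections)}


if __name__ == "__main__":
    # Usage: python mbam_triage.py [mbam-log-YYYY-MM-DD.txt]
    # With no argument the constructed sample above is parsed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    result = summarize(log_text)
    for section, n in result["counts"].items():
        print(f"{section}: {n}")
    print("count mismatches:", result["mismatches"] or "none")
    for kind, items in result["triage"].items():
        print(f"{kind} ({len(items)}):")
        for item in items:
            print("   ", item)
```

On the sample log the `autostart` bucket holds the single HKCU Run value and `temp_executables` the six packed droppers; the .LNK and the Explorer\winid trace are reported but not flagged. When the same script is pointed at a log from a second account or a later scan, the `autostart` list is the one to compare against the Run entries ComboFix lists under "Reg Loading Points", since a value that reappears there after quarantine means something is still re-creating it.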

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3
Hey,

Here's the log created by OTL:

OTL logfile created on: 19/09/2010 13:15:29 - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Web\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 809.00 Mb Available Physical Memory | 80.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 2.18 Gb Free Space | 5.46% Space Free | Partition Type: NTFS
Drive D: | 34.49 Gb Total Space | 0.15 Gb Free Space | 0.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 14.92 Gb Total Space | 0.37 Gb Free Space | 2.48% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARTLIN
Current User Name: Web
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/26 06:33:26 | 000,021,185 | R--- | M] () -- F:\malware software n logs.exe


========== Modules (SafeList) ==========

MOD - [2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Combo-Fix20529C\PEV.cfx -- (PEVSystemStart)
SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe -- (McShield)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\002883~1.EXE -- (0028831284690044mcinstcleanup) McAfee Application Installer Cleanup (0028831284690044)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2007/01/05 03:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\epfwtdir.sys -- (epfwtdir)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\DRIVERS\easdrv.sys -- (easdrv)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\eamon.sys -- (eamon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Web\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/05/23 00:08:32 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
DRV - [2009/02/17 18:11:30 | 000,024,232 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2008/08/12 10:30:54 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/07/16 11:52:00 | 004,747,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/14 07:12:06 | 000,025,088 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/04/19 06:05:22 | 000,103,936 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/04/14 13:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/12 03:37:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/07/27 04:00:38 | 000,011,264 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2007/05/03 12:00:58 | 000,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/10/10 23:24:00 | 001,181,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com.au"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {0FED6A9D-2712-4322-8209-E040FCB5E084}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{0FED6A9D-2712-4322-8209-E040FCB5E084}: C:\Documents and Settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084} [2010/09/13 01:43:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/12 16:25:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/10 06:03:36 | 000,000,000 | ---D | M]

[2008/12/25 14:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Mozilla\Extensions
[2010/08/21 12:03:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Mozilla\Firefox\Profiles\zirmi4w0.default\extensions
[2009/05/02 09:10:09 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Web\Application Data\Mozilla\Firefox\Profiles\zirmi4w0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/09/12 02:29:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/11/10 19:21:00 | 001,499,136 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2009/08/22 05:00:30 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/22 05:00:30 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/22 05:00:30 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/22 05:00:30 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/09/19 05:07:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (IEButton Class) - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Save Flash) - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll (TODO: )
O3 - HKCU\..\Toolbar\WebBrowser: (&Save Flash) - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll (TODO: )
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe ()
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [Flashy Bot] C:\WINDOWS\system32\Flashy.exe ()
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [ocernwasxm.tmp] C:\DOCUME~1\Web\LOCALS~1\Temp\ocernwasxm.tmp File not found
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe File not found
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKLM..\Run: [Wmimefameteq] C:\WINDOWS\onuyohuy.DLL File not found
O4 - HKLM..\Run: [wupdate] C:\WINDOWS\System32\wupdate.exe File not found
O4 - HKCU..\Run: [aopgomts] C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi\bpghquduqiw.exe File not found
O4 - HKCU..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe File not found
O4 - HKCU..\Run: [sdsetup_aff] C:\Documents and Settings\Web\Desktop\sdsetup_aff.exe File not found
O4 - HKCU..\Run: [utlegodg] C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg\bsuvbheuqiw.exe File not found
O4 - HKCU..\Run: [Wcoluj] C:\WINDOWS\wimgxft.DLL File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O4 - Startup: C:\Documents and Settings\Web\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O8 - Extra context menu item: Save Flash - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O8 - Extra context menu item: Save YouTube Video - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\lspnuj.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Web\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Web\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/05 02:52:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{bf1dda54-9bba-11df-a5e5-00235411e6aa}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/19 13:14:34 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
[2010/09/19 05:17:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Desktop\sort this crap
[2010/09/19 05:10:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/19 04:59:30 | 000,000,000 | ---D | C] -- C:\Combo-Fix20529C
[2010/09/17 03:44:44 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/09/14 08:37:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 08:25:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 08:25:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 08:25:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 08:25:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 08:25:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 08:25:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 07:34:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/09/14 07:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/14 05:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/14 03:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Application Data\Malwarebytes
[2010/09/14 03:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/14 02:56:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/09/13 01:43:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\{0FED6A9D-2712-4322-8209-E040FCB5E084}
[2010/09/13 01:40:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\edrsqkdmi
[2010/09/13 01:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\bnquqfngg
[2010/09/13 01:39:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/09/13 01:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Application Data\F24339461A107A09551E960FE262B144
[2010/09/11 12:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\Convar
[2010/08/02 08:30:14 | 000,000,000 | ---D | C] -- C:\Program Files\Ableton
[2010/08/02 01:18:07 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/25 15:37:36 | 000,000,000 | ---D | C] -- C:\Program Files\Music Rescue
[2010/07/25 15:37:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Local Settings\Application Data\Downloaded Installations
[2010/07/25 15:35:44 | 000,000,000 | ---D | C] -- C:\Program Files\WindSolutions
[2010/07/25 15:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Application Data\WindSolutions
[2010/07/25 15:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WindSolutions
[2010/07/10 11:47:18 | 000,000,000 | ---D | C] -- C:\Program Files\Mediafour
[2010/07/10 06:07:01 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/07/10 06:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/07/10 06:02:24 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/07/10 05:55:41 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/26 09:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Desktop\Programs
[2010/06/26 09:23:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Web\Desktop\Documents
[2008/07/05 03:55:03 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\U1 Setup.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/19 13:18:02 | 000,841,216 | ---- | M] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/09/19 13:11:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/19 13:10:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/19 13:05:46 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/19 05:18:14 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Web\NTUSER.DAT
[2010/09/19 05:18:14 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Web\ntuser.ini
[2010/09/19 05:18:07 | 004,084,248 | -H-- | M] () -- C:\Documents and Settings\Web\Local Settings\Application Data\IconCache.db
[2010/09/19 05:07:56 | 000,000,284 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/19 05:07:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/19 04:25:16 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/19 04:12:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/17 03:16:16 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2010/09/16 06:53:44 | 000,003,056 | ---- | M] () -- C:\Documents and Settings\Web\Local Settings\Application Data\syssvc.exe
[2010/09/15 11:54:30 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Web\Desktop\OTL.com
[2010/09/14 08:37:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/14 04:47:48 | 000,002,838 | ---- | M] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/14 02:48:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 10:04:55 | 000,077,824 | ---- | M] () -- C:\Documents and Settings\Web\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/13 01:11:18 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Web\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/08/17 10:41:19 | 000,005,360 | ---- | M] () -- C:\Documents and Settings\Web\Application Data\wklnhst.dat
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/19 13:13:46 | 000,021,185 | R--- | C] () -- C:\Documents and Settings\Web\Start Menu\Programs\Startup\systemID.pif
[2010/09/19 13:13:46 | 000,021,185 | -H-- | C] () -- C:\WINDOWS\System32\Flashy.exe
[2010/09/17 03:16:16 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2010/09/16 06:53:44 | 000,003,056 | ---- | C] () -- C:\Documents and Settings\Web\Local Settings\Application Data\syssvc.exe
[2010/09/14 08:37:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/14 08:37:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 08:25:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 08:25:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 08:25:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 08:25:41 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 08:25:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/13 01:43:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qtuweqetalaj.bin
[2010/09/13 01:43:48 | 000,002,838 | ---- | C] () -- C:\WINDOWS\Ojefuyag.dat
[2010/09/13 01:42:14 | 000,841,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\lggtctm.sys
[2010/07/26 12:44:38 | 000,002,155 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2009/05/15 13:17:11 | 000,749,568 | ---- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2009/05/15 13:17:09 | 011,194,368 | ---- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2009/02/17 18:11:30 | 000,024,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\ElbyCDIO.sys
[2009/01/13 12:29:15 | 000,005,360 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\wklnhst.dat
[2009/01/04 22:25:29 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/12/26 23:23:10 | 000,077,824 | ---- | C] () -- C:\Documents and Settings\Web\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/26 03:00:55 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Web\Local Settings\Application Data\fusioncache.dat
[2008/12/11 13:27:24 | 000,000,259 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\com.kennettnet.MusicRescue4.Profiles.plist
[2008/12/11 12:53:20 | 000,000,207 | ---- | C] () -- C:\Documents and Settings\Web\Application Data\com.kennettnet.MusicRescue4.plist
[2008/07/05 04:34:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/05 03:37:44 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/05 03:37:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/05 03:37:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/05 03:37:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/05 03:37:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/05 02:59:40 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2008/07/03 05:32:06 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/03/17 23:54:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini

========== LOP Check ==========

[2010/06/11 14:14:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2008/12/25 16:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ECAP
[2008/12/25 12:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/09/14 07:34:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/09/14 07:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/25 15:40:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindSolutions
[2010/08/02 08:30:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Ableton
[2009/08/20 10:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\avidemux
[2009/06/04 22:08:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2010/09/13 01:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\F24339461A107A09551E960FE262B144
[2010/01/05 13:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\InterVideo
[2009/09/26 05:03:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\OpenOffice.org
[2009/11/08 12:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\ScummVM
[2009/07/19 18:51:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Spotify
[2009/01/13 12:29:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\Template
[2010/07/25 15:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Web\Application Data\WindSolutions

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=ED8230261CDBB41414A152098A5E1293 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 13:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=858A92ABBFA4395FDEAE9CE8404D0DF5 -- C:\WINDOWS\system32\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


Hope this helps.
Thanks, once it's all fixed I'll definitely be making a donation!

Martin

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Hello.
Do you have an XP disc you can borrow from a friend?

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

Unfortunately not, and even if I found someone with an XP disc, as I mentioned in the first post, this EEEpc doesn't have a CD or DVD drive.

Seems like I'm right by the finish line but I just can't cross it.

Re: Security Tool 2010 - Infected on Windows XP Home Edition SP3

As long as you have USB ports, external CD drives can be bought.
