Nasty Virus


I have a virus or something nasty; I can't use the Microsoft malicious scanner, HijackThis, or any other scanner. Need some help here.

Re: Nasty Virus
Hi there mandrews!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, it doesn't mean it is clean yet!

====================

I'm not sure what exactly is happening with your computer without a more specific description.

If you have something nasty that is prohibiting you from running any software, we are probably looking at a rogue and you should do the following:

====================

Please download RKill by Grinler from Download Mirror #1 and save it to your desktop.
Download Mirror #1 (rkill.exe)
Download Mirror #2 (rkill.scr)
Download Mirror #3 (rkill.com)
Download Mirror #4 (WiNlOgOn.exe)
Download Mirror #5 (uSeRiNiT.exe)
Download Mirror #6 (iExplore.exe)
Download Mirror #7 (eXplorer.exe)

  • Double-click the RKill desktop icon (right-click > Run as Administrator for Vista/WIN7).
  • A black screen will briefly flash, indicating a successful run.
  • If this does not occur, please delete that application and try using Mirror #2.
  • Continue the process until the tool runs.
  • Important: RKill only temporarily disables the malware. If you reboot the computer, it will be active again. So do not reboot until we kill the infection.

====================

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:

%APPDATA%\Microsoft\*.*
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\*.exe
%ProgramFiles%\TinyProxy.
%systemroot%\system32\*.* /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.* /lockedfiles
%PROGRAMFILES%\*.
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
netlogon.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
disk.sys
explorer.exe
userinit.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.


Re: Nasty Virus
OTL would not start, error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Ran aswMBR, here is the report
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-29 23:20:59
-----------------------------
23:20:59.812 OS Version: Windows 6.0.6002 Service Pack 2
23:20:59.812 Number of processors: 2 586 0x6802
23:20:59.814 ComputerName: MUSICMATT-PC UserName: musicmatt
23:21:12.439 Initialize success
23:23:30.387 AVAST engine defs: 11062900
23:23:34.958 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:23:34.962 Disk 0 Vendor: Hitachi_HTS542516K9SA00 BBCOC31P Size: 152627MB BusType: 3
23:23:37.000 Disk 0 MBR read successfully
23:23:37.003 Disk 0 MBR scan
23:23:37.006 Disk 0 unknown MBR code
23:23:39.011 Disk 0 scanning sectors +312578048
23:23:39.044 Disk 0 scanning C:\Windows\system32\drivers
23:23:44.489 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:23:53.748 Service scanning
23:23:55.610 Disk 0 trace - called modules:
23:23:55.633 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8cf16890]<<
23:23:55.638 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861b0030]
23:23:55.643 3 CLASSPNP.SYS[83fa48b3] -> nt!IofCallDriver -> [0x8775a880]
23:23:55.650 \Driver\disk[0x874b7b08] -> IRP_MJ_CREATE -> 0x8cf16890
23:23:56.089 AVAST engine scan C:\Windows
23:27:30.593 File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe **INFECTED** Win32:Patched-WQ [Trj]
23:30:07.771 File: C:\Windows\System32\agrsmsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
23:30:09.899 File: C:\Windows\System32\Ati2evxx.exe **INFECTED** Win32:Patched-WQ [Trj]
23:35:19.444 File: C:\Windows\System32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:42:50.048 File: C:\Windows\System32\lxdecoms.exe **INFECTED** Win32:Patched-WQ [Trj]
23:58:49.582 Disk 0 MBR has been saved successfully to "C:\Users\musicmatt\Desktop\MBR.dat"
23:58:49.617 The log file has been saved successfully to "C:\Users\musicmatt\Desktop\aswMBR.txt"




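As an added example (not part of this thread and not code from the aswMBR tool): a small Python parser that pulls the INFECTED lines, the "unknown MBR code" line and the hooked disk-stack trace out of a report like the one above and summarises what a helper looks at first. The sample text is an excerpt of the report posted above, embedded so the parser runs offline.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Excerpt of the aswMBR report posted above, embedded so the parser runs offline.
SAMPLE_LOG = r"""
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-29 23:20:59
-----------------------------
23:23:37.000 Disk 0 MBR read successfully
23:23:37.003 Disk 0 MBR scan
23:23:37.006 Disk 0 unknown MBR code
23:23:44.489 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:23:55.633 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8cf16890]<<
23:27:30.593 File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe **INFECTED** Win32:Patched-WQ [Trj]
23:30:07.771 File: C:\Windows\System32\agrsmsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
23:35:19.444 File: C:\Windows\System32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:42:50.048 File: C:\Windows\System32\lxdecoms.exe **INFECTED** Win32:Patched-WQ [Trj]
"""

# Detection lines look like "<time> File: <path> **INFECTED** <family> [<class>]".
INFECTED_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<family>\S+) \[(?P<tag>\w+)\]$"
)
# aswMBR's short class codes that follow the family name.
TAG_MEANING = {"Rtk": "rootkit", "Trj": "trojan"}


@dataclass
class Finding:
    time: str
    path: str
    family: str
    kind: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    mbr_unknown: bool = False        # "unknown MBR code": boot sector code not recognised
    disk_stack_hooked: bool = False  # ">>UNKNOWN [addr]<<" in the disk driver trace

    def families(self):
        return dict(Counter(f.family for f in self.findings))

    def rootkit_paths(self):
        return [f.path for f in self.findings if f.kind == "rootkit"]

    def patched_paths(self):
        # Patched-* detections are legitimate system binaries with injected code:
        # deleting them breaks the system, so they need replacing from clean copies.
        return [f.path for f in self.findings if f.family.startswith("Win32:Patched")]

    def needs_offline_cleanup(self):
        # With a hooked disk stack, unrecognised MBR code or a kernel-driver rootkit,
        # the running OS cannot be trusted to scan or repair itself; the move to a
        # boot CD (OTLPE) later in the thread is the usual answer.
        return self.mbr_unknown or self.disk_stack_hooked or bool(self.rootkit_paths())


def triage_aswmbr(text):
    """Parse an aswMBR report and return a Triage summary."""
    t = Triage()
    seen = set()
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            key = m["path"].lower()  # the same file is logged twice with differing case
            if key in seen:
                continue
            seen.add(key)
            t.findings.append(Finding(m["ts"], m["path"], m["family"],
                                      TAG_MEANING.get(m["tag"], m["tag"])))
        elif "unknown MBR code" in line:
            t.mbr_unknown = True
        elif ">>UNKNOWN [" in line:
            t.disk_stack_hooked = True
    return t


if __name__ == "__main__":
    t = triage_aswmbr(SAMPLE_LOG)
    print("families:", t.families())
    print("rootkit drivers:", t.rootkit_paths())
    print("patched system files:", t.patched_paths())
    print("offline cleanup needed:", t.needs_offline_cleanup())
```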
Re: Nasty Virus
OK, this looks ugly. Please try the following:

Time to bring out ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that proceed to download ComboFix, but rename it during the download, to make sure the malware does not interfere.

The easiest is to download using Internet Explorer. If you insist on using Mozilla Firefox, you have to make a change to its configuration:
Tools >> Options >> General >> Downloads >> select Always ask me where to save files.

Use one of the links in the guide to download ComboFix and when your browser asks you where to save it, change the name of the file to svchost.exe and save it to your desktop.

Double-click svchost.exe to run the tool. Please post its log back here.

Combofix
It gets as far as "this should take 10 min, maybe longer"; after waiting an hour, nothing changed.

Re: Nasty Virus
Forgot to mention it's a Vista system, if that matters.

bump
bump

Re: Nasty Virus
Two persons are replying to this thread: mandrews and kf4nxs.
Are you one and the same person or am I looking at two different cases here?

Please make sure that only one case is handled per thread.

====================

This computer appears to be massively infected. Therefore I think it is a good idea to try and approach it from a boot CD and see if we can disable the worst of it.
You will need a clean computer with access to the internet to proceed with the following:

  • You will need a blank CD to burn the boot CD
  • Download OTLPEStd.exe by OldTimer from here (a big download)
  • Double-click on OTLPEStd.exe to burn the boot CD
  • Reboot your system using the boot CD you just created. If you don't know how to boot from CD, check out this page
  • Booting will take quite some time, so please be patient
  • Finally you should see the REATOGO-X-PE desktop. Find the OTLPE icon and double click it to run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Copy and paste the following text into the Custom Scans/Fixes field:
    /md5start
    atapi.sys
    iastor.sys
    ndis.sys
    userinit.exe
    winlogon.exe
    dfsc.sys
    agrsmsvc.exe
    Ati2evxx.exe
    lxdecoms.exe
    /md5stop

  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply

Re: Nasty Virus
Yes, it is the same, just logging in from a different source. I will get back with you when I have this done.



OTL logfile created on: 7/1/2011 6:44:11 AM - Run
OTLPE by OldTimer - Version 3.1.46.0 Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 80.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.65 Gb Total Space | 33.27 Gb Free Space | 47.78% Space Free | Partition Type: NTFS
Drive E: | 69.64 Gb Total Space | 65.68 Gb Free Space | 94.32% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - (szserver) -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe ()
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe ()
SRV - (Tether) -- C:\Program Files\Tether\TBService.exe ()
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (eNet Service) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
SRV - (MobilityService) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (eLockService) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
SRV - (WMIService) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
SRV - (lxde_device) -- C:\Windows\System32\lxdecoms.exe ( )
SRV - (lxdeCATSCustConnectService) -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe ()
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)


========== Driver Services (SafeList) ==========

DRV - (ute3mty1) -- File not found
DRV - (NwlnkFwd) -- File not found
DRV - (NwlnkFlt) -- File not found
DRV - (MEMSWEEP2) -- File not found
DRV - (IpInIp) -- File not found
DRV - (catchme) -- File not found
DRV - (Aspi32) -- File not found
DRV - (F-Secure Standalone Minifilter) -- C:\Users\musicmatt\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys ()
DRV - (1206856434) -- C:\Windows\System32\drivers\1206856434.sys (VIA Technologies)
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
DRV - (DfsC) -- C:\Windows\System32\drivers\dfsc.sys ()
DRV - (kl2) -- C:\Windows\System32\drivers\kl2.sys (Kaspersky Lab ZAO)
DRV - (qrkis) -- C:\Windows\System32\drivers\qrkis.sys (Tether)
DRV - (szkgfs) -- C:\Windows\System32\drivers\SZKGFS.sys (iS3, Inc.)
DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab ZAO)
DRV - (szkg5) -- C:\Windows\System32\drivers\SZKG.sys (iS3 Inc.)
DRV - (is3srv) -- C:\Windows\System32\drivers\is3srv.sys (iS3 Inc.)
DRV - (klmouflt) -- C:\Windows\System32\drivers\klmouflt.sys (Kaspersky Lab)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
DRV - (O2MDRDR) -- C:\Windows\System32\drivers\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\Windows\System32\drivers\o2sd.sys (O2Micro )
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\System32\drivers\AtiPcie.sys (ATI Technologies Inc.)
DRV - (WSVD) -- C:\Windows\System32\drivers\WSVD.sys (Wasay)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z039&form=ZGAPHP
IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://home.jzip.com
IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\musicmatt_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





O1 HOSTS File: ([2011/04/12 23:26:27 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (no name) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No CLSID value found.
O2 - BHO: (Freecorder Toolbar) - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files\freecordertoolbar\vmntemplateX.dll ()
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O2 - BHO: (no name) - {E33CF602-D945-461A-83F0-819F76A199F8} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files\freecordertoolbar\vmntemplateX.dll ()
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\musicmatt_ON_C\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\musicmatt_ON_C\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe (Leader Technologies Inc.)
O4 - HKLM..\Run: [lxdeamon] C:\Program Files\Lexmark 4800 Series\lxdeamon.exe ()
O4 - HKLM..\Run: [lxdemon.exe] C:\Program Files\Lexmark 4800 Series\lxdemon.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKU\musicmatt_ON_C..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - Startup: Error locating startup folders.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\musicmatt_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 205.152.128.23 205.152.37.23
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/30 23:13:23 | 000,000,000 | --SD | C] -- C:\nchost26863n
[2011/06/30 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/30 18:38:58 | 000,000,000 | --SD | C] -- C:\nchost22291n
[2011/06/30 14:34:33 | 000,000,000 | --SD | C] -- C:\nchost3682n
[2011/06/30 14:20:31 | 000,000,000 | --SD | C] -- C:\nchost17059n
[2011/06/30 14:19:58 | 000,000,000 | --SD | C] -- C:\nchost
[2011/06/30 14:09:25 | 004,130,198 | R--- | C] (Swearware) -- C:\Users\musicmatt\Desktop\nchost.exe
[2011/06/30 13:54:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/30 13:54:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/06/30 13:54:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/06/30 13:54:26 | 000,000,000 | --SD | C] -- C:\Commy8405C
[2011/06/30 13:53:57 | 000,000,000 | --SD | C] -- C:\Commy31465C
[2011/06/30 13:53:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/30 13:53:11 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/06/29 22:42:22 | 000,000,000 | --SD | C] -- C:\Commy
[2011/06/29 04:11:19 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\f-secure
[2011/06/29 04:10:39 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2011/06/29 04:08:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/06/29 03:20:26 | 000,000,000 | ---D | C] -- C:\Windows\TempBC33A0E8-0AC2-22D1-303C-C46234BCB4E2-Signatures
[2011/06/29 03:19:24 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/29 02:57:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2011/06/29 02:56:58 | 000,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2011/06/29 02:56:57 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2011/06/29 02:56:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011/06/29 02:49:00 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/29 02:49:00 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/29 02:45:03 | 000,015,872 | ---- | C] (VIA Technologies) -- C:\Windows\System32\drivers\1206856434.sys
[2011/06/29 01:47:48 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/06/28 17:58:32 | 000,132,560 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3HTUI5.dll
[2011/06/28 17:58:30 | 000,546,256 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZComp5.dll
[2011/06/28 17:58:30 | 000,456,144 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZBase5.dll
[2011/06/28 17:58:30 | 000,398,800 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3DBA5.dll
[2011/06/28 17:58:30 | 000,028,624 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3XDat5.dll
[2011/06/28 17:58:30 | 000,022,992 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZIO5.dll
[2011/06/28 17:58:28 | 000,390,608 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3UI5.dll
[2011/06/28 17:58:28 | 000,230,864 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Win325.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Svc5.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Inet5.dll
[2011/06/28 17:58:28 | 000,067,024 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Hks5.dll
[2011/06/28 17:58:26 | 000,738,768 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Base5.dll
[2011/06/24 02:23:41 | 000,000,000 | ---D | C] -- C:\Program Files\WXWarning
[2011/06/24 02:23:20 | 000,000,000 | ---D | C] -- C:\Program Files\WXSpots
[2011/06/22 21:28:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java(7)
[2011/06/22 21:27:30 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/22 21:27:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/22 21:27:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/22 20:30:37 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\Desktop\camera
[2011/06/22 01:03:24 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Weather Defender
[2011/06/20 15:40:59 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\FileZilla
[2011/06/20 15:40:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/06/20 15:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2011/06/20 15:38:31 | 000,000,000 | ---D | C] -- C:\Program Files\Scanner Recorder
[2011/06/18 23:22:23 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Local\Apple Computer
[2011/06/18 23:22:11 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Apple Computer
[2011/06/18 11:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/18 03:07:17 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/18 03:07:15 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/18 03:07:14 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/06/18 03:07:14 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/16 23:25:08 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Interbank FX Trader 4
[2011/06/16 23:24:51 | 000,000,000 | ---D | C] -- C:\InterbankFX_1-Click
[2011/06/15 20:12:51 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\SpotterNetwork
[2011/06/15 20:07:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotter Network
[2011/06/15 20:07:48 | 001,355,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvbvm50.dll
[2011/06/15 20:07:48 | 000,132,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Msinet.ocx
[2011/06/15 20:07:42 | 000,368,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbar332.dll
[2011/06/15 20:07:42 | 000,000,000 | ---D | C] -- C:\Program Files\SpotterNetwork
[2011/06/15 20:07:41 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.005
[2011/06/15 20:07:40 | 001,376,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.004
[2011/06/15 20:07:40 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.003
[2011/06/15 20:07:39 | 000,569,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.000
[2011/06/15 20:07:39 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.001
[2011/06/15 20:07:39 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.002
[2011/06/15 01:02:57 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/06/15 01:02:52 | 000,000,000 | ---D | C] -- C:\Program Files\TweetDeck
[2011/06/09 14:37:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/06/09 14:37:32 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/06/09 14:37:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2011/06/05 12:01:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[2011/04/01 15:25:51 | 000,434,176 | ---- | C] ( ) -- C:\Windows\System32\lxdehcp.dll
[2011/01/16 16:17:52 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2007/05/29 12:08:10 | 000,320,432 | ---- | C] ( ) -- C:\Windows\System32\lxdeih.exe
[2007/05/29 12:07:58 | 000,598,960 | ---- | C] ( ) -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 12:07:48 | 000,365,488 | ---- | C] ( ) -- C:\Windows\System32\lxdecfg.exe
[2007/05/17 17:08:58 | 000,647,168 | ---- | C] ( ) -- C:\Windows\System32\lxdepmui.dll
[2007/05/17 17:06:40 | 001,200,128 | ---- | C] ( ) -- C:\Windows\System32\lxdeserv.dll
[2007/05/17 17:00:32 | 000,565,248 | ---- | C] ( ) -- C:\Windows\System32\lxdelmpm.dll
[2007/05/17 17:00:32 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdecomm.dll
[2007/05/17 17:00:32 | 000,356,352 | ---- | C] ( ) -- C:\Windows\System32\lxdeinpa.dll
[2007/05/17 16:59:34 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdehbn3.dll
[2007/05/17 16:57:52 | 000,950,272 | ---- | C] ( ) -- C:\Windows\System32\lxdeusb1.dll
[2007/05/17 16:56:56 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxdecomc.dll
[2007/05/17 16:52:56 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdeiesc.dll
[2007/05/17 16:51:30 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdeprox.dll
[6 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/01 05:11:30 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/01 05:11:30 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/01 05:11:23 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat
[2011/07/01 04:56:59 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/01 04:12:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003UA.job
[2011/06/30 23:35:09 | 000,656,214 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/30 23:35:09 | 000,123,536 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/30 23:30:11 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/30 23:30:00 | 1877,065,728 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/30 21:12:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003Core.job
[2011/06/30 14:20:14 | 004,130,198 | R--- | M] (Swearware) -- C:\Users\musicmatt\Desktop\nchost.exe
[2011/06/30 01:15:51 | 000,302,592 | ---- | M] () -- C:\Users\musicmatt\Desktop\so44z52z.exe
[2011/06/29 22:55:57 | 205,789,499 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/29 17:15:30 | 000,000,072 | ---- | M] () -- C:\Users\musicmatt\Desktop\gwrra.sc.t.url
[2011/06/29 17:14:36 | 000,000,072 | ---- | M] () -- C:\Users\musicmatt\Desktop\kf4nxs.url
[2011/06/29 17:13:34 | 000,000,078 | ---- | M] () -- C:\Users\musicmatt\Desktop\whenpigsflypro.url
[2011/06/29 13:21:06 | 000,002,713 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LTCM Client.lnk
[2011/06/29 04:08:28 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/06/29 03:30:55 | 000,002,198 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/06/29 03:27:36 | 000,001,772 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/06/29 03:19:24 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/29 03:18:33 | 000,395,608 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/29 02:57:04 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2011/06/29 02:45:03 | 000,015,872 | ---- | M] (VIA Technologies) -- C:\Windows\System32\drivers\1206856434.sys
[2011/06/29 01:47:50 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/06/28 17:58:32 | 000,132,560 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3HTUI5.dll
[2011/06/28 17:58:30 | 000,546,256 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZComp5.dll
[2011/06/28 17:58:30 | 000,456,144 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZBase5.dll
[2011/06/28 17:58:30 | 000,398,800 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3DBA5.dll
[2011/06/28 17:58:30 | 000,028,624 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3XDat5.dll
[2011/06/28 17:58:30 | 000,022,992 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZIO5.dll
[2011/06/28 17:58:28 | 000,390,608 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3UI5.dll
[2011/06/28 17:58:28 | 000,230,864 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Win325.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Svc5.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Inet5.dll
[2011/06/28 17:58:28 | 000,067,024 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Hks5.dll
[2011/06/28 17:58:26 | 000,738,768 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Base5.dll
[2011/06/27 00:48:42 | 000,000,894 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/26 21:44:14 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GRLevelX
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe
[2011/06/21 03:07:50 | 000,000,196 | ---- | M] () -- C:\Windows\System32\~.inf
[2011/06/21 03:07:22 | 004,212,452 | ---- | M] () -- C:\Users\musicmatt\Desktop\United_States_Frequency_Allocations_Chart_2003_-_The_Radio_Spectrum.jpg
[2011/06/20 15:40:43 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/06/20 15:38:31 | 000,001,888 | ---- | M] () -- C:\Users\Public\Desktop\Scanner Recorder.lnk
[2011/06/20 15:38:31 | 000,001,888 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scanner Recorder.lnk
[2011/06/18 11:58:36 | 000,001,804 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/16 23:25:09 | 000,001,499 | ---- | M] () -- C:\Users\musicmatt\Desktop\Interbank FX Trader 4.lnk
[2011/06/16 15:37:26 | 000,000,066 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chasing the Southeast.url
[2011/06/15 20:08:02 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotter Network
[2011/06/15 20:07:56 | 000,001,620 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Spotter Network.lnk
[2011/06/15 01:02:53 | 000,000,738 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweetDeck.lnk
[2011/06/15 01:02:53 | 000,000,726 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TweetDeck.lnk
[2011/06/12 05:46:03 | 000,001,356 | ---- | M] () -- C:\Users\musicmatt\AppData\Local\d3d9caps.dat
[2011/06/09 14:37:54 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/06/06 18:11:35 | 000,000,258 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/06/05 12:01:00 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[6 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/30 13:54:31 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/30 13:54:31 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/06/30 13:54:31 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/06/30 13:54:31 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/06/30 13:54:31 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/30 01:17:12 | 000,302,592 | ---- | C] () -- C:\Users\musicmatt\Desktop\so44z52z.exe
[2011/06/29 23:06:55 | 1877,065,728 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/29 22:55:57 | 205,789,499 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/06/29 17:15:30 | 000,000,072 | ---- | C] () -- C:\Users\musicmatt\Desktop\gwrra.sc.t.url
[2011/06/29 17:14:18 | 000,000,072 | ---- | C] () -- C:\Users\musicmatt\Desktop\kf4nxs.url
[2011/06/29 17:13:34 | 000,000,078 | ---- | C] () -- C:\Users\musicmatt\Desktop\whenpigsflypro.url
[2011/06/29 03:27:36 | 000,001,772 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/06/21 03:08:03 | 004,212,452 | ---- | C] () -- C:\Users\musicmatt\Desktop\United_States_Frequency_Allocations_Chart_2003_-_The_Radio_Spectrum.jpg
[2011/06/20 15:38:31 | 000,001,888 | ---- | C] () -- C:\Users\Public\Desktop\Scanner Recorder.lnk
[2011/06/20 15:38:31 | 000,001,888 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scanner Recorder.lnk
[2011/06/18 11:58:36 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/17 07:11:35 | 000,075,264 | ---- | C] () -- C:\Windows\System32\drivers\dfsc.sys
[2011/06/16 23:25:09 | 000,001,499 | ---- | C] () -- C:\Users\musicmatt\Desktop\Interbank FX Trader 4.lnk
[2011/06/16 14:41:49 | 000,000,066 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chasing the Southeast.url
[2011/06/15 20:07:56 | 000,001,620 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Spotter Network.lnk
[2011/06/15 01:02:53 | 000,000,738 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweetDeck.lnk
[2011/06/15 01:02:53 | 000,000,726 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TweetDeck.lnk
[2011/06/06 18:11:35 | 000,000,258 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/05/06 14:00:10 | 000,246,094 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\census.cache
[2011/05/06 13:59:50 | 000,182,006 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\ars.cache
[2011/05/06 13:48:06 | 000,000,036 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\housecall.guid.cache
[2011/04/24 15:15:00 | 000,098,816 | ---- | C] () -- C:\Windows\System32\FGWVB32.DLL
[2011/04/01 15:25:51 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdeinst.dll
[2011/03/29 20:45:53 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2011/03/29 19:33:19 | 000,580,096 | ---- | C] () -- C:\Windows\System32\lame.exe
[2011/03/29 19:33:19 | 000,496,640 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2011/03/29 19:33:19 | 000,307,200 | ---- | C] () -- C:\Windows\System32\Mp3Ctrl.dll
[2011/03/29 19:33:19 | 000,131,176 | ---- | C] () -- C:\Windows\System32\mp3gain.exe
[2011/03/29 19:33:19 | 000,086,016 | ---- | C] () -- C:\Windows\System32\akrip32.dll
[2011/03/29 16:56:23 | 000,000,047 | ---- | C] () -- C:\Windows\WinInit.Ini
[2011/03/29 16:24:12 | 000,000,416 | ---- | C] () -- C:\ProgramData\lxde
[2011/03/13 23:05:38 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/01/21 04:51:26 | 000,001,356 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\d3d9caps.dat
[2011/01/19 04:43:58 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/19 04:43:57 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/18 02:15:50 | 000,669,002 | ---- | C] () -- C:\Windows\unins000.exe
[2011/01/18 02:15:50 | 000,001,103 | ---- | C] () -- C:\Windows\unins000.dat
[2011/01/17 22:23:02 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/01/17 02:56:42 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2011/01/16 23:26:26 | 000,027,648 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/16 23:15:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxf3oem.dll
[2011/01/16 23:15:44 | 000,012,288 | ---- | C] () -- C:\Windows\System32\LXF3PMRC.DLL
[2011/01/16 18:44:22 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011/01/16 18:44:22 | 000,168,886 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/01/16 18:44:22 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011/01/16 18:44:22 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2011/01/16 17:51:11 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/01/16 17:12:37 | 000,115,267 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2011/01/16 17:12:36 | 000,097,859 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2011/01/16 16:17:52 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2011/01/16 16:17:04 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2011/01/16 16:16:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2009/09/09 19:01:40 | 000,027,675 | ---- | C] () -- C:\Windows\System32\drivers\klopp.dat
[2008/03/30 02:41:02 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/03/29 23:28:22 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/03/29 23:28:06 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2008/03/29 23:28:06 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2008/03/29 23:28:05 | 000,000,040 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2008/03/29 22:51:04 | 000,001,132 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008/03/29 22:51:04 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\RtkHDAud.dat
[2007/05/28 01:02:38 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdegrd.dll
[2007/05/24 16:24:26 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdedrs.dll
[2007/05/22 10:09:42 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdecaps.dll
[2007/05/03 18:50:10 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdecoin.dll
[2007/04/17 10:17:06 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdecnv4.dll
[2006/11/02 08:57:28 | 000,067,584 | ---- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,395,608 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,656,214 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,123,536 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/08/01 04:53:18 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdevs.dll
[2001/12/26 18:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 01:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 18:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 00:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2011/06/29 01:15:37 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\.purple
[2011/01/16 16:21:59 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Acer
[2011/03/05 21:12:14 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Audacity
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\BitTorrent
[2011/05/06 00:07:35 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\DriverCure
[2011/06/29 04:11:19 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\f-secure
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\FileZilla
[2011/04/22 18:53:39 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\GetRightToGo
[2011/06/27 15:00:46 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\GRLevel3
[2011/06/16 22:09:08 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\gtk-2.0
[2011/01/16 16:21:58 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Leadertech
[2011/03/13 23:20:33 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Leawo
[2011/04/25 19:44:24 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Lexmark Productivity Studio
[2011/03/13 23:20:37 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Moyea
[2011/01/18 03:31:26 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\OpenOffice.org
[2011/05/06 00:07:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\ParetoLogic
[2011/01/16 22:08:06 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\PCDJ
[2011/01/16 21:21:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Shareaza
[2011/05/10 18:19:09 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Sony
[2011/05/10 17:51:02 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Sony Setup
[2011/06/24 02:33:23 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\SpotterNetwork
[2011/04/12 14:47:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\SumatraPDF
[2011/04/27 12:38:04 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\TeamViewer
[2011/04/08 10:40:13 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Tether
[2011/06/15 01:02:57 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/05/06 02:00:49 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Uniblue
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\uTorrent
[2011/06/24 02:18:26 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Weather Defender
[2011/05/05 11:59:36 | 000,000,000 | ---D | M] -- C:\ProgramData\Alwil Software
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2011/04/24 21:53:37 | 000,000,000 | ---D | M] -- C:\ProgramData\Digital Entertainer
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2011/06/29 04:10:39 | 000,000,000 | ---D | M] -- C:\ProgramData\F-Secure
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2011/03/13 23:07:48 | 000,000,000 | ---D | M] -- C:\ProgramData\Leawo
[2011/05/09 12:36:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Lx_cats
[2011/01/17 15:07:30 | 000,000,000 | ---D | M] -- C:\ProgramData\musicmatt
[2011/05/06 00:50:26 | 000,000,000 | ---D | M] -- C:\ProgramData\ParetoLogic
[2011/01/16 22:08:03 | 000,000,000 | ---D | M] -- C:\ProgramData\PCDJ
[2011/05/10 18:19:09 | 000,000,000 | ---D | M] -- C:\ProgramData\Sony
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2011/06/29 03:03:48 | 000,000,000 | ---D | M] -- C:\ProgramData\STOPzilla!
[2011/06/27 15:00:46 | 000,000,000 | ---D | M] -- C:\ProgramData\TEMP
[2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2011/05/06 02:00:53 | 000,000,000 | ---D | M] -- C:\ProgramData\Uniblue
[2008/03/29 23:11:48 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2011/07/01 05:11:11 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AGRSMSVC.EXE >
[2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) MD5=39E435C90C9C4F780FA0ED05CA3C3A1B -- C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe
[2006/10/05 16:10:12 | 000,011,264 | ---- | M] (Agere Systems) MD5=D094FF2360F0F6937E8D162AA98A6B4C -- C:\Windows\System32\agrsmsvc.exe

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: ATI2EVXX.EXE >
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=05D9E2AF577D85F089C55780CDC41EE3 -- C:\Windows\System32\Ati2evxx.exe
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=B886D349AFAD502DE4F6EA0C64B1CC4D -- C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe

< MD5 for: DFSC.SYS >
[2009/04/11 00:14:12 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=218D8AE46C88E82014F5D73D0236D9B2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
[2008/01/20 22:24:55 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=9E635AE5E8AD93E2B5989E2E23679F97 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18000_none_879a2ddde61be4de\dfsc.sys
[2011/04/14 10:24:14 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=A3E9FA213F443AC77C7746119D13FEEC -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\System32\drivers\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
[2011/04/13 09:22:40 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=E20FB30D720810646ED24FB7CA9899A2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys

< MD5 for: LXDECOMS.EXE >
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=1A195D6B59A4F79C6B182C3B4A81535A -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\config\systemprofile\{4a452778-f0bb-4a38-940c-1cc99117d899}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\config\systemprofile\{f48ced33-c68e-430f-80ed-9a2ea4ef228f}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\spool\drivers\w32x86\{2C4DFD08-EF95-4C6A-9F2A-885FB012BA44}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\spool\drivers\w32x86\{E94154B4-8774-497D-9EEC-81A38EA9F76A}\i386\lxdecoms.exe

< MD5 for: NDIS.SYS >
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\ERDNT\cache\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\System32\drivers\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
[2008/01/20 22:23:50 | 000,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 22:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> C:\ProgramData\Application Data:$SS_DESCRIPTOR_1VPTV9VVMVFBVLVHKV6FYJ6VDVPMF7LBWK96HUTVVVVKVVBVLVV5
@Alternate Data Stream - 85 bytes -> C:\ProgramData:$SS_DESCRIPTOR_1VPTV9VVMVFBVLVHKV6FYJ6VDVPMF7LBWK96HUTVVVVKVVBVLVV5
@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:53829683
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:B63300D1
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:8331D35A
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:EBC2DB92
< End of report >

bump

bump

Re: Nasty Virus

kf4nxs wrote:
bump

You don´t need to up your thread - you will not be forgotten.
I am currently enjoying the weekend with my family :)...
I will get back and analyze your log when I can.

Re: Nasty Virus

Well, that was an interesting log. The good news is that clean copies of all infected files are available, so we are going to replace infected files with clean files in the following step:

  • Double click OTLPE to run
  • Under the Custom Scans/Fixes box at the bottom, type or copy/paste the following:
    :files
    C:\Windows\System32\drivers\1206856434.sys
    copy "C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe" "C:\Windows\System32\lxdecoms.exe" /c
    copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" C:\Windows\System32\drivers\dfsc.sys /c
    copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys" /c
    copy "C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe" C:\Windows\System32\Ati2evxx.exe /c
    copy "C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe" C:\Windows\System32\agrsmsvc.exe /c


    :services
    1206856434

    :otl
    O2 - BHO: (no name) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No CLSID value found.
    O2 - BHO: (no name) - {E33CF602-D945-461A-83F0-819F76A199F8} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

  • Then click the Run Fix button at the top (not the Run Scan!)
  • Allow it to run. If you get any error message or your computer freezes, let me know.
  • Finally, post the contents of the log (located at C:\_OTL\Moved Files)


====================

A good idea may be to copy the script text and paste it into a text file and take that to your infected computer running the REATOGO-X-PE windows environment with a USB disk and paste it into the OTLPE custom fixes field.

If you have such a USB stick, it is also a good idea to do this:

Please download MBRCheck by a_d_13 from either of the following mirrors and save it to the USB stick
  • Mirror #1
  • Mirror #2
  • Mirror #3

Take that USB drive to the infected computer running the REATOGO-X-PE environment and run mbrcheck. Post the log back here.

====================

There is another infected file we have not dealt with yet. With the following step I want to find clean backup copies.
  • Run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Copy and paste the following text into the Custom Scans/Fixes field:
    /md5start
    atapi.sys
    iastor.sys
    ndis.sys
    userinit.exe
    winlogon.exe
    dfsc.sys
    agrsmsvc.exe
    Ati2evxx.exe
    lxdecoms.exe
    mscorsvw.exe
    /md5stop

  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply

====================

These are some complicated scripts we are running. I hope I made no error in the scripts, so we will verify all carefully before booting your computer in a normal way.

Let me know how that all went.

some errors

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
========== SERVICES/DRIVERS ==========
Service\Driver key 1206856434 not found.
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E33CF602-D945-461A-83F0-819F76A199F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E33CF602-D945-461A-83F0-819F76A199F8}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.

OTLPE by OldTimer - Version 3.1.46.0 log created on 07042011_040121

Re: Nasty Virus

hmmm ... something went wrong with that script.
We´ll do it in another way.

Create a text file with the name fix.bat with the following content:

Code:

copy "C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe" "C:\Windows\System32\lxdecoms.exe"
copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" C:\Windows\System32\drivers\dfsc.sys
copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys"
copy "C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe" C:\Windows\System32\Ati2evxx.exe
copy "C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe" C:\Windows\System32\agrsmsvc.exe
pause

(Note that there should be six lines in this script, 5 starting with the word "copy" and one with pause)

You can create fix.bat on another computer and transfer it to the problem computer with a USB disk, for example.

Run fix.bat in the REATOGO-X-PE environment by double-clicking it. It should show 5 successful copies and no error messages.

After that follow the second and third instruction of my previous post, please.
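The two helper posts above (the OTLPE fix script and its fix.bat replacement) rest on one idea: compare the MD5 of the live copy of a system file in System32 with the copies Windows keeps in DriverStore, winsxs and the ERDNT cache, treat a live copy whose hash matches no backup, or whose company name has been stripped, as the infected one, and overwrite it with a clean backup. The following is an added example, not code from the thread and not OTL's own code: it parses a "< MD5 for: NAME >" section as OTL prints it (the sample log is a constructed, shortened copy of the one posted earlier in this thread), flags the suspicious copies with the same reasoning, names a clean source for each, and hashes a file on disk so that the copy made by fix.bat can be checked afterwards. The BACKUP_MARKERS path fragments and the selection heuristics are assumptions made for this example.

```python
"""Added example (not from the thread, not OTL's own code): triage an OTL
'< MD5 for: NAME >' section, flag copies that look tampered with, name a
clean source among the backup stores, and hash a file to check a replacement.
Heuristics and path markers are assumptions made for this example."""
import hashlib
import re
from collections import Counter

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>.+?)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)$"
)
# Path fragments (assumed here) that mark inactive copies rather than the live file.
BACKUP_MARKERS = ("\\driverstore\\", "\\winsxs\\", "\\erdnt\\", "\\spool\\",
                  "\\config\\systemprofile\\")

# Constructed sample: a shortened copy of the MD5 section posted in this thread.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys

< MD5 for: ATI2EVXX.EXE >
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=05D9E2AF577D85F089C55780CDC41EE3 -- C:\Windows\System32\Ati2evxx.exe
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=B886D349AFAD502DE4F6EA0C64B1CC4D -- C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe

< MD5 for: DFSC.SYS >
[2009/04/11 00:14:12 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=218D8AE46C88E82014F5D73D0236D9B2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\System32\drivers\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys

< MD5 for: LXDECOMS.EXE >
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=1A195D6B59A4F79C6B182C3B4A81535A -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe
"""

def parse_md5_section(text):
    """Return {FILENAME: [copy, ...]} parsed from the '< MD5 for: NAME >' blocks."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            current = head.group("name").upper()
            groups.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            path = m.group("path").strip()
            groups[current].append({
                "ts": m.group("ts").strip(), "path": path,
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company").strip(), "md5": m.group("md5").upper(),
                "backup": any(k in path.lower() for k in BACKUP_MARKERS)})
    return groups

def triage(groups):
    """Flag suspicious copies of each file and pick a clean backup to restore from.
    Signals: an empty company field while sibling copies carry one, and a live
    (non-backup) copy whose MD5 matches none of the backup copies."""
    report = {}
    for name, copies in groups.items():
        any_company = any(c["company"] for c in copies)
        backup_hashes = Counter(c["md5"] for c in copies if c["backup"])
        suspicious = []
        for c in copies:
            reasons = []
            if any_company and not c["company"]:
                reasons.append("no version info while other copies carry it")
            if not c["backup"] and backup_hashes and c["md5"] not in backup_hashes:
                reasons.append("MD5 matches no backup copy")
            if reasons:
                suspicious.append((c["path"], reasons))
        entry = {"suspicious": suspicious, "clean_source": None, "clean_md5": None}
        if suspicious:
            bad = {p for p, _ in suspicious}
            cands = [c for c in copies if c["backup"] and c["path"] not in bad]
            if any_company:
                cands = [c for c in cands if c["company"]]
            if cands:
                want = next(c["size"] for c in copies if c["path"] in bad)
                # Prefer a backup of the same size, then the most widespread hash, then the newest.
                best = max(cands, key=lambda c: (c["size"] == want, backup_hashes[c["md5"]], c["ts"]))
                entry["clean_source"], entry["clean_md5"] = best["path"], best["md5"]
        report[name] = entry
    return report

def md5_of_file(path):
    """MD5 of a file on disk; MD5 only because that is what the OTL report lists."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def verify_replacement(path, expected_md5):
    """True when the file now on disk carries the expected clean hash."""
    return md5_of_file(path) == expected_md5.upper()
```

Feed parse_md5_section the C:\OTL.txt produced by a /md5start ... /md5stop scan and triage() reports, for dfsc.sys, the two copies without version info and the 6.0.6002.22625 winsxs copy as the source, which is the choice the helper made by hand; after fix.bat has run, verify_replacement(live_path, clean_md5) confirms that the copy actually landed. The hash check guards against a copy that silently failed, not against a deliberately crafted collision, so it is a consistency check rather than an integrity proof.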
