Multiple Virus and Trojan Infections!


#1 ridgedale

Posted 23 April 2009 - 01:40 AM

I don't know whether I'm doing the right thing here as I have already posted logs in the Malware Removal (virus; trojan; hijackware; etc.) forum on http://aumha.net over 23 hours ago and have had no response so far. I appreciate that the contributors are giving their valuable time freely but I would really like to get the problems with this computer resolved and am hoping I might be able to get a quicker response from this forum.

Please let me know if I'm doing the wrong thing here.

Below is a copy of what I posted in the AumHa Malware Removal forum:

I've been handed an Asus Eee PC that has multiple virus/trojan infections. The machine is running XP SP2 with all updates up to but not including SP3, on account of only about 600Mb of disk space remaining available. I have followed the READ FIRST! instructions by Jim Eshelman and produced the OTListIt2 and SecurityCheck output logs. (The Malicious Software Removal Tool did remove 11 infected files - see log below - and I also ran a subsequent ClamWin Anti-Virus full scan which picked up a further 14 infections, the log file of which is also below!) Any assistance would be greatly appreciated.

Dene

======================================================================

OTListIt logfile created on: 22/04/2009 07:18:07 - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Tommy\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1015.05 Mb Total Physical Memory | 711.55 Mb Available Physical Memory | 70.10% Memory free
918.55 Mb Paging File | 725.95 Mb Available in Paging File | 79.03% Paging File free
Paging file location(s):

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.73 Gb Total Space | 0.65 Gb Free Space | 17.32% Space Free | Partition Type: NTFS
Drive D: | 7.50 Gb Total Space | 5.90 Gb Free Space | 78.68% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOMANDLARA
Current User Name: Tommy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2007/06/14 02:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/04/22 03:12:37 | 00,000,000 | ---D | M] -- C:\WINDOWS\system32
PRC - [2006/03/01 04:00:00 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/09/24 08:43:36 | 00,104,984 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2007/09/24 08:43:36 | 00,121,368 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/09/24 08:43:36 | 00,100,888 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/03/06 22:14:20 | 16,858,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/03/27 22:20:38 | 00,102,400 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\Asus\EeePC ACPI\AsTray.exe
PRC - [2008/03/20 17:52:38 | 00,544,768 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
PRC - [2009/04/14 11:52:58 | 00,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray.exe
PRC - [2004/10/13 17:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2007/09/24 08:43:36 | 00,199,192 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2007/09/24 08:43:36 | 00,129,560 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2006/03/01 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dwwin.exe
PRC - [2006/03/01 04:00:00 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/04/22 07:06:25 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tommy\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/22 20:42:12 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
SRV - [2004/07/15 06:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/03/01 04:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/05 00:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr [Disabled | Stopped])
SRV - [2009/03/06 23:57:59 | 00,148,480 | RHS- | M] (UTool) -- C:\WINDOWS\system32\drivers\RegSrv.exe -- (RegSrv Service Controler [Disabled | Stopped])
SRV - [2007/10/25 20:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2007/05/02 21:00:58 | 00,546,976 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\DRIVERS\ar5211.sys -- (AR5211 [On_Demand | Running])
DRV - [2007/07/27 01:00:38 | 00,011,264 | ---- | M] (ASUSTeK Computer Inc.) -- C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys -- (AsusACPI [On_Demand | Running])
DRV - [2007/10/19 06:12:00 | 00,030,720 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\DRIVERS\l251x86.sys -- (AtcL002 [On_Demand | Running])
DRV - [2005/01/07 10:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2006/10/10 08:24:00 | 01,181,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2008/03/18 23:21:32 | 04,744,704 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/04/03 20:27:46 | 00,025,088 | ---- | M] (ELANTECH Devices Corp.) -- C:\WINDOWS\system32\DRIVERS\ETD.sys -- (Ktp [On_Demand | Running])
DRV - [2006/03/01 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/07/22 20:32:44 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.worldinslowmotion.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/29 15:58:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/29 15:58:31 | 00,000,000 | ---D | M]

[2009/02/23 02:14:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\mozilla\Extensions
[2009/02/23 02:14:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/23 02:14:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\mozilla\Firefox\Profiles\ozn4wqwp.default\extensions
[2009/02/23 02:14:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/02/23 02:14:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/29 15:57:47 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/29 15:57:47 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/20 00:28:04 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/20 00:28:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/20 00:28:04 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/20 00:28:04 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/20 00:28:04 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/20 00:28:04 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/01/20 00:28:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\Asus\EeePC ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon (alch)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [vcrt80.dll] C:\WINDOWS\system32:vcrt80.exe [2009/04/22 03:12:37 | 00,000,000 | ---D | M]
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/fl ... wflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:AutorunsDisabled () -
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/13 06:14:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell - "" = AutoRun
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{2112cb4d-2131-11de-a880-0015af94fedb}\Shell\AutoRun\command - "" = G:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{2112cb4d-2131-11de-a880-0015af94fedb}\Shell\open\command - "" = G:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{308382d6-b94b-11dd-a6d4-0015af94fedb}\Shell - "" = AutoRun
O33 - MountPoints2\{308382d6-b94b-11dd-a6d4-0015af94fedb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{308382d6-b94b-11dd-a6d4-0015af94fedb}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{88af1146-1981-11de-a852-0015af94fedb}\Shell\AutoRun\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{88af1146-1981-11de-a852-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{a0dc01c6-4ded-11dd-a586-0015af94fedb}\Shell\AutoRun\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{a0dc01c6-4ded-11dd-a586-0015af94fedb}\Shell\open\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{a0dc01c9-4ded-11dd-a586-0015af94fedb}\Shell\AutoRun\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{a0dc01c9-4ded-11dd-a586-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{cfda587e-175f-11de-a849-0015af94fedb}\Shell\AutoRun\command - "" = F:\RECYCLER\S-53-6-22-3434476501-1644491937-600003330-1213\DelSrv.exe -- File not found
O33 - MountPoints2\{cfda587e-175f-11de-a849-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-6-22-3434476501-1644491937-600003330-1213\DelSrv.exe -- File not found
O33 - MountPoints2\{f4c494c8-4f5b-11dd-a58a-0015af94fedb}\Shell\AutoRun\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{f4c494c8-4f5b-11dd-a58a-0015af94fedb}\Shell\open\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{f6df12f4-4f21-11dd-a588-0015af94fedb}\Shell\AutoRun\command - "" = H:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{f6df12f4-4f21-11dd-a588-0015af94fedb}\Shell\open\command - "" = H:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/04/22 07:07:11 | 00,532,626 | ---- | C] () -- C:\Documents and Settings\Tommy\Desktop\SecurityCheck.exe
[2009/04/22 07:06:23 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tommy\Desktop\OTListIt2.exe
[2009/04/22 06:45:22 | 00,002,521 | ---- | C] () -- C:\Documents and Settings\Tommy\Desktop\xp_taskbar_desktop_fixall.vbs
[2009/04/22 03:13:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/04/22 02:55:28 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2009/04/21 22:59:05 | 09,924,040 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Tommy\Desktop\windows-kb890830-v2.9.exe
[2009/04/21 17:34:50 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2009/04/21 17:34:44 | 00,009,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidusb.sys
[2009/04/21 11:13:05 | 00,184,365 | ---- | C] () -- C:\b3p3b1o6f7l4.exe
[2009/04/20 10:28:41 | 00,040,493 | ---- | C] () -- C:\r6u9k2l4e6a4.exe
[2009/04/11 18:38:18 | 00,011,776 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\The wonders of WISM etc.wps
[2009/04/03 01:28:15 | 00,028,205 | ---- | C] (Software) -- C:\d6u8d7y9c2k8.exe
[2009/03/30 13:57:02 | 00,012,800 | ---- | C] () -- C:\murkrow.exe
[2009/03/30 13:57:00 | 00,061,958 | ---- | C] () -- C:\x9r5w5s2ye.exe
[2009/03/28 02:01:32 | 00,045,101 | ---- | C] (Microsoft) -- C:\x9r5w5s2y2x6.exe
[2009/03/27 16:34:05 | 00,045,101 | ---- | C] (Microsoft) -- C:\m2u8g3w9e4i1.exe
[2009/03/23 20:39:55 | 00,000,000 | ---D | C] -- C:\sna
[2008/04/07 21:07:56 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/03/26 21:56:16 | 00,229,376 | ---- | C] () -- C:\WINDOWS\System32\DreyeSkinCtrls.dll
[2008/03/26 21:56:16 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Text32.dll
[2008/03/26 21:56:16 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\DictInfo.dll
[2008/03/26 21:56:16 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\exeProc.dll
[2008/03/26 21:56:16 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\DreyeMT.dll
[2008/03/26 21:56:15 | 00,026,112 | ---- | C] () -- C:\WINDOWS\System32\LevelApi.dll
[2008/03/26 21:55:02 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/03/26 21:55:02 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/03/26 21:55:02 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/03/26 21:55:02 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/03/26 21:55:02 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/03/26 21:55:02 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/03/20 04:34:19 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2008/03/17 20:54:36 | 00,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2008/03/13 20:27:35 | 00,005,318 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/03/13 20:26:53 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/03/13 20:26:48 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/03/13 20:25:57 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2007/08/17 23:07:40 | 00,000,032 | ---- | C] () -- C:\WINDOWS\asusacpi.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/04/22 07:16:31 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/22 07:16:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/22 07:07:14 | 00,532,626 | ---- | M] () -- C:\Documents and Settings\Tommy\Desktop\SecurityCheck.exe
[2009/04/22 07:06:25 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tommy\Desktop\OTListIt2.exe
[2009/04/22 06:45:23 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Tommy\Desktop\xp_taskbar_desktop_fixall.vbs
[2009/04/22 03:13:02 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/22 03:12:17 | 00,184,365 | ---- | M] () -- C:\b3p3b1o6f7l4.exe
[2009/04/21 22:59:23 | 09,924,040 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Tommy\Desktop\windows-kb890830-v2.9.exe
[2009/04/21 13:46:41 | 00,046,762 | ---- | M] () -- C:\Documents and Settings\Tommy\Application Data\wklnhst.dat
[2009/04/20 10:28:42 | 00,040,493 | ---- | M] () -- C:\r6u9k2l4e6a4.exe
[2009/04/16 13:04:17 | 00,128,000 | ---- | M] () -- C:\Documents and Settings\Tommy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/11 19:04:07 | 00,011,776 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\The wonders of WISM etc.wps
[2009/04/10 19:23:24 | 00,002,281 | ---- | M] () -- C:\Documents and Settings\Tommy\Desktop\Microsoft Works Word Processor (2).lnk
[2009/04/09 18:18:37 | 00,430,524 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/09 18:18:37 | 00,374,632 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/09 18:18:37 | 00,050,934 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/06 17:53:05 | 00,028,205 | ---- | M] (Software) -- C:\d6u8d7y9c2k8.exe
[2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/31 16:39:13 | 00,045,101 | ---- | M] (Microsoft) -- C:\x9r5w5s2y2x6.exe
[2009/03/30 16:04:23 | 00,045,101 | ---- | M] (Microsoft) -- C:\m2u8g3w9e4i1.exe
[2009/03/30 14:23:50 | 00,012,800 | ---- | M] () -- C:\murkrow.exe
[2009/03/30 14:23:48 | 00,061,958 | ---- | M] () -- C:\x9r5w5s2ye.exe
[2009/03/24 16:06:58 | 00,026,157 | ---- | M] (XTH) -- C:\k8m1l3e9f4n7.exe

========== LOP Check ==========

[2009/04/22 03:13:02 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/09/14 08:42:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/09/09 10:08:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/03/18 00:21:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/02/26 23:17:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/08/18 12:38:39 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/03/20 08:01:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/02/23 02:44:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/22 03:13:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/03/20 06:53:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/04/21 13:46:10 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Tommy\Application Data
[2008/07/01 11:07:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\.clamwin
[2008/07/24 20:22:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Adobe
[2009/01/23 20:53:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Apple Computer
[2009/02/25 18:05:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Help
[2008/03/20 04:27:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Identities
[2008/03/20 04:35:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\InstallShield
[2008/03/26 22:03:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\InterVideo
[2008/07/03 22:03:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Macromedia
[2009/02/26 23:17:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Malwarebytes
[2008/08/18 12:28:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Tommy\Application Data\Microsoft
[2009/02/23 02:14:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Mozilla
[2009/03/06 23:58:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Skype
[2009/03/06 22:46:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\skypePM
[2009/02/23 00:21:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\StarSuite8
[2008/10/04 12:32:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Sun
[2008/07/06 16:29:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Template
[2009/04/11 15:17:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\U3
[2008/09/10 13:09:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tommy\Application Data\Windows Live Writer
[2006/03/01 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/22 07:16:31 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >

======================================================================

OTListIt Extras logfile created on: 22/04/2009 07:18:07 - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Tommy\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1015.05 Mb Total Physical Memory | 716.59 Mb Available Physical Memory | 70.60% Memory free
918.55 Mb Paging File | 731.31 Mb Available in Paging File | 79.62% Paging File free
Paging file location(s):

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.73 Gb Total Space | 0.64 Gb Free Space | 17.10% Space Free | Partition Type: NTFS
Drive D: | 7.50 Gb Total Space | 5.90 Gb Free Space | 78.68% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOMANDLARA
Current User Name: Tommy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
File not found -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
File not found -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
File not found -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/02/13 01:08:14 | 21,898,024 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}" = Windows Live Photo Gallery
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C52CED3-D45C-4DA9-932F-B91BD44BB461}" = Adabas D 13.01.00
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{84E2AA5A-8BA3-4F08-9F6F-C14E4C679FF0}" = Asus OS Cleaner
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo XPack (DVD Only)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.95.1
"Elantech" = ETD Ware PS/2-x86 7.0.1.3
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0." = Mozilla Firefox (3.0.
"Shavlik NetChk Analyzer" = Shavlik NetChk Analyzer
"WIC" = Windows Imaging Component

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 21/04/2009 21:42:32 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 21/04/2009 21:42:32 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2147500053

Error - 21/04/2009 21:55:13 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 21/04/2009 22:09:59 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 21/04/2009 23:43:06 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7034
Description = The Regview Controler service terminated unexpectedly. It has done
this 1 time(s).

Error - 22/04/2009 01:23:34 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 22/04/2009 01:29:29 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 22/04/2009 01:34:32 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 22/04/2009 01:44:42 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 22/04/2009 02:05:22 | Computer Name = TOMANDLARA | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747


< End of report >

=============================================================================

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Disabled!
ClamWinFreeAntivirus0.95.1
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Spybot - Search & Destroy
Asus OS Cleaner
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

Scan took 34 seconds.
`````````End of Log```````````

=============================================================================

Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Wed Apr 22 04:12:41 2009

Extended Scan Results
----------------
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\WINDOWS\system32\drivers\Regview.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\WINDOWS\system32\drivers\WinMgmt.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\WINDOWS\system32\drivers\DelSrv.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\WINDOWS\system32\drivers\DllSrv.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\WINDOWS\system32\drivers\dllview.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\WINDOWS\system32\drivers\DrsCh.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\Documents and Settings\Tommy\bm2m9o4vp9.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\Documents and Settings\Tommy\c4m2m9o4vp9.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\Documents and Settings\Tommy\setupdc.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\Documents and Settings\Tommy\v3z7t1l1m4.exe
Found malware: Backdoor:Win32/IRCbot.gen!O in file://C:\Program Files\Outlook Express\xcm1l3e9f4n7.exe

Extended Scan Removal Results
----------------
Start 'remove' for process://pid:1204
Operation succeeded !

Start 'remove' for service://WinSoft Service Controler
Operation succeeded !

Start 'remove' for service://Regview Controler
Operation succeeded !

Start 'remove' for winlogonshell://HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe %windir%\system32\drivers\Regview.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\WinMgmt.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\Regview.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\DrsCh.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\dllview.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\DllSrv.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\DelSrv.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\Program Files\Outlook Express\xcm1l3e9f4n7.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\Documents and Settings\Tommy\v3z7t1l1m4.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\Documents and Settings\Tommy\setupdc.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\Documents and Settings\Tommy\c4m2m9o4vp9.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\Documents and Settings\Tommy\bm2m9o4vp9.exe
Operation succeeded !


Results Summary:
----------------
Found Backdoor:Win32/IRCbot.gen!O and Removed!

Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 22 04:50:53 2009

=============================================================================

ClamWin Full Scan:

Scan Started Wed Apr 22 05:08:20 2009

-------------------------------------------------------------------------------



C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied

C:\WINDOWS\system32\config\default: Permission denied

C:\WINDOWS\system32\config\SAM: Permission denied

C:\WINDOWS\system32\config\SECURITY: Permission denied

C:\WINDOWS\system32\config\software: Permission denied

C:\WINDOWS\system32\config\system: Permission denied



C:\Documents and Settings\Tommy\3z7t1l1m4.exe: Trojan.Agent-86871 FOUND

C:\Documents and Settings\Tommy\athayt5.exe: Trojan.Agent-81492 FOUND

C:\Documents and Settings\Tommy\b2e5i6o6r1i8.exe: Trojan.Agent-86871 FOUND

C:\Documents and Settings\Tommy\bm1l3e9f4n7.exe: Trojan.Poison-60 FOUND

C:\Documents and Settings\Tommy\kshd.exe: Trojan.Agent-87162 FOUND

C:\Documents and Settings\Tommy\vdshd.exe: Trojan.Agent-87162 FOUND

C:\m2u8g3w9e4i1.exe: Trojan.Poison-60 FOUND

C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND

C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.4518\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND

C:\WINDOWS\Installer\9c031f.msp: W32.Virut.Gen.D-163 FOUND

C:\x9r5w5s2y2x6.exe: Trojan.Poison-60 FOUND

C:\x9y9d3e5l9y.exe: Trojan.Agent-81492 FOUND

C:\x9y9d3e5l9y8.exe: Trojan.Agent-81492 FOUND

C:\y3q2s3w17m5.exe: Trojan.Agent-86871 FOUND


----------- SCAN SUMMARY -----------

Known viruses: 544200

Engine version: 0.95.1

Scanned directories: 2439

Scanned files: 17032

Infected files: 14



Data scanned: 5728.74 MB

Data read: 3378.80 MB (ratio 1.70:1)

Time: 4108.703 sec (68 m 28 s)

--------------------------------------

Completed

--------------------------------------


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:00 AM

Posted 28 April 2009 - 04:02 AM

OTListIt2 Fix step

Open OTListIt2, then do the following.

Copy/paste the following into the Custom Scans/Fixes box and then click on the Run Fix button.

:processes
explorer.exe

:OTLI
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell - "" = AutoRun
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{2112cb4d-2131-11de-a880-0015af94fedb}\Shell\AutoRun\command - "" = G:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{2112cb4d-2131-11de-a880-0015af94fedb}\Shell\open\command - "" = G:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{308382d6-b94b-11dd-a6d4-0015af94fedb}\Shell - "" = AutoRun
O33 - MountPoints2\{308382d6-b94b-11dd-a6d4-0015af94fedb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{308382d6-b94b-11dd-a6d4-0015af94fedb}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{88af1146-1981-11de-a852-0015af94fedb}\Shell\AutoRun\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{88af1146-1981-11de-a852-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{a0dc01c6-4ded-11dd-a586-0015af94fedb}\Shell\AutoRun\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{a0dc01c6-4ded-11dd-a586-0015af94fedb}\Shell\open\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{a0dc01c9-4ded-11dd-a586-0015af94fedb}\Shell\AutoRun\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{a0dc01c9-4ded-11dd-a586-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{cfda587e-175f-11de-a849-0015af94fedb}\Shell\AutoRun\command - "" = F:\RECYCLER\S-53-6-22-3434476501-1644491937-600003330-1213\DelSrv.exe -- File not found
O33 - MountPoints2\{cfda587e-175f-11de-a849-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-6-22-3434476501-1644491937-600003330-1213\DelSrv.exe -- File not found
O33 - MountPoints2\{f4c494c8-4f5b-11dd-a58a-0015af94fedb}\Shell\AutoRun\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{f4c494c8-4f5b-11dd-a58a-0015af94fedb}\Shell\open\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{f6df12f4-4f21-11dd-a588-0015af94fedb}\Shell\AutoRun\command - "" = H:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{f6df12f4-4f21-11dd-a588-0015af94fedb}\Shell\open\command - "" = H:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
[2009/04/21 11:13:05 | 00,184,365 | ---- | C] () -- C:\b3p3b1o6f7l4.exe
[2009/04/20 10:28:41 | 00,040,493 | ---- | C] () -- C:\r6u9k2l4e6a4.exe
[2009/04/03 01:28:15 | 00,028,205 | ---- | C] (Software) -- C:\d6u8d7y9c2k8.exe
[2009/03/30 13:57:02 | 00,012,800 | ---- | C] () -- C:\murkrow.exe
[2009/03/30 13:57:00 | 00,061,958 | ---- | C] () -- C:\x9r5w5s2ye.exe
[2009/03/28 02:01:32 | 00,045,101 | ---- | C] (Microsoft) -- C:\x9r5w5s2y2x6.exe
[2009/03/27 16:34:05 | 00,045,101 | ---- | C] (Microsoft) -- C:\m2u8g3w9e4i1.exe
[2009/04/22 03:12:17 | 00,184,365 | ---- | M] () -- C:\b3p3b1o6f7l4.exe
[2009/04/20 10:28:42 | 00,040,493 | ---- | M] () -- C:\r6u9k2l4e6a4.exe
[2009/04/06 17:53:05 | 00,028,205 | ---- | M] (Software) -- C:\d6u8d7y9c2k8.exe
[2009/03/31 16:39:13 | 00,045,101 | ---- | M] (Microsoft) -- C:\x9r5w5s2y2x6.exe
[2009/03/30 16:04:23 | 00,045,101 | ---- | M] (Microsoft) -- C:\m2u8g3w9e4i1.exe
[2009/03/30 14:23:50 | 00,012,800 | ---- | M] () -- C:\murkrow.exe
[2009/03/30 14:23:48 | 00,061,958 | ---- | M] () -- C:\x9r5w5s2ye.exe
[2009/03/24 16:06:58 | 00,026,157 | ---- | M] (XTH) -- C:\k8m1l3e9f4n7.exe

:files
C:\Documents and Settings\Tommy\3z7t1l1m4.exe
C:\Documents and Settings\Tommy\athayt5.exe
C:\Documents and Settings\Tommy\b2e5i6o6r1i8.exe
C:\Documents and Settings\Tommy\bm1l3e9f4n7.exe
C:\Documents and Settings\Tommy\kshd.exe
C:\Documents and Settings\Tommy\vdshd.exe
C:\m2u8g3w9e4i1.exe
C:\WINDOWS\Installer\9c031f.msp
C:\x9r5w5s2y2x6.exe
C:\x9y9d3e5l9y.exe
C:\x9y9d3e5l9y8.exe
C:\y3q2s3w17m5.exe

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Let it run the fix. A log will then pop up on your screen after the fix finishes. If it needs a reboot, just let it. Post that log in your next reply.




Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds.
    • Now, go to Settings >> Change Settings
    • Go to the Actions tab >> under the Objects section, change the settings to the following:
      • Infected objects - Cure
      • Incurable objects - Report
      • Suspicious objects - Report
    • Don't change any other settings.
  • Start the scan again. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Report incurable (this means take no action: don't "move", "rename" or "delete").
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
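The O33 MountPoints2 entries the fix above clears are per-volume autorun handlers; the interesting ones point at executables under RECYCLER\S-... and RESTORE\ folders on removable drives, which is how the IRCbot droppers found by MSRT re-seeded the machine from USB sticks. As an added example (not part of fenzodahl512's reply or of OTListIt2), the Python below parses lines in that O33 format and grades each command; the sample lines are constructed to mirror the log, and the all-zero GUID entry is a placeholder.

```python
"""Triage OTL 'O33 - MountPoints2' autorun entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample mirroring the O33 lines in the thread; the last line
# (all-zero GUID) is a placeholder entry, not from the log.
SAMPLE_O33 = r"""
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell - "" = AutoRun
O33 - MountPoints2\{2112cb4c-2131-11de-a880-0015af94fedb}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{88af1146-1981-11de-a852-0015af94fedb}\Shell\open\command - "" = F:\RECYCLER\S-53-4-22-3434476501-1644491937-600003330-1213\DrsCh.exe -- File not found
O33 - MountPoints2\{a0dc01c6-4ded-11dd-a586-0015af94fedb}\Shell\AutoRun\command - "" = F:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe -- File not found
O33 - MountPoints2\{00000000-0000-0000-0000-000000000000}\Shell\open\command - "" = E:\setup.exe -- File not found
"""

# Only the ...\Shell\<verb>\command lines carry an executable; the bare
# "Shell - "" = AutoRun" lines just select the default verb and are skipped.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "" = (?P<cmd>.+?)(?: -- File not found)?$'
)


@dataclass(frozen=True)
class Finding:
    volume_key: str   # MountPoints2 subkey: volume GUID or drive letter
    verb: str         # AutoRun (on insertion) or open (on double-click)
    command: str      # executable the shell would launch
    severity: str     # high / medium / low
    reason: str


def classify(command: str) -> tuple[str, str]:
    """Grade one autorun command by where it points."""
    p = command.lower()
    m = re.search(r'\\recycler\\(s-[\d-]+)\\', p)
    if m:
        sid = m.group(1)
        # Real recycle-bin subfolders are named after user SIDs, which
        # always start with S-1-; anything else is a lookalike folder.
        if not sid.startswith('s-1-'):
            return 'high', f'RECYCLER subfolder {sid!r} is not a valid Windows SID'
        return 'high', 'executable launched from the RECYCLER folder'
    if '\\restore\\' in p:
        return 'high', 'executable launched from a RESTORE folder (not a Windows restore location)'
    if p.endswith('\\launchu3.exe'):
        return 'low', 'U3 smart-drive launcher (stale entry, usually benign)'
    return 'medium', 'autorun/open command registered for a removable volume'


def scan_o33(text: str) -> list[Finding]:
    """Parse every O33 command line in an OTL log and return graded findings."""
    findings = []
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if not m:
            continue
        severity, reason = classify(m['cmd'])
        findings.append(Finding(m['key'], m['verb'], m['cmd'], severity, reason))
    return findings


if __name__ == '__main__':
    for f in scan_o33(SAMPLE_O33):
        print(f'{f.severity:6} {f.verb:7} {f.command}  <- {f.reason}')
```

Feed it the O33 section of a real OTListIt2 log to get the same triage; a "File not found" status only means the stick is not currently inserted, not that the handler is harmless.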


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:00 AM

Posted 03 May 2009 - 05:49 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





