
winAV2008 infection


  • This topic is locked
14 replies to this topic

#1 J Lippard

J Lippard

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 30 May 2009 - 07:15 AM

Hi There,

About a week ago I started getting pop-ups from win antivirus 2008 claiming my computer was infected; the spelling mistakes on the pop-up gave it away as an intruder and a quick search on the net confirmed it. Apparently winAV opens a back door to let in other viruses/trojans and worms.

I stopped win Av with task manager and msconfig, along with anything else I could find that looked suspicious as nothing was picked up in comodo scans, however I'm still having issues with suspicious browser activity (search results being redirected via 'windowsclick.com' and random crashes) and I'm having trouble installing extra security programs.

Any advice on what I can do to rectify the situation would be much appreciated, my hijackthis log is below, if you need any further info I will gladly provide whatever I can.

Thanks very much for reading.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:24, on 30/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Mxvgautil.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\IR Connect\Utils\Firebird\bin\fbserver.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\IR Connect\Live\irTill-mmf.exe
C:\IR Connect\jre6\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\IR Connect\Ocius for PC\OCIUS4PC.exe
C:\IR Connect\Live\interconnect.exe
C:\IR Connect\jre6\bin\javaw.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockyhorrors.co.uk/
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Mxvgautil] C:\WINDOWS\system32\Mxvgautil.EXE
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183634509812
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Biometric Authentication Service (DpHost) - Digital Persona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\IR Connect\Utils\Firebird\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5944 bytes


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 31 May 2009 - 09:57 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 J Lippard

J Lippard
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 01 June 2009 - 05:54 AM

Hi Sam,

Thanks for your reply...



After much reading and research I've managed to manually delete a number of suspicious files over the last few days, which has alleviated quite a few of the problems. However I think there is still some work to be done and any help you can give me would be very much appreciated.

I tried installing MBAM last week when this problem first arose, and I was able to install it but it would not run. I just tried uninstalling the old version, re-downloading it from the link you gave me and installing again, but I had exactly the same problem. Any suggestions?



Here is an updated HJT log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:19, on 01/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\IR Connect\Utils\Firebird\bin\fbserver.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Mxvgautil.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\IR Connect\Live\irTill-mmf.exe
C:\IR Connect\jre6\bin\javaw.exe
C:\IR Connect\Ocius for PC\OCIUS4PC.exe
C:\IR Connect\Live\interconnect.exe
C:\IR Connect\jre6\bin\javaw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockyhorrors.co.uk/
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Mxvgautil] C:\WINDOWS\system32\Mxvgautil.EXE
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\Rocky Horrors\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183634509812
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Biometric Authentication Service (DpHost) - Digital Persona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\IR Connect\Utils\Firebird\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

--
End of file - 5809 bytes
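The two O4 entries a helper would single out in the log above are an autorun named SVCHOST.EXE that launches from C:\WINDOWS\system32\drivers (the real svchost.exe lives in system32 itself) and the "realteks" entry whose target sits under the user's Application Data folder. The script below is an added example, not part of the thread or of HijackThis, that applies exactly those two checks to O4 lines; the sample lines are copied from the posted log, and the table of expected directories is an assumed, non-exhaustive list for Windows XP.

```python
"""Triage helper for HijackThis O4 (autorun) lines.

Flags (1) a well-known Windows binary name launched from a directory where
that binary does not normally live, and (2) an autorun target that lives
under a user profile.  Both are heuristics for a human to review, not proof
of infection.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: O4 entries copied from the HijackThis log posted above.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s',
    r'O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\Rocky Horrors\Application Data\Google\uqrke8412012.exe" 2',
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
]

# Assumed table (Windows XP, default install): where these binaries legitimately
# live.  Keys and directories are compared lower-case.
EXPECTED_DIRS = {
    "svchost.exe": {"c:\\windows\\system32"},
    "ctfmon.exe": {"c:\\windows\\system32"},
    "lsass.exe": {"c:\\windows\\system32"},
    "winlogon.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}

# Path fragments that place a target inside a user profile (lower-case match).
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")

# "O4 - <hive>\..\Run: [<name>] <command line>"; Global Startup lines do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def extract_target(cmd: str) -> str:
    """Return the executable path from an autorun command line.

    A quoted path is taken up to the closing quote; otherwise the first
    whitespace-separated token is the target (arguments and HijackThis'
    trailing "(User '...')" annotation are dropped).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_o4(line: str) -> Dict[str, object]:
    """Parse one O4 line and return the parsed fields plus a list of flags."""
    m = O4_RE.match(line)
    if not m:
        return {"line": line, "parsed": False, "flags": []}
    target = extract_target(m.group("cmd"))
    low = target.lower()
    base = low.rsplit("\\", 1)[-1]
    directory = low.rsplit("\\", 1)[0] if "\\" in low else ""

    flags: List[str] = []
    expected: Optional[set] = EXPECTED_DIRS.get(base)
    if expected is not None and directory not in expected:
        flags.append(f"system binary name '{base}' outside its expected directory")
    if any(marker in low for marker in PROFILE_MARKERS):
        flags.append("autorun target lives under a user profile")

    return {
        "line": line,
        "parsed": True,
        "hive": m.group("hive"),
        "name": m.group("name"),
        "target": target,
        "flags": flags,
    }


def suspicious_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the parsed entries that raised at least one flag."""
    return [r for r in (triage_o4(l) for l in lines) if r["flags"]]


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_O4_LINES):
        print(f"[{entry['name']}] {entry['target']}")
        for flag in entry["flags"]:
            print("    -", flag)
```

The same directory check can be run over the "Running processes" section of the log, where the same drivers\svchost.exe appears.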

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 01 June 2009 - 03:37 PM

I will need to see the other log that I requested (from OTListIt) before we can proceed with a fix.


========================================================

#5 J Lippard

J Lippard
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 04 June 2009 - 04:23 AM

Ok, Thanks Sam...

OTListIt logfile created on: 04/06/2009 10:17:43 - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Rocky Horrors\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1007.48 Mb Total Physical Memory | 478.62 Mb Available Physical Memory | 47.51% Memory free
2.37 Gb Paging File | 1.77 Gb Available in Paging File | 74.89% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 21.05 Gb Free Space | 28.25% Space Free | Partition Type: NTFS
Drive D: | 122.72 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-85BCE904C0
Current User Name: Rocky Horrors
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/02/08 14:45:44 | 00,618,232 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
PRC - [2006/01/19 13:46:56 | 00,282,624 | ---- | M] (Digital Persona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe
PRC - [2006/03/23 10:20:46 | 00,045,056 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloSrvce.exe
PRC - [2008/07/10 19:10:22 | 01,531,989 | ---- | M] (The Firebird Project) -- C:\IR Connect\Utils\Firebird\bin\fbserver.exe
PRC - [2005/09/30 20:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2007/06/13 11:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/02/10 10:55:32 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2004/02/10 10:51:30 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/04/28 17:19:50 | 00,066,048 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/12/20 14:29:36 | 00,061,440 | ---- | M] (Generic Provider) -- C:\WINDOWS\system32\Mxvgautil.EXE
PRC - [2008/11/12 11:37:17 | 00,278,264 | ---- | M] (COMODO) -- C:\Program Files\COMODO\SafeSurf\cssurf.exe
PRC - [2009/02/08 14:45:48 | 01,797,880 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
PRC - [2009/05/30 12:23:20 | 00,045,740 | ---- | M] (Mozilla Corporation) -- C:\WINDOWS\system32\drivers\svchost.exe
PRC - [2006/03/23 10:20:56 | 00,118,784 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloDkMon.exe
PRC - [2006/03/23 10:20:40 | 00,147,456 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloTTray.exe
PRC - [2009/02/06 17:39:29 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/02/10 11:10:22 | 00,403,968 | ---- | M] () -- C:\IR Connect\Live\irTill-mmf.exe
PRC - [2007/07/12 02:22:04 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\jre6\bin\javaw.exe
PRC - [2006/02/10 15:15:10 | 00,036,864 | ---- | M] (Commidea LTD) -- C:\IR Connect\Ocius for PC\OCIUS4PC.exe
PRC - [2009/02/10 11:10:10 | 00,403,456 | ---- | M] () -- C:\IR Connect\Live\interconnect.exe
PRC - [2007/07/12 02:22:04 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\jre6\bin\javaw.exe
PRC - [2009/04/24 07:00:56 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/02/28 05:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2009/06/04 10:15:04 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rocky Horrors\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/01/09 15:14:17 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2005/09/30 20:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2009/02/08 14:45:44 | 00,618,232 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe -- (cmdAgent [Auto | Running])
SRV - [2006/01/19 13:46:56 | 00,282,624 | ---- | M] (Digital Persona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe -- (DpHost [Auto | Running])
SRV - [2006/03/23 10:20:46 | 00,045,056 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloSrvce.exe -- (EloSystemService [Auto | Running])
SRV - [2008/07/10 19:10:22 | 01,531,989 | ---- | M] (The Firebird Project) -- C:\IR Connect\Utils\Firebird\bin\fbserver.exe -- (FirebirdServerDefaultInstance [Auto | Running])
SRV - File not found -- -- (gusvc [Disabled | Stopped])
SRV - [2006/02/28 13:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2004/02/24 11:08:52 | 00,400,384 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
DRV - [2004/04/28 18:10:22 | 00,616,124 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2009/02/08 14:45:52 | 00,101,776 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys -- (cmdGuard [System | Running])
DRV - [2008/11/26 11:18:02 | 00,031,504 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys -- (cmdHlp [System | Running])
DRV - [2004/10/12 15:51:16 | 00,041,856 | ---- | M] (DigitalPersona, Inc.) -- C:\WINDOWS\system32\DRIVERS\dpK00701.sys -- (dpK00701 [On_Demand | Stopped])
DRV - [2004/06/22 08:32:34 | 00,154,112 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2006/03/23 10:13:40 | 00,014,848 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\EloBus.sys -- (EloBus [On_Demand | Running])
DRV - [2006/03/23 10:13:42 | 00,081,408 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\EloSer.sys -- (EloSer [On_Demand | Running])
DRV - [2004/02/10 11:17:06 | 00,681,469 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2008/11/26 11:18:02 | 00,079,504 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect [Boot | Running])
DRV - [2006/02/28 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
DRV - [2004/10/12 15:53:14 | 00,045,056 | ---- | M] (DigitalPersona, Inc.) -- C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys -- (UsbdpFP [On_Demand | Stopped])
DRV - [2004/05/18 04:10:00 | 00,070,656 | ---- | M] (WIBU-SYSTEMS AG) -- C:\WINDOWS\SYSTEM32\DRIVERS\WibuKey.sys -- (WIBUKEY [Auto | Running])
DRV - [2003/09/30 04:00:00 | 00,017,408 | ---- | M] (WIBU-SYSTEMS AG) -- C:\WINDOWS\system32\drivers\wibukey2.sys -- (Wibukey2 [On_Demand | Running])
DRV - [2004/12/16 17:35:16 | 00,230,784 | ---- | M] (Generic Provider.) -- C:\WINDOWS\system32\DRIVERS\xVgaMini.sys -- (xVGAMINI [On_Demand | Stopped])
DRV - [2004/12/16 17:35:06 | 00,022,016 | ---- | M] (Generic Provider.) -- C:\WINDOWS\system32\drivers\xvgausb.sys -- (xVGAUSB [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.rockyhorrors.co.uk/
IE - URLSearchHook: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\S-1-5-21-98158670-3228987636-2600416680-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.rockyhorrors.co.uk"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/23 14:50:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/23 14:50:31 | 00,000,000 | ---D | M]

[2009/05/23 14:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Extensions
[2009/05/23 14:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/11/12 11:37:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Firefox\extensions
[2008/11/12 11:37:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/05/23 14:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Firefox\Profiles\qc7jcctf.default\extensions
[2009/05/23 14:50:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/23 14:50:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/24 07:00:58 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 07:00:58 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/01/04 16:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2006/07/05 19:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/01/04 16:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008/03/08 10:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/09/22 20:14:04 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008/04/16 05:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/03/28 19:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/01/04 16:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h ()
O4 - HKLM..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s (COMODO)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Mxvgautil] C:\WINDOWS\system32\Mxvgautil.EXE (Generic Provider)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (Mozilla Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} http://www.bebo.com/files/BeboUploader.5.1.4.cab (Bebo Uploader Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1183634509812 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\cssdll32.dll) - C:\WINDOWS\system32\cssdll32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/05 11:50:29 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\Shell - "" = Autorun
O33 - MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\Shell\AutoRun\command - "" = E:\SSCVIHOST.exe -- File not found
O33 - MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\Shell\Open\command - "" = E:\SSCVIHOST.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/04 10:15:04 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/06/04 10:15:03 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rocky Horrors\Desktop\OTListIt2.exe
[2009/06/01 11:09:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\_comodo_
[2009/06/01 10:28:54 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/01 10:28:51 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/01 10:28:49 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/01 10:28:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/01 10:28:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/01 10:25:31 | 03,371,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rocky Horrors\Desktop\mbam-setup.exe
[2009/05/31 15:43:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/05/30 16:03:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rocky Horrors\Desktop\tweaks
[2009/05/30 12:23:26 | 00,045,740 | ---- | C] (Mozilla Corporation) -- C:\WINDOWS\System32\drivers\svchost.exe
[2009/05/27 13:39:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\VertusTech
[2009/05/24 11:27:39 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/05/23 14:50:30 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/05/19 15:39:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/05/19 15:21:18 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/05/19 15:21:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/05/07 14:15:06 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\nglksu9.tgz
[2009/05/07 11:02:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rocky Horrors\Desktop\new banners
[2008/11/12 11:35:26 | 00,147,192 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2007/10/11 15:16:33 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/07/30 15:41:52 | 00,458,752 | ---- | C] () -- C:\WINDOWS\System32\wibuKJni.dll
[2007/07/26 09:16:47 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/07/05 12:12:00 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\nglksu9.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/02/28 13:00:00 | 00,000,461 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 13:00:00 | 00,000,340 | ---- | C] () -- C:\WINDOWS\System32\qievy86.dll
[2006/02/28 13:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/02/28 13:00:00 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2006/02/28 13:00:00 | 00,000,072 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/02/28 13:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\sllvsws.dll
[2004/06/21 14:22:08 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/06/04 10:15:04 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rocky Horrors\Desktop\OTListIt2.exe
[2009/06/04 10:05:40 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Rocky Horrors\Local Settings\desktop.ini
[2009/06/04 10:02:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/04 10:02:05 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/01 14:37:30 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/01 14:35:31 | 00,000,461 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/01 14:35:31 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/06/01 14:35:31 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/06/01 10:28:54 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/01 10:25:37 | 03,371,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rocky Horrors\Desktop\mbam-setup.exe
[2009/05/30 12:23:20 | 00,045,740 | ---- | M] (Mozilla Corporation) -- C:\WINDOWS\System32\drivers\svchost.exe
[2009/05/27 17:39:25 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2009/05/27 17:39:25 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ctfmon.exe
[2009/05/27 13:51:05 | 00,000,354 | ---- | M] () -- C:\WINDOWS\System32\qievy86.tgz
[2009/05/27 13:51:05 | 00,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
[2009/05/27 13:51:05 | 00,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
[2009/05/27 13:51:05 | 00,000,086 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/07 14:15:06 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\nglksu9.tgz
[2009/05/07 14:15:06 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\nglksu9.dll
[2009/05/07 14:15:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth2.dll
[2009/05/07 14:15:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth1.dll
[2009/05/07 14:15:02 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth2.dll
[2009/05/07 14:15:02 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth1.dll
[2009/05/07 14:15:02 | 00,000,072 | ---- | M] () -- C:\WINDOWS\System32\ssprs.dll
[2009/05/07 08:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\WINDOWS\System32\ctfmonTrojan.txt.exe:SummaryInformation
< End of report >

OTListIt Extras logfile created on: 04/06/2009 10:17:43 - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Rocky Horrors\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1007.48 Mb Total Physical Memory | 478.62 Mb Available Physical Memory | 47.51% Memory free
2.37 Gb Paging File | 1.77 Gb Available in Paging File | 74.89% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 21.05 Gb Free Space | 28.25% Space Free | Partition Type: NTFS
Drive D: | 122.72 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-85BCE904C0
Current User Name: Rocky Horrors
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"3050:TCP" = 3050:TCP:LocalSubNet:Enabled:firebird
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/10/10 13:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2009/05/30 12:23:20 | 00,045,740 | ---- | M] (Mozilla Corporation) -- %windir%\system32\drivers\svchost.exe:*:Enabled:svchost

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2006/10/10 13:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/07/30 16:52:17 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\Live\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary
[2007/07/30 15:42:17 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\Live\jre\bin\javaw.exe:*:Enabled:Java™ Platform SE binary
[2007/05/07 19:28:58 | 00,589,824 | ---- | M] (TightVNC Group) -- C:\Program Files\TightVNC\WinVNC.exe:*:Enabled:TightVNC Win32 Server
[2009/02/10 11:10:10 | 00,403,456 | ---- | M] () -- C:\IR Connect\Live\interconnect.exe:*:Enabled:interconnect
[2007/07/30 16:52:17 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\Training\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary
[2007/07/30 15:42:17 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\Training\jre\bin\javaw.exe:*:Disabled:Java™ Platform SE binary
File not found -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/07/12 02:22:04 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\IR Connect\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary
[2009/05/30 12:23:20 | 00,045,740 | ---- | M] (Mozilla Corporation) -- %windir%\system32\drivers\svchost.exe:*:Enabled:svchost

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00060000-0000-1004-8002-0000C06B5161}" = WIBU-KEY Setup (WIBU-KEY Remove)
"{1B3F405A-0F57-4E73-9AED-95B1DE87AC7D}" = USB 2.0 SVGA Adapter v5.1005.1220.01
"{30B5F3AB-0992-4882-88B3-D1022A4A2857}" = Ocius Installer
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43112657-F829-4F73-92BD-70E3309D9534}" = DigitalPersona Platinum SDK 3.0.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B9E1F148-DCB6-4B18-9AB0-6E855ED809D1}" = DigitalPersona Platinum Fingerprint Recognition Software 3.2.0
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CAL" = Canon Camera Access Library
"COMODO Internet Security" = COMODO Internet Security
"COMODO SafeSurf" = COMODO SafeSurf
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 2.2
"EditPlus 2" = EditPlus 2
"EloTouchscreen" = Elo XP Universal Driver
"EOS Utility" = Canon Utilities EOS Utility
"FBDBServer_1_5_is1" = Firebird 1.5.3.4870
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{30B5F3AB-0992-4882-88B3-D1022A4A2857}" = Ocius Installer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Adapters and Drivers
"TightVNC_is1" = TightVNC 1.3.9
"VLC media player" = VLC media player 0.9.8a
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 19/05/2009 06:35:47 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 19/05/2009 11:02:58 | Computer Name = USER-85BCE904C0 | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.26.0.1002, faulting
module superantispyware.exe, version 4.26.0.1002, fault address 0x000039e0.

Error - 21/05/2009 06:26:26 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application SDFiles.exe, version 1.6.0.4, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 21/05/2009 08:29:14 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 21/05/2009 08:29:26 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 23/05/2009 08:00:06 | Computer Name = USER-85BCE904C0 | Source = Application Error | ID = 1000
Description = Faulting application spywareterminatorshield.exe, version 2.5.0.484,
faulting module spywareterminatorshield.exe, version 2.5.0.484, fault address 0x000eba7c.

Error - 23/05/2009 10:10:07 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application BOC427.EXE, version 4.2.7.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 24/05/2009 07:42:05 | Computer Name = USER-85BCE904C0 | Source = Application Error | ID = 1000
Description = Faulting application spywareterminatorshield.exe, version 2.5.0.484,
faulting module spywareterminatorshield.exe, version 2.5.0.484, fault address 0x000eba7c.

Error - 30/05/2009 07:36:15 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application notepad.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 31/05/2009 09:39:15 | Computer Name = USER-85BCE904C0 | Source = Application Hang | ID = 1002
Description = Hanging application msconfig.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 19/04/2009 07:50:47 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the WZCSVC service.

Error - 26/04/2009 06:11:44 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Firebird Guardian - DefaultInstance service terminated with the
following error: %%1061

Error - 27/04/2009 07:26:20 | Computer Name = USER-85BCE904C0 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000098'
while processing the file 'Services.lnk' on the volume 'HarddiskVolume1'. It has
stopped monitoring the volume.

Error - 27/04/2009 07:27:17 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7034
Description = The Windows Installer service terminated unexpectedly. It has done
this 1 time(s).

Error - 01/06/2009 05:52:24 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 01/06/2009 09:37:50 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2147500053

Error - 01/06/2009 09:42:30 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 02/06/2009 05:07:51 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 03/06/2009 05:07:57 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 04/06/2009 05:07:22 | Computer Name = USER-85BCE904C0 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460


< End of report >

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:47 PM

Posted 04 June 2009 - 10:22 AM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - [2009/05/30 12:23:20 | 00,045,740 | ---- | M] (Mozilla Corporation) -- C:\WINDOWS\system32\drivers\svchost.exe
    O3 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - Reg Error: Key error. File not found
    O4 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (Mozilla Corporation)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
    O33 - MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\Shell - "" = Autorun
    O33 - MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\Shell\AutoRun\command - "" = E:\SSCVIHOST.exe -- File not found
    O33 - MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\Shell\Open\command - "" = E:\SSCVIHOST.exe -- File not found
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL2 log.

=================

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 J Lippard

  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:47 AM

Posted 04 June 2009 - 11:52 AM

Thanks Sam, you're a star!

Here are the results and the new log.
I'll run JavaRa next.

========== OTLISTIT ==========
Process explorer.exe killed successfully!
Process svchost.exe killed successfully!
Registry value HKEY_USERS\S-1-5-21-98158670-3228987636-2600416680-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-21-98158670-3228987636-2600416680-1005\Software\Microsoft\Windows\CurrentVersion\Run\\SVCHOST.EXE deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe moved successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d2f4c47a-71ab-11dc-9574-000bca91801c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d2f4c47a-71ab-11dc-9574-000bca91801c}\ not found.
File E:\SSCVIHOST.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f4c47a-71ab-11dc-9574-000bca91801c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d2f4c47a-71ab-11dc-9574-000bca91801c}\ not found.
File E:\SSCVIHOST.exe not found.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\hsperfdata_Rocky Horrors\2508 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\hsperfdata_Rocky Horrors\3112 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\etilqs_VaK0R4Kdon9KnT9MES2k scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\Perflib_Perfdata_acc.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 06042009_173504

Files moved on Reboot...
File C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\hsperfdata_Rocky Horrors\2508 not found!
File C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\hsperfdata_Rocky Horrors\3112 not found!
File C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\etilqs_VaK0R4Kdon9KnT9MES2k not found!
File C:\Documents and Settings\Rocky Horrors\Local Settings\Temp\Perflib_Perfdata_acc.dat not found!

Registry entries deleted on Reboot...

OTListIt logfile created on: 04/06/2009 17:49:56 - Run 2
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Rocky Horrors\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1007.48 Mb Total Physical Memory | 677.93 Mb Available Physical Memory | 67.29% Memory free
2.37 Gb Paging File | 2.12 Gb Available in Paging File | 89.31% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 21.11 Gb Free Space | 28.32% Space Free | Partition Type: NTFS
Drive D: | 122.72 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-85BCE904C0
Current User Name: Rocky Horrors
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/02/08 14:45:44 | 00,618,232 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
PRC - [2006/01/19 13:46:56 | 00,282,624 | ---- | M] (Digital Persona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe
PRC - [2006/03/23 10:20:46 | 00,045,056 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloSrvce.exe
PRC - [2008/07/10 19:10:22 | 01,531,989 | ---- | M] (The Firebird Project) -- C:\IR Connect\Utils\Firebird\bin\fbserver.exe
PRC - [2005/09/30 20:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2007/06/13 11:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/28 05:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2004/02/10 10:55:32 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2004/02/10 10:51:30 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/04/28 17:19:50 | 00,066,048 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/12/20 14:29:36 | 00,061,440 | ---- | M] (Generic Provider) -- C:\WINDOWS\system32\Mxvgautil.EXE
PRC - [2008/11/12 11:37:17 | 00,278,264 | ---- | M] (COMODO) -- C:\Program Files\COMODO\SafeSurf\cssurf.exe
PRC - [2009/02/08 14:45:48 | 01,797,880 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
PRC - [2006/03/23 10:20:56 | 00,118,784 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloDkMon.exe
PRC - [2006/03/23 10:20:40 | 00,147,456 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloTTray.exe
PRC - [2009/02/06 17:39:29 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/04/24 07:00:56 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/06/04 10:15:04 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rocky Horrors\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/01/09 15:14:17 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2005/09/30 20:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2009/02/08 14:45:44 | 00,618,232 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe -- (cmdAgent [Auto | Running])
SRV - [2006/01/19 13:46:56 | 00,282,624 | ---- | M] (Digital Persona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe -- (DpHost [Auto | Running])
SRV - [2006/03/23 10:20:46 | 00,045,056 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\EloSrvce.exe -- (EloSystemService [Auto | Running])
SRV - [2008/07/10 19:10:22 | 01,531,989 | ---- | M] (The Firebird Project) -- C:\IR Connect\Utils\Firebird\bin\fbserver.exe -- (FirebirdServerDefaultInstance [Auto | Running])
SRV - File not found -- -- (gusvc [Disabled | Stopped])
SRV - [2006/02/28 13:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2004/02/24 11:08:52 | 00,400,384 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
DRV - [2004/04/28 18:10:22 | 00,616,124 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2009/02/08 14:45:52 | 00,101,776 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys -- (cmdGuard [System | Running])
DRV - [2008/11/26 11:18:02 | 00,031,504 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys -- (cmdHlp [System | Running])
DRV - [2004/10/12 15:51:16 | 00,041,856 | ---- | M] (DigitalPersona, Inc.) -- C:\WINDOWS\system32\DRIVERS\dpK00701.sys -- (dpK00701 [On_Demand | Stopped])
DRV - [2004/06/22 08:32:34 | 00,154,112 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2006/03/23 10:13:40 | 00,014,848 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\EloBus.sys -- (EloBus [On_Demand | Running])
DRV - [2006/03/23 10:13:42 | 00,081,408 | R--- | M] (Elo Touchsystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\EloSer.sys -- (EloSer [On_Demand | Running])
DRV - [2004/02/10 11:17:06 | 00,681,469 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2008/11/26 11:18:02 | 00,079,504 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect [Boot | Running])
DRV - [2006/02/28 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
DRV - [2004/10/12 15:53:14 | 00,045,056 | ---- | M] (DigitalPersona, Inc.) -- C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys -- (UsbdpFP [On_Demand | Stopped])
DRV - [2004/05/18 04:10:00 | 00,070,656 | ---- | M] (WIBU-SYSTEMS AG) -- C:\WINDOWS\SYSTEM32\DRIVERS\WibuKey.sys -- (WIBUKEY [Auto | Running])
DRV - [2003/09/30 04:00:00 | 00,017,408 | ---- | M] (WIBU-SYSTEMS AG) -- C:\WINDOWS\system32\drivers\wibukey2.sys -- (Wibukey2 [On_Demand | Running])
DRV - [2004/12/16 17:35:16 | 00,230,784 | ---- | M] (Generic Provider.) -- C:\WINDOWS\system32\DRIVERS\xVgaMini.sys -- (xVGAMINI [On_Demand | Stopped])
DRV - [2004/12/16 17:35:06 | 00,022,016 | ---- | M] (Generic Provider.) -- C:\WINDOWS\system32\drivers\xvgausb.sys -- (xVGAUSB [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.rockyhorrors.co.uk/
IE - URLSearchHook: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\S-1-5-21-98158670-3228987636-2600416680-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.rockyhorrors.co.uk"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/23 14:50:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/23 14:50:31 | 00,000,000 | ---D | M]

[2009/05/23 14:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Extensions
[2009/05/23 14:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/11/12 11:37:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Firefox\extensions
[2008/11/12 11:37:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/05/23 14:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rocky Horrors\Application Data\mozilla\Firefox\Profiles\qc7jcctf.default\extensions
[2009/05/23 14:50:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/23 14:50:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/24 07:00:58 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 07:00:58 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/01/04 16:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2006/07/05 19:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/01/04 16:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008/03/08 10:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/09/22 20:14:04 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008/04/16 05:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/03/28 19:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/01/04 16:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h ()
O4 - HKLM..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s (COMODO)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Mxvgautil] C:\WINDOWS\system32\Mxvgautil.EXE (Generic Provider)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-98158670-3228987636-2600416680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} http://www.bebo.com/files/BeboUploader.5.1.4.cab (Bebo Uploader Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1183634509812 (WUWebControl Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\cssdll32.dll) - C:\WINDOWS\system32\cssdll32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/05 11:50:29 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/04 17:42:59 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/06/04 17:35:04 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/06/04 10:15:03 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rocky Horrors\Desktop\OTListIt2.exe
[2009/06/01 11:09:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\_comodo_
[2009/06/01 10:28:54 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/01 10:28:51 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/01 10:28:49 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/01 10:28:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/01 10:28:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/01 10:25:31 | 03,371,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rocky Horrors\Desktop\mbam-setup.exe
[2009/05/31 15:43:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/05/30 16:03:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rocky Horrors\Desktop\tweaks
[2009/05/27 13:39:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\VertusTech
[2009/05/24 11:27:39 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/05/23 14:50:30 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/05/19 15:39:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/05/19 15:21:18 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/05/19 15:21:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/05/07 14:15:06 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\nglksu9.tgz
[2009/05/07 11:02:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rocky Horrors\Desktop\new banners
[2008/11/12 11:35:26 | 00,147,192 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2007/10/11 15:16:33 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/07/30 15:41:52 | 00,458,752 | ---- | C] () -- C:\WINDOWS\System32\wibuKJni.dll
[2007/07/26 09:16:47 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/07/05 12:12:00 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\nglksu9.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/02/28 13:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/02/28 13:00:00 | 00,000,461 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 13:00:00 | 00,000,340 | ---- | C] () -- C:\WINDOWS\System32\qievy86.dll
[2006/02/28 13:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/02/28 13:00:00 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2006/02/28 13:00:00 | 00,000,072 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/02/28 13:00:00 | 00,000,016 | -H-- | C] () -- C:\WINDOWS\System32\sllvsws.dll
[2004/06/21 14:22:08 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/06/04 17:42:20 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Rocky Horrors\Local Settings\desktop.ini
[2009/06/04 17:38:28 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/04 17:38:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/04 10:15:04 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rocky Horrors\Desktop\OTListIt2.exe
[2009/06/01 14:37:30 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/01 14:35:31 | 00,000,461 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/01 14:35:31 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/06/01 14:35:31 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/06/01 10:28:54 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/01 10:25:37 | 03,371,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rocky Horrors\Desktop\mbam-setup.exe
[2009/05/27 17:39:25 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2009/05/27 17:39:25 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ctfmon.exe
[2009/05/27 13:51:05 | 00,000,354 | ---- | M] () -- C:\WINDOWS\System32\qievy86.tgz
[2009/05/27 13:51:05 | 00,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
[2009/05/27 13:51:05 | 00,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
[2009/05/27 13:51:05 | 00,000,086 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/07 14:15:06 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\nglksu9.tgz
[2009/05/07 14:15:06 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\nglksu9.dll
[2009/05/07 14:15:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth2.dll
[2009/05/07 14:15:04 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\grcauth1.dll
[2009/05/07 14:15:02 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth2.dll
[2009/05/07 14:15:02 | 00,001,024 | ---- | M] () -- C:\WINDOWS\System32\clauth1.dll
[2009/05/07 14:15:02 | 00,000,072 | ---- | M] () -- C:\WINDOWS\System32\ssprs.dll
[2009/05/07 08:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\WINDOWS\System32\ctfmonTrojan.txt.exe:SummaryInformation
< End of report >

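A small parser for the file and alternate-data-stream lines in the OTListIt2 log above, added here as an example; it is not part of the original thread and not OldTimer's code. It assumes only the line layout visible in the log (`[date time | size | attributes | C or M] (Company) -- path`, with the company field absent on directory entries, and `@Alternate Data Stream - N bytes -> path:stream`), and it uses a few lines copied from that log as sample input. The three triage rules (ADS on an executable, double extension, executable in a Windows system directory with an empty company field) are the editor's own heuristics, not anything OTL itself applies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout of an OTL/OTListIt2 file entry as it appears in the log above:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (Company) -- path
# Directory entries carry no "(Company)" field, so that group is optional.
OTL_FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# Alternate data stream entry:  @Alternate Data Stream - N bytes -> path:stream
OTL_ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?):(?P<stream>[^:\\]+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Assumption: Windows XP layout with C: as the system drive, as in the log.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Entry:
    path: str
    size: int
    attrs: str
    company: Optional[str]     # None when OTL prints no field (directories), "" for "()"
    is_dir: bool
    ads: Optional[str] = None  # stream name for ADS entries


def parse_otl_line(line: str) -> Optional[Entry]:
    """Parse one file or ADS line; return None for any other kind of log line."""
    line = line.strip()
    m = OTL_FILE_RE.match(line)
    if m:
        return Entry(path=m["path"], size=int(m["size"].replace(",", "")),
                     attrs=m["attrs"], company=m["company"],
                     is_dir="D" in m["attrs"])
    m = OTL_ADS_RE.match(line)
    if m:
        return Entry(path=m["path"], size=int(m["size"]), attrs="",
                     company=None, is_dir=False, ads=m["stream"])
    return None


def reasons(e: Entry) -> List[str]:
    """Editor's heuristic triage rules (not OTL's); returned in a fixed order."""
    low = e.path.lower()
    name = low.rsplit("\\", 1)[-1]
    found: List[str] = []
    if e.ads is not None and name.endswith(EXEC_EXT):
        found.append("alternate data stream on an executable")
    if name.endswith(EXEC_EXT) and name.count(".") > 1:
        found.append("double extension")  # e.g. something.txt.exe
    if (not e.is_dir and e.company == "" and name.endswith(EXEC_EXT)
            and low.startswith(SYSTEM_DIRS)):
        found.append("binary with no company name in a Windows system directory")
    return found


def triage(lines) -> Dict[str, List[str]]:
    """Map each flagged path to the list of rules it tripped."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_otl_line(line)
        if e is None:
            continue
        hits = reasons(e)
        if hits:
            findings.setdefault(e.path, []).extend(hits)
    return findings


# Sample input: lines copied from the OTListIt2 log posted above.
SAMPLE = [
    r"[2009/06/01 10:28:51 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys",
    r"[2009/05/07 14:15:06 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\nglksu9.dll",
    r"[2009/06/04 17:35:04 | 00,000,000 | ---D | C] -- C:\_OTListIt",
    r"[2009/06/04 17:42:20 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Rocky Horrors\Local Settings\desktop.ini",
    r"@Alternate Data Stream - 120 bytes -> C:\WINDOWS\System32\ctfmonTrojan.txt.exe:SummaryInformation",
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(f"{path}: {'; '.join(why)}")
```

Treat the output as a worklist, not a verdict: an empty company field only means the file carries no company name in its version resource, and the same log lists the Comodo Internet Security binaries cfp.exe and cmdagent.exe with `()` too. The ADS and double-extension hits are the stronger signals; the ctfmonTrojan.txt.exe entry trips both.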
#8 Buckeye_Sam

Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 June 2009 - 10:22 AM

Looks much better. Let's go back to Malwarebytes now and see if you can get it running.


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 J Lippard

Topic Starter
  • Members
  • 7 posts

Posted 09 June 2009 - 06:10 AM

Hi Sam,


Sorry about the late reply, I've been away this weekend.

I still can't get Malwarebytes to start. I tried uninstalling, re-downloading and reinstalling, but still no luck. Any suggestions?

Thanks

jamie

#10 Buckeye_Sam

Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 June 2009 - 08:06 AM

We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#11 J Lippard (Topic Starter)

Posted 09 June 2009 - 10:27 AM

Mmmm, can't get that to run either. It's installed, and when I double click on the desktop I can see it in the Task Manager processes, but nothing else happens, just like MBAM.

#12 Buckeye_Sam (Malware Expert)

Posted 09 June 2009 - 04:17 PM

Combofix does get blocked by some malware, so we need to work around that. Go ahead and delete Combofix.exe off your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#13 J Lippard (Topic Starter)

Posted 17 June 2009 - 04:59 AM

Hi Sam,

Sorry about the late reply.

How safe is it to use ComboFix? I'm just a bit concerned by the warning in one of your previous messages (in red) and the fact that you have to install it with Comodo off. I'll be getting a second computer very soon, so I have been thinking of waiting till then to carry out this next step, as if this computer goes down now I won't be able to get back on the net to sort it out. It seems reasonably stable for the moment at least. Thoughts?

Cheers

J

#14 Buckeye_Sam (Malware Expert)

Posted 17 June 2009 - 10:51 AM

I've advised users in your situation to run Combofix perhaps thousands of times and only had two where we had to perform a repair installation. Combofix is very powerful, but usually the issues come when people try to run scripts on it when they aren't knowledgeable enough to know what they're doing. I don't want you to do anything that you're not comfortable with, but I do feel that the chance of a serious issue occurring is very small. But I'll be here to assist you however you wish to proceed.


========================================================

#15 Buckeye_Sam (Malware Expert)

Posted 26 June 2009 - 01:19 PM

Unfortunately there has been no response.
This thread will now be closed.


========================================================
