
Infected and unable to complete scan


15 replies to this topic

#1 TonyLee

  • Members
  • 8 posts

Posted 21 August 2009 - 11:49 AM

I have this computer that got infected and I can't seem to do much about it. I can't install any antivirus, anti-malware or even HijackThis. I followed the directions and I have the two text files, but when I went to run RootRepeal, it terminated halfway through the scan.

This computer is critical and needs to be fixed. This computer needs to be up 24/7, so downtime needs to be kept to a minimum.
Thanks.


Logs
__________________________


DDS (Ver_09-07-30.01) - NTFSx86
Run by maplerow at 11:41:42.25 on Fri 08/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.746 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\DairyPln\DPProcessControl.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\DairyPln\DPBRID~1.EXE
C:\DairyPln\DPMenue.exe
C:\DairyPln\DPList.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DairyPln\DPSingle.exe
C:\Documents and Settings\maplerow\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [braviax] braviax.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dairyp~1.lnk - c:\dairypln\DPProcessControl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://westfaliasurge.webex.com/client/T27L/support/ieatgpc.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: cbfbfcecaebf - c:\windows\system32\cbfbfcecaebf.dll

============= SERVICES / DRIVERS ===============

R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [2008-1-3 16512]
R1 oxpar;OX16PCI95x Parallel port driver;c:\windows\system32\drivers\oxpar.sys [2008-1-3 76416]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [2008-1-3 53376]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [2008-1-3 5376]
R3 XlonPci;XLON PCI Device Driver;c:\windows\system32\drivers\xlonpci2.sys [2008-1-3 44521]
S2 crbaluscc;Update Driver;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-20 29744]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]

=============== Created Last 30 ================

2009-08-21 09:15 2,855 a------- c:\windows\system32\MRT.PIF
2009-08-21 09:14 <DIR> --d-h--- c:\windows\PIF
2009-08-21 08:21 11,264 a------- c:\windows\system32\braviax.exe
2009-08-21 08:20 116,224 -------- c:\windows\system32\eed5ae935eb1863a334ea3267b9127e2.TMP
2009-08-21 08:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-21 08:06 <DIR> --d----- c:\docume~1\maplerow\applic~1\SUPERAntiSpyware.com
2009-08-20 18:08 16,414 a------- c:\windows\dygynos.com
2009-08-20 18:08 15,565 a------- c:\windows\aseg.inf
2009-08-20 18:08 14,429 a------- c:\windows\system32\ekiwu.lib
2009-08-20 18:08 14,330 a------- c:\program files\common files\giliba.dat
2009-08-20 18:08 14,316 a------- c:\windows\urenaf._sy
2009-08-20 18:08 14,120 a------- c:\windows\yweku.com
2009-08-20 18:08 12,697 a------- c:\windows\system32\madeb._sy
2009-08-20 18:08 11,490 a------- c:\windows\system32\eqetyzego.vbs
2009-08-20 18:08 10,652 a------- c:\docume~1\maplerow\applic~1\tokywa.vbs
2009-08-20 18:08 10,534 a------- c:\program files\common files\awulubag.bat
2009-08-20 18:08 10,489 a------- c:\windows\amyjuleq.reg
2009-08-20 18:07 348,399 a------- c:\windows\system32\_scui.cpl
2009-08-20 16:59 11,264 a------- c:\windows\braviax.exe
2009-08-20 16:59 6,144 a------- c:\windows\system32\cru629.dat
2009-08-20 16:59 6,144 a------- c:\windows\cru629.dat
2009-08-20 16:58 190,539 a------- c:\windows\system32\wisdstr.exe
2009-08-20 16:58 29,184 a------- c:\windows\system32\dllcache\beep.sys
2009-08-20 16:54 147,456 a------- c:\windows\msa.exe
2009-08-05 15:06 150,544 a------- c:\windows\system32\ff242b5ae9bb6072db784de71dbde5b7.exe
2009-08-05 15:06 124,448 a------- c:\windows\system32\fbb41911f6dd0077145dc92caba2412c.exe
2009-08-05 15:06 244,752 a------- c:\windows\system32\f2fb45d62b63da14552dfebec5c1dc84.exe
2009-08-03 14:58 372 a------- c:\windows\system32\DPAlarm.dpx
2009-07-31 14:38 <DIR> --d----- C:\DairyPln
2009-07-31 07:03 0 a------- c:\windows\system32\WebEx Document Loader Port
2009-07-30 10:37 40,934,024 a------- C:\prengers.dpb
2009-07-30 10:29 40,929,052 a------- C:\cd row.dpb
2009-07-29 15:16 <DIR> --d----- C:\dpupdate
2009-07-29 10:23 150,544 a------- c:\windows\system32\abf47eb5ee7139b54cbe7768b90139d1.exe
2009-07-29 10:23 124,448 a------- c:\windows\system32\9c40a2663de5acf80addd02fd0ccbc7b.exe
2009-07-29 10:23 244,752 a------- c:\windows\system32\7be51a00f58ce39c3b855af44043e326.exe
2009-07-28 10:19 116,224 -------- c:\windows\system32\cbfbfcecaebf.dll

==================== Find3M ====================

2009-08-20 18:08 16,493 a------- c:\program files\common files\oborovag.inf
2009-08-20 18:08 15,955 a------- c:\program files\common files\fyly.ban
2009-08-20 18:08 14,412 a------- c:\program files\common files\imaqos.db
2009-08-20 18:08 14,108 a------- c:\program files\common files\ajiqe.inf
2009-08-20 17:58 29,184 a------- c:\windows\system32\drivers\beep.sys
2009-08-06 15:07 192,529 a------- c:\windows\system32\kdpini.dll
2008-01-17 14:59 56,912 a------- c:\documents and settings\maplerow\g2mdlhlpx.exe

============= FINISH: 11:41:52.89 ===============


#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts

Posted 23 August 2009 - 04:00 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 TonyLee

  • Topic Starter

  • Members
  • 8 posts

Posted 24 August 2009 - 02:01 PM

Ok, I did what you asked. I couldn't extract the files, so I ran it on another PC and then copied the files over. I did everything that was stated, but I don't think much has changed. I still can't install an antivirus or go to an antivirus website.

Here is the log from SDFix.

SDFix: Version 1.240
Run by maplerow on Mon 08/24/2009 at 02:40 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 29184 08/20/2009 05:58 PM
"C:\WINDOWS\system32\drivers\beep.sys" 29184 08/20/2009 05:58 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM



Checking Files :

Trojan Files Found:

C:\DOCUME~1\MAPLEROW\COOKIES\OTUPUJAH._SY - Deleted
C:\DOCUME~1\maplerow\LOCALS~1\Temp\a.exe - Deleted
C:\DOCUME~1\maplerow\LOCALS~1\Temp\b.exe - Deleted
C:\DOCUME~1\maplerow\LOCALS~1\Temp\e.exe - Deleted
C:\WINDOWS\urenaf._sy - Deleted
C:\WINDOWS\system32\madeb._sy - Deleted
C:\WINDOWS\braviax.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\system32\_scui.cpl - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 14:43:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9DD5BA46D7EF5FB3BD2B9F7DAA9907A7]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9DD5BA46D7EF5FB3BD2B9F7DAA9907A7\0000]
"Service"="9dd5ba46d7ef5fb3bd2b9f7daa9907a7"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="9dd5ba46d7ef5fb3bd2b9f7daa9907a7"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7]
"c"="&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=9dd5ba46d7ef5fb3bd2b9f7daa9907a7&path=system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys&wmid=Dnr006&idate=2009-06-09 11:10:16:328&last_download_time=2009-8-18 7:45:2.390&first_skip=1&last_update_ip_pos=0&fails_0=1"
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Tag"=dword:00000006
"ImagePath"=str(2):"system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys"
"DisplayName"="9dd5ba46d7ef5fb3bd2b9f7daa9907a7"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crbaluscc]
"DisplayName"="Update Driver"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crbaluscc\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\awxqsr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_9DD5BA46D7EF5FB3BD2B9F7DAA9907A7]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_9DD5BA46D7EF5FB3BD2B9F7DAA9907A7\0000]
"Service"="9dd5ba46d7ef5fb3bd2b9f7daa9907a7"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="9dd5ba46d7ef5fb3bd2b9f7daa9907a7"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7]
"c"="&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=9dd5ba46d7ef5fb3bd2b9f7daa9907a7&path=system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys&wmid=Dnr006&idate=2009-06-09 11:10:16:328&last_download_time=2009-8-18 7:45:2.390&first_skip=1&last_update_ip_pos=0&fails_0=1"
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Tag"=dword:00000006
"ImagePath"=str(2):"system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys"
"DisplayName"="9dd5ba46d7ef5fb3bd2b9f7daa9907a7"
"Group"="System Bus Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\crbaluscc]
"DisplayName"="Update Driver"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Manages IP
Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AWS\\WeatherBug\\Weather.exe"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe:*:Enabled:Run WeatherBug"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts

Posted 25 August 2009 - 10:03 AM

We need to create an OTL report.
  • Please download OTL from here.
  • Save it to your desktop.
  • Double-click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.


#5 TonyLee

  • Topic Starter

  • Members
  • 8 posts

Posted 25 August 2009 - 12:16 PM

Here is the OTL log


OTL logfile created on: 8/25/2009 1:10:38 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\maplerow\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.54 Mb Total Physical Memory | 498.15 Mb Available Physical Memory | 48.76% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 4095 4095 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 63.78 Gb Free Space | 85.67% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MRDROTARY
Current User Name: maplerow
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/04/17 13:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE
PRC - [2006/04/17 13:41:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXPPS.EXE
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/07/26 21:03:46 | 00,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
PRC - [2009/01/22 17:16:23 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/08/21 17:33:22 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2006/05/12 19:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe
PRC - [2004/08/04 07:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2009/01/22 17:16:23 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/07/26 21:03:44 | 00,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
PRC - [2007/09/11 20:58:28 | 01,015,808 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/10/20 19:23:38 | 00,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/08/30 10:09:06 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2006/04/07 19:02:24 | 01,343,488 | ---- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2008/10/08 02:37:57 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/03/13 15:51:06 | 00,421,888 | ---- | M] (WestfaliaSurge GmbH) -- C:\DairyPln\DPProcessControl.exe
PRC - [2008/08/30 10:09:06 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2004/11/29 11:27:36 | 00,045,056 | ---- | M] () -- C:\DairyPln\DPBridgeNTalk.exe
PRC - [2007/03/13 15:58:24 | 00,172,032 | ---- | M] (WestfaliaSurge GmbH) -- C:\DairyPln\DPMenue.exe
PRC - [2007/03/13 15:54:28 | 00,204,800 | ---- | M] (WestfaliaSurge GmbH) -- C:\DairyPln\DPList.exe
PRC - [2007/03/13 15:53:20 | 00,299,008 | ---- | M] (WestfaliaSurge GmbH) -- C:\DairyPln\DPSingle.exe
PRC - [2009/08/25 13:00:14 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/06/20 16:30:18 | 00,079,168 | ---- | M] () -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon [Auto | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/08/30 10:09:06 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-061008-081103 [On_Demand | Stopped])
SRV - [2009/04/29 22:25:07 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2004/08/04 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/07/26 21:03:46 | 00,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe -- (IAANTMON [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/01/22 17:16:23 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/04/17 13:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/21 17:33:22 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/05/12 19:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4 [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/09/11 20:58:26 | 00,306,176 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2001/08/17 15:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2004/08/04 01:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2001/08/17 15:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 15:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2007/09/11 21:23:54 | 00,161,792 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2007/06/20 16:30:20 | 00,010,480 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND [Auto | Running])
DRV - File not found -- -- (catchme [On_Demand | Running])
DRV - [2001/08/17 15:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 15:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2001/08/17 14:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2004/08/12 19:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/09/11 21:07:18 | 00,305,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2001/08/17 15:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2007/08/21 17:32:58 | 06,810,048 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005/11/15 05:23:00 | 00,016,512 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxmf.sys -- (oxmf [System | Running])
DRV - [2005/11/15 05:24:00 | 00,005,376 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxmfuf.sys -- (Oxmfuf [On_Demand | Running])
DRV - [2005/11/15 05:24:00 | 00,076,416 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxpar.sys -- (oxpar [System | Running])
DRV - [2005/11/15 05:25:00 | 00,053,376 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxser.sys -- (oxser [System | Running])
DRV - [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2001/08/17 15:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 15:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 15:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/09/11 20:58:28 | 00,392,960 | ---- | M] (Sensaura) -- C:\WINDOWS\System32\drivers\Senfilt.sys -- (SenFiltService [On_Demand | Running])
DRV - [2004/08/04 01:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 16:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2001/08/17 16:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 16:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 16:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 16:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2001/08/17 15:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2004/09/28 09:41:34 | 00,023,040 | R--- | M] (Thesycon GmbH, Germany) -- C:\WINDOWS\System32\Drivers\usbio.sys -- (usbio [On_Demand | Running])
DRV - [2008/01/17 15:12:38 | 00,044,521 | ---- | M] (DH electronics GmbH) -- C:\WINDOWS\System32\drivers\xlonpci2.sys -- (XlonPci [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\S-1-5-21-2364252926-392894792-758296824-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/22 17:16:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/24 14:34:32 | 00,000,000 | ---D | M]


O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-2364252926-392894792-758296824-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PC Antispyware 2010] C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe File not found
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-2364252926-392894792-758296824-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2364252926-392894792-758296824-1005..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dairy Plan Process Control.lnk = C:\DairyPln\DPProcessControl.exe (WestfaliaSurge GmbH)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2364252926-392894792-758296824-1005\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2364252926-392894792-758296824-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://westfaliasurge.webex.com/client/T27...ort/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.103
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\cbfbfcecaebf: DllName - C:\WINDOWS\system32\cbfbfcecaebf.dll - C:\WINDOWS\System32\cbfbfcecaebf.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 19:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{65c611f2-fbf4-11dc-ac51-001d0925ea9e}\Shell - "" = AutoRun
O33 - MountPoints2\{65c611f2-fbf4-11dc-ac51-001d0925ea9e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7dae5d84-ba51-11dc-ac16-001d0925ea9e}\Shell - "" = AutoRun
O33 - MountPoints2\{7dae5d84-ba51-11dc-ac16-001d0925ea9e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7dae5d84-ba51-11dc-ac16-001d0925ea9e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{96149d9e-84d8-11dd-acac-001d0925ea9e}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- File not found
O33 - MountPoints2\{96b4d23d-04e5-11dd-ac53-001d0925ea9e}\Shell - "" = AutoRun
O33 - MountPoints2\{96b4d23d-04e5-11dd-ac53-001d0925ea9e}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/25 13:07:33 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe
[2009/08/24 14:45:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/08/24 14:45:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/08/24 14:45:16 | 00,000,000 | ---D | C] -- C:\a7d2cc2c1d58ab75fcad28777deacc93
[2009/08/24 14:44:59 | 00,000,000 | ---D | C] -- C:\e0528f5635974324e7
[2009/08/24 14:39:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/08/24 14:33:30 | 00,000,000 | ---D | C] -- C:\3117f8f2921fc6ba5103
[2009/08/24 14:29:35 | 00,000,000 | ---D | C] -- C:\SDFix
[2009/08/21 11:42:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\maplerow\My Documents\Tony Phillips
[2009/08/21 11:41:27 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\maplerow\My Documents\dds.scr
[2009/08/21 11:03:17 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/08/21 10:50:29 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\maplerow\Desktop\zoom.exe
[2009/08/21 09:15:28 | 00,002,855 | ---- | C] () -- C:\WINDOWS\System32\MRT.PIF
[2009/08/21 09:14:55 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/08/21 09:12:00 | 08,798,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\maplerow\Desktop\windows-kb890830-v2.13.exe
[2009/08/21 09:01:54 | 23,635,392 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2009/08/21 08:27:13 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/08/21 08:11:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/08/21 08:06:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\maplerow\Application Data\SUPERAntiSpyware.com
[2009/08/20 18:08:03 | 00,019,379 | ---- | C] () -- C:\Documents and Settings\maplerow\Local Settings\Application Data\pyfexeg.dat
[2009/08/20 18:08:03 | 00,018,595 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\aganiqoc.dl
[2009/08/20 18:08:03 | 00,016,493 | ---- | C] () -- C:\Program Files\Common Files\oborovag.inf
[2009/08/20 18:08:03 | 00,016,414 | ---- | C] () -- C:\WINDOWS\dygynos.com
[2009/08/20 18:08:03 | 00,015,955 | ---- | C] () -- C:\Program Files\Common Files\fyly.ban
[2009/08/20 18:08:03 | 00,015,565 | ---- | C] () -- C:\WINDOWS\aseg.inf
[2009/08/20 18:08:03 | 00,014,429 | ---- | C] () -- C:\WINDOWS\System32\ekiwu.lib
[2009/08/20 18:08:03 | 00,014,412 | ---- | C] () -- C:\Program Files\Common Files\imaqos.db
[2009/08/20 18:08:03 | 00,014,330 | ---- | C] () -- C:\Program Files\Common Files\giliba.dat
[2009/08/20 18:08:03 | 00,014,120 | ---- | C] () -- C:\WINDOWS\yweku.com
[2009/08/20 18:08:03 | 00,014,108 | ---- | C] () -- C:\Program Files\Common Files\ajiqe.inf
[2009/08/20 18:08:03 | 00,012,070 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\fekoc.dll
[2009/08/20 18:08:03 | 00,011,490 | ---- | C] () -- C:\WINDOWS\System32\eqetyzego.vbs
[2009/08/20 18:08:03 | 00,010,652 | ---- | C] () -- C:\Documents and Settings\maplerow\Application Data\tokywa.vbs
[2009/08/20 18:08:03 | 00,010,556 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\belim.pif
[2009/08/20 18:08:03 | 00,010,534 | ---- | C] () -- C:\Program Files\Common Files\awulubag.bat
[2009/08/20 18:08:03 | 00,010,489 | ---- | C] () -- C:\WINDOWS\amyjuleq.reg
[2009/08/20 16:58:11 | 00,190,539 | ---- | C] () -- C:\WINDOWS\System32\wisdstr.exe
[2009/08/20 16:54:31 | 00,147,456 | ---- | C] () -- C:\WINDOWS\msa.exe
[2009/08/20 16:54:28 | 00,000,246 | -H-- | C] () -- C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/08/20 16:54:14 | 00,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/08/05 15:06:46 | 00,150,544 | ---- | C] () -- C:\WINDOWS\System32\ff242b5ae9bb6072db784de71dbde5b7.exe
[2009/08/05 15:06:45 | 00,124,448 | ---- | C] (Norms Inc.) -- C:\WINDOWS\System32\fbb41911f6dd0077145dc92caba2412c.exe
[2009/08/05 15:06:43 | 00,244,752 | ---- | C] (MeCamp Inc.) -- C:\WINDOWS\System32\f2fb45d62b63da14552dfebec5c1dc84.exe
[2009/08/03 15:21:21 | 01,752,576 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\c21us_5212_tcm90-38222.exe
[2009/08/03 15:12:17 | 11,140,096 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\c21update_5212-032_tcm90-38220.exe
[2009/08/03 14:58:06 | 00,000,372 | ---- | C] () -- C:\WINDOWS\System32\DPAlarm.dpx
[2009/08/03 11:22:26 | 00,000,567 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\Shortcut to DPProcessControl.exe.lnk
[2009/07/31 14:42:35 | 00,000,665 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dairy Plan Process Control.lnk
[2009/07/31 14:42:35 | 00,000,572 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAIRYPLAN Menue.lnk
[2009/07/31 14:38:42 | 00,000,000 | ---D | C] -- C:\DairyPln
[2009/07/31 07:03:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\WebEx Document Loader Port
[2009/07/30 10:37:27 | 40,934,024 | ---- | C] () -- C:\prengers.dpb
[2009/07/30 10:35:06 | 40,932,366 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\fowler.dpb
[2009/07/30 10:29:54 | 40,929,052 | ---- | C] () -- C:\cd row.dpb
[2009/07/30 10:25:20 | 40,927,219 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\maplerow d.dpb
[2009/07/29 17:47:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/07/29 15:16:02 | 00,000,000 | ---D | C] -- C:\dpupdate
[2009/07/29 10:23:28 | 00,150,544 | ---- | C] () -- C:\WINDOWS\System32\abf47eb5ee7139b54cbe7768b90139d1.exe
[2009/07/29 10:23:25 | 00,124,448 | ---- | C] (Norms Inc.) -- C:\WINDOWS\System32\9c40a2663de5acf80addd02fd0ccbc7b.exe
[2009/07/29 10:23:22 | 00,244,752 | ---- | C] (MeCamp Inc.) -- C:\WINDOWS\System32\7be51a00f58ce39c3b855af44043e326.exe
[2009/07/28 10:19:56 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\cbfbfcecaebf.dll
[2009/06/09 11:09:49 | 00,192,529 | ---- | C] () -- C:\WINDOWS\System32\kdpini.dll
[2008/01/14 18:10:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/01/04 22:15:00 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/03 22:12:17 | 00,000,606 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2008/01/03 20:35:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\DPDataTest.INI
[2007/12/20 17:39:17 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/12/20 17:18:56 | 00,001,122 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 19:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 19:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 19:00:37 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/11 19:00:35 | 00,000,455 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/11 19:00:16 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/11 19:00:13 | 00,061,952 | ---- | C] () -- C:\WINDOWS\System32\eventlog.dll
[1999/01/22 14:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[2009/08/25 13:00:14 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe
[2009/08/25 08:59:28 | 00,000,606 | ---- | M] () -- C:\WINDOWS\LEXSTAT.INI
[2009/08/24 14:45:42 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/24 14:43:26 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/24 14:41:55 | 00,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/08/24 14:41:50 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/24 14:40:31 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/08/24 14:38:14 | 00,110,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/24 14:36:13 | 00,503,304 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/24 14:36:13 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/24 14:36:13 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/24 14:31:25 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/21 11:34:20 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\maplerow\My Documents\dds.scr
[2009/08/21 10:48:33 | 00,000,455 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/21 09:15:28 | 00,002,855 | ---- | M] () -- C:\WINDOWS\System32\MRT.PIF
[2009/08/21 09:12:01 | 08,798,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\maplerow\Desktop\windows-kb890830-v2.13.exe
[2009/08/20 23:13:59 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\maplerow\Desktop\zoom.exe
[2009/08/20 18:08:03 | 00,019,379 | ---- | M] () -- C:\Documents and Settings\maplerow\Local Settings\Application Data\pyfexeg.dat
[2009/08/20 18:08:03 | 00,018,595 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\aganiqoc.dl
[2009/08/20 18:08:03 | 00,016,493 | ---- | M] () -- C:\Program Files\Common Files\oborovag.inf
[2009/08/20 18:08:03 | 00,016,414 | ---- | M] () -- C:\WINDOWS\dygynos.com
[2009/08/20 18:08:03 | 00,015,955 | ---- | M] () -- C:\Program Files\Common Files\fyly.ban
[2009/08/20 18:08:03 | 00,015,565 | ---- | M] () -- C:\WINDOWS\aseg.inf
[2009/08/20 18:08:03 | 00,014,429 | ---- | M] () -- C:\WINDOWS\System32\ekiwu.lib
[2009/08/20 18:08:03 | 00,014,412 | ---- | M] () -- C:\Program Files\Common Files\imaqos.db
[2009/08/20 18:08:03 | 00,014,330 | ---- | M] () -- C:\Program Files\Common Files\giliba.dat
[2009/08/20 18:08:03 | 00,014,120 | ---- | M] () -- C:\WINDOWS\yweku.com
[2009/08/20 18:08:03 | 00,014,108 | ---- | M] () -- C:\Program Files\Common Files\ajiqe.inf
[2009/08/20 18:08:03 | 00,012,070 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\fekoc.dll
[2009/08/20 18:08:03 | 00,011,490 | ---- | M] () -- C:\WINDOWS\System32\eqetyzego.vbs
[2009/08/20 18:08:03 | 00,010,652 | ---- | M] () -- C:\Documents and Settings\maplerow\Application Data\tokywa.vbs
[2009/08/20 18:08:03 | 00,010,556 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\belim.pif
[2009/08/20 18:08:03 | 00,010,534 | ---- | M] () -- C:\Program Files\Common Files\awulubag.bat
[2009/08/20 18:08:03 | 00,010,489 | ---- | M] () -- C:\WINDOWS\amyjuleq.reg
[2009/08/20 17:59:00 | 00,190,539 | ---- | M] () -- C:\WINDOWS\System32\wisdstr.exe
[2009/08/20 17:58:26 | 00,000,246 | -H-- | M] () -- C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[2009/08/20 17:00:00 | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\Auto_ParlorsSession1.job
[2009/08/20 16:59:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/20 16:54:26 | 00,147,456 | ---- | M] () -- C:\WINDOWS\msa.exe
[2009/08/20 07:01:00 | 00,000,272 | ---- | M] () -- C:\WINDOWS\tasks\RecordFlowMeter.job
[2009/08/20 07:00:00 | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\Auto_ParlorsSession3.job
[2009/08/19 23:30:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\ArchieveFiles.job
[2009/08/19 23:00:00 | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\Auto_ParlorsSession2.job
[2009/08/06 15:07:03 | 00,192,529 | ---- | M] () -- C:\WINDOWS\System32\kdpini.dll
[2009/08/05 15:06:46 | 00,150,544 | ---- | M] () -- C:\WINDOWS\System32\ff242b5ae9bb6072db784de71dbde5b7.exe
[2009/08/05 15:06:45 | 00,124,448 | ---- | M] (Norms Inc.) -- C:\WINDOWS\System32\fbb41911f6dd0077145dc92caba2412c.exe
[2009/08/05 15:06:43 | 00,244,752 | ---- | M] (MeCamp Inc.) -- C:\WINDOWS\System32\f2fb45d62b63da14552dfebec5c1dc84.exe
[2009/08/03 15:22:37 | 00,002,471 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\Copy of Microsoft Excel.lnk
[2009/08/03 15:08:15 | 00,000,372 | ---- | M] () -- C:\WINDOWS\System32\DPAlarm.dpx
[2009/08/03 11:22:26 | 00,000,567 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\Shortcut to DPProcessControl.exe.lnk
[2009/08/03 06:50:01 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\WebEx Document Loader Port
[2009/07/31 14:42:35 | 00,000,665 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dairy Plan Process Control.lnk
[2009/07/31 14:42:35 | 00,000,572 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DAIRYPLAN Menue.lnk
[2009/07/30 10:37:32 | 40,934,024 | ---- | M] () -- C:\prengers.dpb
[2009/07/30 10:35:11 | 40,932,366 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\fowler.dpb
[2009/07/30 10:30:00 | 40,929,052 | ---- | M] () -- C:\cd row.dpb
[2009/07/30 10:25:26 | 40,927,219 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\maplerow d.dpb
[2009/07/29 10:23:28 | 00,150,544 | ---- | M] () -- C:\WINDOWS\System32\abf47eb5ee7139b54cbe7768b90139d1.exe
[2009/07/29 10:23:25 | 00,124,448 | ---- | M] (Norms Inc.) -- C:\WINDOWS\System32\9c40a2663de5acf80addd02fd0ccbc7b.exe
[2009/07/29 10:23:22 | 00,244,752 | ---- | M] (MeCamp Inc.) -- C:\WINDOWS\System32\7be51a00f58ce39c3b855af44043e326.exe
[2009/07/28 14:44:42 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\Metatron Rotary for sort gates.xls
[2009/07/28 10:19:56 | 00,116,224 | ---- | M] () -- C:\WINDOWS\System32\cbfbfcecaebf.dll
< End of report >

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 25 August 2009 - 01:20 PM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [PC Antispyware 2010] C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
    O20 - Winlogon\Notify\cbfbfcecaebf: DllName - C:\WINDOWS\system32\cbfbfcecaebf.dll - C:\WINDOWS\System32\cbfbfcecaebf.dll ()
    
    
    :Files
    C:\Documents and Settings\maplerow\Local Settings\Application Data\pyfexeg.dat
    C:\Documents and Settings\All Users\Documents\aganiqoc.dl
    C:\Program Files\Common Files\oborovag.inf
    C:\WINDOWS\dygynos.com
    C:\Program Files\Common Files\fyly.ban
    C:\WINDOWS\aseg.inf
    C:\WINDOWS\System32\ekiwu.lib
    C:\Program Files\Common Files\imaqos.db
    C:\Program Files\Common Files\giliba.dat
    C:\WINDOWS\yweku.com
    C:\Program Files\Common Files\ajiqe.inf
    C:\Documents and Settings\All Users\Documents\fekoc.dll
    C:\WINDOWS\System32\eqetyzego.vbs
    C:\Documents and Settings\maplerow\Application Data\tokywa.vbs
    C:\Documents and Settings\All Users\Documents\belim.pif
    C:\Program Files\Common Files\awulubag.bat
    C:\WINDOWS\amyjuleq.reg
    C:\WINDOWS\System32\wisdstr.exe
    C:\WINDOWS\msa.exe
    C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
    C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
    C:\WINDOWS\System32\ff242b5ae9bb6072db784de71dbde5b7.exe
    C:\WINDOWS\System32\fbb41911f6dd0077145dc92caba2412c.exe
    C:\WINDOWS\System32\f2fb45d62b63da14552dfebec5c1dc84.exe
    C:\Program Files\PC_Antispyware2010
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.


======================




Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
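The entries the fix script above targets follow three patterns that recur in the OTL log: O4 Run values whose target is "File not found", an O20 Winlogon\Notify DLL with an empty publisher field, and a burst of oddly named files all created in the same second with no publisher. The following Python script is an added example, not part of this thread and not OTL's own code: it applies those three triage rules to a handful of lines copied from the log above (the constructed sample, the rule names and the `burst_min` threshold are my own choices) and returns the hits for a human to review.

```python
import re
from collections import defaultdict

# Constructed sample: a few OTL lines copied from the log posted in this thread.
# The real log has many more entries; these are enough to exercise each rule.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [PC Antispyware 2010] C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\cbfbfcecaebf: DllName - C:\WINDOWS\system32\cbfbfcecaebf.dll - C:\WINDOWS\System32\cbfbfcecaebf.dll ()
[2009/08/20 18:08:03 | 00,016,414 | ---- | C] () -- C:\WINDOWS\dygynos.com
[2009/08/20 18:08:03 | 00,011,490 | ---- | C] () -- C:\WINDOWS\System32\eqetyzego.vbs
[2009/08/20 18:08:03 | 00,010,534 | ---- | C] () -- C:\Program Files\Common Files\awulubag.bat
[2009/08/21 09:01:54 | 23,635,392 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2009/08/25 13:07:33 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe
"""

# O4 autorun line: "O4 - <hive>..\Run: [<name>] <target>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")

# O20 Winlogon Notify line: "... Notify\<key>: DllName - <dll> - <path> (<publisher>)"
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon\\Notify\\(?P<key>[^:]+): DllName - (?P<dll>.*?) - (?P<path>.*?) \((?P<publisher>[^)]*)\)$"
)

# File entry: "[<timestamp> | <size> | <attrs> | C|M] (<publisher>) -- <path>"
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| "
    r"(?P<kind>[CM])\] \((?P<publisher>[^)]*)\) -- (?P<path>.+)$"
)


def triage(log_text, burst_min=3):
    """Apply three review rules to OTL log text and return the hits.

    orphan_autoruns     - Run values whose target file no longer exists
    unknown_notify_dlls - Winlogon Notify DLLs with an empty publisher field
    creation_bursts     - >= burst_min publisher-less files created in the same second
    Every hit is a lead for manual review, not a verdict.
    """
    findings = {"orphan_autoruns": [], "unknown_notify_dlls": [], "creation_bursts": {}}
    created_at = defaultdict(list)  # timestamp -> paths of publisher-less files

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            if m["target"].endswith("File not found"):
                findings["orphan_autoruns"].append(m["name"])
        elif m := NOTIFY_RE.match(line):
            # Notify DLLs load into winlogon.exe; an unknown one with no publisher
            # is the single most interesting line in this kind of log.
            if not m["publisher"].strip():
                findings["unknown_notify_dlls"].append(m["key"])
        elif m := FILE_RE.match(line):
            # Only "C" (created) entries count; "M" is the modified-within-30-days list.
            if m["kind"] == "C" and not m["publisher"].strip():
                created_at[m["ts"]].append(m["path"])

    for ts, paths in created_at.items():
        if len(paths) >= burst_min:
            findings["creation_bursts"][ts] = paths
    return findings


def format_report(findings):
    """Render the findings as plain text, one section per rule."""
    lines = []
    for rule in ("orphan_autoruns", "unknown_notify_dlls"):
        lines.append(f"{rule}: {', '.join(findings[rule]) or 'none'}")
    for ts, paths in findings["creation_bursts"].items():
        lines.append(f"creation burst at {ts}: {len(paths)} files")
        lines.extend(f"    {p}" for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_OTL)))
```

Running it on the sample flags both orphaned Run values, the `cbfbfcecaebf` Notify DLL, and the 18:08:03 file burst, while MRT.exe (publisher-less in OTL's output but alone in its second) and OTL.exe (a named publisher) stay quiet. An orphaned Run value on its own is only cleanup, so the script reports rather than builds a fix; the decision of what goes into a `:OTL` / `:Files` block stays with the person reading the log, as in the post above.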


========================================================

#7 TonyLee

TonyLee
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:30 AM

Posted 28 August 2009 - 01:40 PM

I ran OTC and have the requested logs but I was unable to install Malwarebytes. It shows the 'Select language' screen and then disappears.

Fix Log
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\PC Antispyware 2010 deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbfbfcecaebf\ deleted successfully.
LoadLibrary failed for C:\WINDOWS\System32\cbfbfcecaebf.dll
C:\WINDOWS\System32\cbfbfcecaebf.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\cbfbfcecaebf.dll scheduled to be moved on reboot.
========== FILES ==========
C:\Documents and Settings\maplerow\Local Settings\Application Data\pyfexeg.dat moved successfully.
C:\Documents and Settings\All Users\Documents\aganiqoc.dl moved successfully.
C:\Program Files\Common Files\oborovag.inf moved successfully.
C:\WINDOWS\dygynos.com moved successfully.
C:\Program Files\Common Files\fyly.ban moved successfully.
C:\WINDOWS\aseg.inf moved successfully.
C:\WINDOWS\System32\ekiwu.lib moved successfully.
C:\Program Files\Common Files\imaqos.db moved successfully.
C:\Program Files\Common Files\giliba.dat moved successfully.
C:\WINDOWS\yweku.com moved successfully.
C:\Program Files\Common Files\ajiqe.inf moved successfully.
LoadLibrary failed for C:\Documents and Settings\All Users\Documents\fekoc.dll
C:\Documents and Settings\All Users\Documents\fekoc.dll NOT unregistered.
C:\Documents and Settings\All Users\Documents\fekoc.dll moved successfully.
C:\WINDOWS\System32\eqetyzego.vbs moved successfully.
C:\Documents and Settings\maplerow\Application Data\tokywa.vbs moved successfully.
C:\Documents and Settings\All Users\Documents\belim.pif moved successfully.
C:\Program Files\Common Files\awulubag.bat moved successfully.
C:\WINDOWS\amyjuleq.reg moved successfully.
C:\WINDOWS\System32\wisdstr.exe moved successfully.
C:\WINDOWS\msa.exe moved successfully.
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job moved successfully.
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job moved successfully.
File move failed. C:\WINDOWS\System32\ff242b5ae9bb6072db784de71dbde5b7.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\fbb41911f6dd0077145dc92caba2412c.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\f2fb45d62b63da14552dfebec5c1dc84.exe scheduled to be moved on reboot.
File\Folder C:\Program Files\PC_Antispyware2010 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: DashBoard
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Default User
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 6698515 bytes

User: maplerow
->Temp folder emptied: 210853379 bytes
File delete failed. C:\Documents and Settings\maplerow\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 173548933 bytes
->Java cache emptied: 2618670 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 118801 bytes
Windows Temp folder emptied: 448 bytes
RecycleBin emptied: 134716120 bytes

Total Files Cleaned = 504.29 mb


OTL by OldTimer - Version 3.0.10.7 log created on 08282009_142842

Files\Folders moved on Reboot...
LoadLibrary failed for C:\WINDOWS\System32\cbfbfcecaebf.dll
C:\WINDOWS\System32\cbfbfcecaebf.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\cbfbfcecaebf.dll scheduled to be moved on reboot.
C:\WINDOWS\System32\ff242b5ae9bb6072db784de71dbde5b7.exe moved successfully.
C:\WINDOWS\System32\fbb41911f6dd0077145dc92caba2412c.exe moved successfully.
C:\WINDOWS\System32\f2fb45d62b63da14552dfebec5c1dc84.exe moved successfully.

Registry entries deleted on Reboot...

===================================================================
Scan log

OTL logfile created on: 8/28/2009 2:31:25 PM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\maplerow\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.54 Mb Total Physical Memory | 723.81 Mb Available Physical Memory | 70.85% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 4095 4095 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 64.27 Gb Free Space | 86.34% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MRDROTARY
Current User Name: maplerow
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/04/17 13:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE
PRC - [2006/04/17 13:41:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXPPS.EXE
PRC - [2007/07/26 21:03:46 | 00,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
PRC - [2009/01/22 17:16:23 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/08/21 17:33:22 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/05/12 19:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe
PRC - [2004/08/04 07:00:00 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2004/08/04 07:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2009/01/22 17:16:23 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/07/26 21:03:44 | 00,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
PRC - [2007/09/11 20:58:28 | 01,015,808 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/10/20 19:23:38 | 00,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/08/30 10:09:06 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2007/10/10 23:51:56 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
PRC - [2006/04/07 19:02:24 | 01,343,488 | ---- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2008/10/08 02:37:57 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/03/13 15:51:06 | 00,421,888 | ---- | M] (WestfaliaSurge GmbH) -- C:\DairyPln\DPProcessControl.exe
PRC - [2008/08/30 10:09:06 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2004/11/29 11:27:36 | 00,045,056 | ---- | M] () -- C:\DairyPln\DPBridgeNTalk.exe
PRC - [2009/08/25 13:00:14 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/06/20 16:30:18 | 00,079,168 | ---- | M] () -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon [Auto | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/08/30 10:09:06 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-061008-081103 [On_Demand | Stopped])
SRV - [2009/04/29 22:25:07 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2004/08/04 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/07/26 21:03:46 | 00,358,936 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe -- (IAANTMON [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/01/22 17:16:23 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/04/17 13:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/21 17:33:22 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/05/12 19:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4 [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/09/11 20:58:26 | 00,306,176 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2001/08/17 15:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2004/08/04 01:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2001/08/17 15:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 15:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2007/09/11 21:23:54 | 00,161,792 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2007/06/20 16:30:20 | 00,010,480 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND [Auto | Running])
DRV - [2001/08/17 15:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 15:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2001/08/17 14:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2004/08/12 19:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/09/11 21:07:18 | 00,305,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2001/08/17 15:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2007/08/21 17:32:58 | 06,810,048 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005/11/15 05:23:00 | 00,016,512 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxmf.sys -- (oxmf [System | Running])
DRV - [2005/11/15 05:24:00 | 00,005,376 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxmfuf.sys -- (Oxmfuf [On_Demand | Running])
DRV - [2005/11/15 05:24:00 | 00,076,416 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxpar.sys -- (oxpar [System | Running])
DRV - [2005/11/15 05:25:00 | 00,053,376 | R--- | M] (OEM) -- C:\WINDOWS\System32\DRIVERS\oxser.sys -- (oxser [System | Running])
DRV - [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2001/08/17 15:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 15:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 15:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/09/11 20:58:28 | 00,392,960 | ---- | M] (Sensaura) -- C:\WINDOWS\System32\drivers\Senfilt.sys -- (SenFiltService [On_Demand | Running])
DRV - [2004/08/04 01:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 16:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2001/08/17 16:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 16:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 16:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 16:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2001/08/17 15:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2004/09/28 09:41:34 | 00,023,040 | R--- | M] (Thesycon GmbH, Germany) -- C:\WINDOWS\System32\Drivers\usbio.sys -- (usbio [On_Demand | Running])
DRV - [2008/01/17 15:12:38 | 00,044,521 | ---- | M] (DH electronics GmbH) -- C:\WINDOWS\System32\drivers\xlonpci2.sys -- (XlonPci [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2071220
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKU\S-1-5-21-2364252926-392894792-758296824-1005\S-1-5-21-2364252926-392894792-758296824-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/22 17:16:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/24 14:34:32 | 00,000,000 | ---D | M]


O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-2364252926-392894792-758296824-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-2364252926-392894792-758296824-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2364252926-392894792-758296824-1005..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dairy Plan Process Control.lnk = C:\DairyPln\DPProcessControl.exe (WestfaliaSurge GmbH)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2364252926-392894792-758296824-1005\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2364252926-392894792-758296824-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2364252926-392894792-758296824-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://westfaliasurge.webex.com/client/T27...ort/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.103
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\cbfbfcecaebf: DllName - C:\WINDOWS\system32\cbfbfcecaebf.dll - C:\WINDOWS\System32\cbfbfcecaebf.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 19:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{65c611f2-fbf4-11dc-ac51-001d0925ea9e}\Shell - "" = AutoRun
O33 - MountPoints2\{65c611f2-fbf4-11dc-ac51-001d0925ea9e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7dae5d84-ba51-11dc-ac16-001d0925ea9e}\Shell - "" = AutoRun
O33 - MountPoints2\{7dae5d84-ba51-11dc-ac16-001d0925ea9e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7dae5d84-ba51-11dc-ac16-001d0925ea9e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{96149d9e-84d8-11dd-acac-001d0925ea9e}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- File not found
O33 - MountPoints2\{96b4d23d-04e5-11dd-ac53-001d0925ea9e}\Shell - "" = AutoRun
O33 - MountPoints2\{96b4d23d-04e5-11dd-ac53-001d0925ea9e}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/28 14:28:42 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/08/25 13:07:33 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe
[2009/08/24 14:45:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/08/24 14:39:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/08/24 14:33:30 | 00,000,000 | ---D | C] -- C:\3117f8f2921fc6ba5103
[2009/08/24 14:29:35 | 00,000,000 | ---D | C] -- C:\SDFix
[2009/08/21 11:42:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\maplerow\My Documents\Tony Phillips
[2009/08/21 11:41:27 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\maplerow\My Documents\dds.scr
[2009/08/21 11:03:17 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/08/21 10:50:29 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\maplerow\Desktop\zoom.exe
[2009/08/21 09:15:28 | 00,002,855 | ---- | C] () -- C:\WINDOWS\System32\MRT.PIF
[2009/08/21 09:14:55 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/08/21 09:12:00 | 08,798,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\maplerow\Desktop\windows-kb890830-v2.13.exe
[2009/08/21 09:01:54 | 23,635,392 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2009/08/21 08:27:13 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/08/21 08:11:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/08/21 08:06:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\maplerow\Application Data\SUPERAntiSpyware.com
[2009/08/03 15:21:21 | 01,752,576 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\c21us_5212_tcm90-38222.exe
[2009/08/03 15:12:17 | 11,140,096 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\c21update_5212-032_tcm90-38220.exe
[2009/08/03 14:58:06 | 00,000,372 | ---- | C] () -- C:\WINDOWS\System32\DPAlarm.dpx
[2009/08/03 11:22:26 | 00,000,567 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\Shortcut to DPProcessControl.exe.lnk
[2009/07/31 14:42:35 | 00,000,665 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dairy Plan Process Control.lnk
[2009/07/31 14:42:35 | 00,000,572 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAIRYPLAN Menue.lnk
[2009/07/31 14:38:42 | 00,000,000 | ---D | C] -- C:\DairyPln
[2009/07/31 07:03:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\WebEx Document Loader Port
[2009/07/30 10:37:27 | 40,934,024 | ---- | C] () -- C:\prengers.dpb
[2009/07/30 10:35:06 | 40,932,366 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\fowler.dpb
[2009/07/30 10:29:54 | 40,929,052 | ---- | C] () -- C:\cd row.dpb
[2009/07/30 10:25:20 | 40,927,219 | ---- | C] () -- C:\Documents and Settings\maplerow\Desktop\maplerow d.dpb
[2009/07/29 17:47:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/07/29 15:16:02 | 00,000,000 | ---D | C] -- C:\dpupdate
[2009/07/28 10:19:56 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\cbfbfcecaebf.dll
[2009/06/09 11:09:49 | 00,192,529 | ---- | C] () -- C:\WINDOWS\System32\kdpini.dll
[2008/01/14 18:10:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/01/04 22:15:00 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/03 22:12:17 | 00,000,606 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2008/01/03 20:35:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\DPDataTest.INI
[2007/12/20 17:39:17 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/12/20 17:18:56 | 00,001,122 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 19:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 19:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 19:00:37 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/11 19:00:35 | 00,000,455 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/11 19:00:16 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/11 19:00:13 | 00,061,952 | ---- | C] () -- C:\WINDOWS\System32\eventlog.dll
[1999/01/22 14:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[2009/08/28 14:29:50 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/28 14:29:50 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/28 14:29:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/28 14:13:26 | 00,000,606 | ---- | M] () -- C:\WINDOWS\LEXSTAT.INI
[2009/08/25 13:00:14 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\maplerow\Desktop\OTL.exe
[2009/08/24 14:40:31 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/08/24 14:38:14 | 00,110,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/24 14:36:13 | 00,503,304 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/24 14:36:13 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/24 14:36:13 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/24 14:31:25 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/21 11:34:20 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\maplerow\My Documents\dds.scr
[2009/08/21 10:48:33 | 00,000,455 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/21 09:15:28 | 00,002,855 | ---- | M] () -- C:\WINDOWS\System32\MRT.PIF
[2009/08/21 09:12:01 | 08,798,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\maplerow\Desktop\windows-kb890830-v2.13.exe
[2009/08/20 23:13:59 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\maplerow\Desktop\zoom.exe
[2009/08/20 17:00:00 | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\Auto_ParlorsSession1.job
[2009/08/20 16:59:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/20 07:01:00 | 00,000,272 | ---- | M] () -- C:\WINDOWS\tasks\RecordFlowMeter.job
[2009/08/20 07:00:00 | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\Auto_ParlorsSession3.job
[2009/08/19 23:30:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\ArchieveFiles.job
[2009/08/19 23:00:00 | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\Auto_ParlorsSession2.job
[2009/08/06 15:07:03 | 00,192,529 | ---- | M] () -- C:\WINDOWS\System32\kdpini.dll
[2009/08/03 15:22:37 | 00,002,471 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\Copy of Microsoft Excel.lnk
[2009/08/03 15:08:15 | 00,000,372 | ---- | M] () -- C:\WINDOWS\System32\DPAlarm.dpx
[2009/08/03 11:22:26 | 00,000,567 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\Shortcut to DPProcessControl.exe.lnk
[2009/08/03 06:50:01 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\WebEx Document Loader Port
[2009/07/31 14:42:35 | 00,000,665 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dairy Plan Process Control.lnk
[2009/07/31 14:42:35 | 00,000,572 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DAIRYPLAN Menue.lnk
[2009/07/30 10:37:32 | 40,934,024 | ---- | M] () -- C:\prengers.dpb
[2009/07/30 10:35:11 | 40,932,366 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\fowler.dpb
[2009/07/30 10:30:00 | 40,929,052 | ---- | M] () -- C:\cd row.dpb
[2009/07/30 10:25:26 | 40,927,219 | ---- | M] () -- C:\Documents and Settings\maplerow\Desktop\maplerow d.dpb
< End of report >

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 28 August 2009 - 03:16 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 TonyLee

TonyLee
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 31 August 2009 - 01:25 PM

Ok, I downloaded RootRepeal and moved it to the infected computer, on its desktop. I did get it to run, and it disappeared after 20 seconds or so. Before it disappeared I did see it had two items listed. I don't remember exactly what it said, but it had something to do with the Windows API. Each entry had something to do with it, like it couldn't be read or accessed. I tried to run it again and I got this message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

What else have you got?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 31 August 2009 - 02:38 PM

Let's try this one.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#11 TonyLee

TonyLee
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 31 August 2009 - 03:06 PM

The behavior of GMER was a little different than you stated. It started off scanning, and it said that there was a rootkit detected and asked if I wanted to do a complete scan. The scan only lasted a few minutes and it stopped around the System Restore files. I tried to run it again and I got the same permission message.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 01 September 2009 - 11:53 AM

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#13 TonyLee

TonyLee
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 01 September 2009 - 04:45 PM

Here is the log file.
Thanks.

ComboFix 09-09-01.04 - maplerow 09/01/2009 17:13.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.422 [GMT -4:00]
Running from: c:\documents and settings\maplerow\Desktop\cbfx20090901.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\7be51a00f58ce39c3b855af44043e326.exe
c:\windows\system32\cbfbfcecaebf.dll
c:\windows\system32\kdpini.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-28 18:28 . 2009-08-28 18:28 -------- d-----w- C:\_OTL
2009-08-24 18:39 . 2009-08-24 18:39 -------- d-----w- c:\windows\ERUNT
2009-08-24 18:33 . 2009-08-24 18:33 -------- d-----w- C:\3117f8f2921fc6ba5103
2009-08-24 18:29 . 2009-08-24 18:43 -------- d-----w- C:\SDFix
2009-08-21 13:15 . 2009-08-21 13:15 2855 ----a-w- c:\windows\system32\MRT.PIF
2009-08-21 13:14 . 2009-08-21 13:14 -------- d--h--w- c:\windows\PIF
2009-08-21 12:13 . 2009-08-21 12:21 117760 ----a-w- c:\documents and settings\maplerow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-21 12:11 . 2009-08-21 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-21 12:06 . 2009-08-21 12:06 -------- d-----w- c:\documents and settings\maplerow\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 21:16 . 2008-01-17 18:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-01 16:29 . 2008-01-04 17:00 -------- d-----w- c:\documents and settings\maplerow\Application Data\WeatherBug
2009-07-29 14:23 . 2009-07-29 14:23 150544 ----a-w- c:\windows\system32\abf47eb5ee7139b54cbe7768b90139d1.exe
2009-07-29 14:23 . 2009-07-29 14:23 124448 ----a-w- c:\windows\system32\9c40a2663de5acf80addd02fd0ccbc7b.exe
2009-07-13 06:18 . 2004-08-11 23:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-21 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-22 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dairy Plan Process Control.lnk - c:\dairypln\DPProcessControl.exe [2007-3-13 421888]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AWS\\WeatherBug\\Weather.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4348:TCP"= 4348:TCP:sujerw

R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [1/3/2008 6:59 PM 16512]
R1 oxpar;OX16PCI95x Parallel port driver;c:\windows\system32\drivers\oxpar.sys [1/3/2008 7:19 PM 76416]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [1/3/2008 6:59 PM 53376]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [1/3/2008 6:59 PM 5376]
R3 XlonPci;XLON PCI Device Driver;c:\windows\system32\drivers\xlonpci2.sys [1/3/2008 7:04 PM 44521]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 4:30 PM 79168]
S2 crbaluscc;Update Driver;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 7:00 PM 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/20/2007 5:37 PM 29744]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
crbaluscc
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\RecordFlowMeter.job
- c:\programme\IVON\RecordFlowMeter.vbs [2008-09-03 14:27]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 17:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys 39936 bytes executable
c:\windows\system32\_9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7]
"ImagePath"="system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\wscntfy.exe
c:\dairypln\DPBRID~1.EXE
.
**************************************************************************
.
Completion time: 2009-09-01 17:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 21:18

Pre-Run: 68,928,593,920 bytes free
Post-Run: 69,018,300,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

148 --- E O F --- 2009-08-24 18:46
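
The log above is more useful read as a set of indicator classes than as a list of file names: a service (crbaluscc, described as "Update Driver") whose image is svchost.exe -k netsvcs and which ComboFix lists under the non-default NetSvcs entries, a Windows Firewall exception for 4348/TCP with a nonsense label, a hidden .sys driver reported by catchme, several binaries in system32 whose names are nothing but hex digits, and a patched copy of eventlog.dll that had to be restored from c:\i386. The Python script below is an added example and is not part of this thread or of ComboFix: it walks a ComboFix log once and pulls out exactly those classes. The sample input is an excerpt copied from the log above; the regular expressions, the finding categories and the "12 or more hex digits" threshold are my own assumptions, since the log format has no published specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Excerpt of the ComboFix log posted above (2009-09-01 run), used as sample
# input. The parsing around it is an added example, not ComboFix code.
SAMPLE_LOG = r"""
c:\windows\system32\7be51a00f58ce39c3b855af44043e326.exe
c:\windows\system32\cbfbfcecaebf.dll
c:\windows\system32\kdpini.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

2009-07-29 14:23 . 2009-07-29 14:23 150544 ----a-w- c:\windows\system32\abf47eb5ee7139b54cbe7768b90139d1.exe
2009-07-29 14:23 . 2009-07-29 14:23 124448 ----a-w- c:\windows\system32\9c40a2663de5acf80addd02fd0ccbc7b.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4348:TCP"= 4348:TCP:sujerw

S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 4:30 PM 79168]
S2 crbaluscc;Update Driver;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 7:00 PM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
crbaluscc
.
scanning hidden files ...

c:\windows\system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys 39936 bytes executable
c:\windows\system32\_9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class
    detail: str  # what was matched


# File names made only of hex digits (assumed threshold: 12+; the 32-char ones look like MD5s).
HEX_NAME = re.compile(r"\\([0-9a-f]{12,})\.(exe|dll|sys)\b", re.IGNORECASE)
# ComboFix service line: "S2 name;description;image path [date size]"
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[")
# Windows Firewall GloballyOpenPorts value: "4348:TCP"= 4348:TCP:label
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S*)')
DISINFECTED = re.compile(r"^Infected copy of (\S+) was found and disinfected")
HIDDEN_FILE = re.compile(r"^(\S+)\s+\d+ bytes executable$")


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix log once and collect the indicators worth a second look."""
    findings: List[Finding] = []
    services: Dict[str, Tuple[str, str]] = {}   # name -> (description, image)
    netsvcs: List[str] = []
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:
            # ComboFix prints only non-default NetSvcs members, one per line,
            # until its "." separator; anything listed was added to the group.
            if line and line != ".":
                netsvcs.append(line)
                continue
            in_netsvcs = False
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        # Hex-only names are checked on every line, service image paths included.
        for m in HEX_NAME.finditer(line):
            findings.append(Finding("hex_named_binary", f"{m.group(1)}.{m.group(2)}"))
        m = SERVICE.match(line)
        if m:
            services[m.group(1).lower()] = (m.group(2), m.group(3))
            continue
        m = OPEN_PORT.match(line)
        if m:
            label = m.group(3) or "no label"
            findings.append(Finding("firewall_open_port", f"{m.group(1)}/{m.group(2)} ({label})"))
            continue
        m = DISINFECTED.match(line)
        if m:
            findings.append(Finding("patched_system_file", m.group(1)))
            continue
        m = HIDDEN_FILE.match(line)
        if m:
            findings.append(Finding("hidden_file", m.group(1)))
    # Resolve each added NetSvcs member against the service table so the
    # description and image path are shown next to the name.
    for name in netsvcs:
        desc, image = services.get(name.lower(), ("?", "no service line found"))
        findings.append(Finding("netsvcs_service", f"{name}: '{desc}' -> {image}"))
    return list(dict.fromkeys(findings))   # de-duplicate, keep log order


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by indicator class, preserving log order within each class."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.detail)
    return grouped


if __name__ == "__main__":
    for kind, details in summarize(triage(SAMPLE_LOG)).items():
        print(f"[{kind}]")
        for d in details:
            print("   ", d)
```

Two caveats worth keeping in mind when using something like this on a real log. The name heuristic is a triage aid, not a verdict: kdpini.dll, which ComboFix also deleted, is not hex-only and passes it untouched, so a clean "hex_named_binary" list says nothing about files that were named to look ordinary. And the "netsvcs_service" class leans entirely on ComboFix's own filtering of default NetSvcs members; on a box where that filtering is absent, every name in the group would need to be checked against a known-good list instead.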

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 02 September 2009 - 11:20 AM

Copy and paste ALL of the following text into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
9dd5ba46d7ef5fb3bd2b9f7daa9907a7

File::
c:\windows\system32\abf47eb5ee7139b54cbe7768b90139d1.exe
c:\windows\system32\9c40a2663de5acf80addd02fd0ccbc7b.exe

NetSvc::
crbaluscc

Rootkit::
c:\windows\system32\9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys 
c:\windows\system32\_9dd5ba46d7ef5fb3bd2b9f7daa9907a7.sys_.vir

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9dd5ba46d7ef5fb3bd2b9f7daa9907a7]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Prior to running Combofix.exe you should disable your antivirus program.

Now drag and drop the CFScript file onto ComboFix.exe.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================


Now let's come back to Malwarebytes and see if you can get it installed.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#15 TonyLee

TonyLee
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 03 September 2009 - 06:36 AM

Everything seems to be working now. I have Malwarebytes installed, and the log is posted below the ComboFix log. I also have antivirus running and up to date.

ComboFix 09-09-01.04 - maplerow 09/02/2009 14:15.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.555 [GMT -4:00]
Running from: c:\documents and settings\maplerow\Desktop\cbfx20090901.exe
Command switches used :: c:\documents and settings\maplerow\Desktop\CFScript

FILE ::
"c:\windows\system32\9c40a2663de5acf80addd02fd0ccbc7b.exe"
"c:\windows\system32\abf47eb5ee7139b54cbe7768b90139d1.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\9c40a2663de5acf80addd02fd0ccbc7b.exe
c:\windows\system32\abf47eb5ee7139b54cbe7768b90139d1.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-28 18:28 . 2009-08-28 18:28 -------- d-----w- C:\_OTL
2009-08-24 18:39 . 2009-08-24 18:39 -------- d-----w- c:\windows\ERUNT
2009-08-24 18:33 . 2009-08-24 18:33 -------- d-----w- C:\3117f8f2921fc6ba5103
2009-08-24 18:29 . 2009-08-24 18:43 -------- d-----w- C:\SDFix
2009-08-21 13:15 . 2009-08-21 13:15 2855 ----a-w- c:\windows\system32\MRT.PIF
2009-08-21 13:14 . 2009-08-21 13:14 -------- d--h--w- c:\windows\PIF
2009-08-21 12:13 . 2009-08-21 12:21 117760 ----a-w- c:\documents and settings\maplerow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-21 12:11 . 2009-08-21 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-21 12:06 . 2009-08-21 12:06 -------- d-----w- c:\documents and settings\maplerow\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 18:18 . 2008-01-17 18:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-01 16:29 . 2008-01-04 17:00 -------- d-----w- c:\documents and settings\maplerow\Application Data\WeatherBug
2009-07-13 06:18 . 2004-08-11 23:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-01_21.16.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-02 18:18 . 2009-09-02 18:18 16384 c:\windows\temp\Perflib_Perfdata_76c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-21 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-22 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dairy Plan Process Control.lnk - c:\dairypln\DPProcessControl.exe [2007-3-13 421888]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AWS\\WeatherBug\\Weather.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4348:TCP"= 4348:TCP:sujerw

R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [1/3/2008 6:59 PM 16512]
R1 oxpar;OX16PCI95x Parallel port driver;c:\windows\system32\drivers\oxpar.sys [1/3/2008 7:19 PM 76416]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [1/3/2008 6:59 PM 53376]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [1/3/2008 6:59 PM 5376]
R3 XlonPci;XLON PCI Device Driver;c:\windows\system32\drivers\xlonpci2.sys [1/3/2008 7:04 PM 44521]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 4:30 PM 79168]
S2 crbaluscc;Update Driver;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 7:00 PM 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/20/2007 5:37 PM 29744]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\RecordFlowMeter.job
- c:\programme\IVON\RecordFlowMeter.vbs [2008-09-03 14:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 14:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\dairypln\DPBRID~1.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-02 14:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 18:19
ComboFix2.txt 2009-09-01 21:18

Pre-Run: 69,029,543,936 bytes free
Post-Run: 68,990,582,784 bytes free

112 --- E O F --- 2009-08-24 18:46


------------------------------------------------------------------
MalwareBytes log
------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2731
Windows 5.1.2600 Service Pack 2

9/2/2009 2:34:16 PM
mbam-log-2009-09-02 (14-34-16).txt

Scan type: Quick Scan
Objects scanned: 100350
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



