Zlob DNS Changer, Win32.Autoit.p


This topic is locked
117 replies to this topic

#1 Fex

Posted 26 March 2010 - 08:39 AM

Hi,

My computer has been infected with Zlob.

I'm running XP with avast! and AVG free editions - I've tried to uninstall AVG, but the uninstaller fails, with details:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

Usually, I can't update Spybot, Malwarebytes or AVG, or access their homepages. I can't get Microsoft security updates. I did manually update Spybot, and a scan showed the presence of Zlob DNS Changer and Win32.Autoit.p, among other things. I removed Zlob, which briefly resolved the web problems, but Win32.Autoit.p remains:

Win32.Autoit.p: [SBI $126FBB94] Autorun settings (SYS2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS2

Win32.Autoit.p: [SBI $126FBB94] Autorun settings (SYS3)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS3

Win32.Autoit.p: [SBI $126FBB94] Autorun settings (SYS4)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS4

Win32.Autoit.p: [SBI $B8C986CA] Autorun settings (SYS1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS1

So Zlob keeps coming back, as do the internet issues.

Last time I checked, F8 at boot gave no option for safe mode.

GMER crashed three times yesterday before I managed to get the attached report. Since then, I've used Spybot to remove Zlob again. The DDS report is more recent.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jon at 20:12:18.00 on Fri 03/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.626 [GMT 7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\JetAudio\jetAudio.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\SB Digital Music SX\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\SB Digital Music SX\Entertainment Center\EAXLoadr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [CTSysVol] c:\program files\creative\sb digital music sx\surround mixer\CTSysVol.exe /r
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SYS1] c:\windows\system32\system.exe
mRun: [SYS2] c:\windows\system32\bad1.exe
mRun: [SYS3] c:\windows\system32\bad2.exe
mRun: [SYS4] c:\windows\system32\bad3.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.3458333333
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {3819048B-9783-42B4-BAE4-6810283105D8} = 208.67.220.220,208.67.222.222
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
mASetup: {0CA3D76C-7AC1-8CA0-8BE6-7CCC7EDD8ECA} - c:\windows\windois.exe 2
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\default.kvr\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.google.co.uk/search?q=
FF - component: c:\documents and settings\jon\application data\mozilla\firefox\profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\jon\application data\mozilla\firefox\profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJPI141_01.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-23 162640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-30 27784]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [2008-11-23 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-23 19024]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-2-5 33792]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2005-12-12 1905408]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\program files\unlocker\UnlockerDriver4.sys [2005-4-24 3584]

=============== Created Last 30 ================

2010-03-25 12:42:21 0 ----a-w- c:\documents and settings\jon\defogger_reenable
2010-03-25 12:21:25 0 d-----w- c:\program files\GPLGS
2010-03-25 12:20:42 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-03-25 12:20:39 0 d-----w- c:\program files\Acro Software
2010-03-25 08:55:56 5904 ----a-w- c:\windows\system32\Takeown.exe
2010-03-25 08:55:55 0 d-----w- c:\windows\system32\takeown
2010-03-25 08:25:48 0 d-----w- c:\program files\Yahoo!
2010-03-23 18:10:54 0 d-s---w- C:\ComboFix
2010-03-23 18:08:12 79360 ----a-w- c:\windows\system32\swxcacls.exe
2010-03-23 18:08:08 135168 ----a-w- c:\windows\system32\swreg.exe
2010-03-23 13:59:59 0 d-----w- c:\windows\system32\zh_temp
2010-03-23 07:44:54 0 d-----w- c:\docume~1\jon\applic~1\QuickScan
2010-03-23 04:06:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-19 15:15:01 0 d-----w- c:\program files\StudioDevil
2010-03-19 14:30:35 697690 ----a-w- c:\windows\unins003.exe
2010-03-19 14:30:35 55822 ----a-w- c:\windows\unins003.dat
2010-03-19 11:43:02 695642 ----a-w- c:\windows\unins002.exe
2010-03-19 11:43:02 13022 ----a-w- c:\windows\unins002.dat
2010-03-18 16:33:33 54156 ---ha-w- c:\windows\QTFont.qfn
2010-03-18 16:33:33 1409 ----a-w- c:\windows\QTFont.for
2010-03-17 21:57:10 0 d-----w- c:\program files\ASIO4ALL v2
2010-03-17 21:06:59 9728 ------w- c:\windows\system32\drivers\PfModNT.sys
2010-03-17 20:59:22 77824 ------w- c:\windows\system32\ctdvda32.dll
2010-03-16 13:55:19 0 d-----w- c:\windows\system32\NtmsData
2010-03-16 12:04:39 0 d-----w- c:\docume~1\jon\applic~1\Foxit
2010-03-16 12:00:59 0 d-----w- c:\program files\CDex
2010-03-16 08:01:05 0 d-----w- c:\docume~1\jon\applic~1\TrueCrypt
2010-03-15 23:36:32 389120 ----a-w- c:\windows\system32\CF5874.exe
2010-03-15 23:02:19 0 d-----w- c:\program files\kX Audio Driver

==================== Find3M ====================

2010-03-16 01:16:48 24296 -c--a-w- c:\docume~1\jon\applic~1\GDIPFONTCACHEV1.DAT
2008-09-09 18:14:36 5632 --sha-w- c:\program files\common files\Thumbs.db
2007-08-14 14:11:50 6144 --sha-w- c:\program files\Thumbs.db
2007-02-12 22:46:45 785 ----a-w- c:\program files\unins000.dat
2003-11-20 11:14:58 102400 ----a-w- c:\program files\sfz.exe
2003-10-21 21:00:00 75922 ----a-w- c:\program files\unins000.exe
2005-08-25 16:19:02 108 --sha-r- c:\windows\neoqaz2.dll
2009-10-09 00:18:25 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-08 04:12:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080820090809\index.dat

============= FINISH: 20:14:06.68 ===============

Edited by Fex, 26 March 2010 - 08:46 AM.
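The DDS "Pseudo HJT Report" above contains the indicators a responder would pull out of this log: four `mRun:` entries with generic names (SYS1 to SYS4) launching unsigned-looking binaries straight from system32, a `TCP:` line with hard-coded DNS servers on the interface, an `mASetup:` (Active Setup) entry running c:\windows\windois.exe, and a `Hosts:` line that blackholes a security site. The script below is an added example, not code from the original post or from the DDS tool: it parses lines in that format and flags each of those four indicator types. The line formats, the allowlists of known system32 autostart binaries and Active Setup stubs, and the sample lines (copied from the shapes seen in the log) are assumptions made for the example.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence and DNS-hijack
indicators seen in the log above.  Added example; not DDS or BleepingComputer code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Line formats are assumed from the lines in the log above.
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
TCP_RE = re.compile(r"^TCP:\s+\{[0-9A-Fa-f-]+\}\s+=\s+(?P<servers>[\d.,]+)$")
ASETUP_RE = re.compile(r"^mASetup:\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")

# Assumed allowlists: autostart binaries that legitimately sit directly in
# system32, and the stubs that Active Setup entries normally launch.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}
KNOWN_ACTIVESETUP_STUBS = {"rundll32.exe", "regsvr32.exe", "ie4uinit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a handful of lines in the same format as the log above.
SAMPLE_DDS = r"""
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SYS1] c:\windows\system32\system.exe
mRun: [SYS2] c:\windows\system32\bad1.exe
mRun: [SYS3] c:\windows\system32\bad2.exe
mRun: [SYS4] c:\windows\system32\bad3.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
TCP: {3819048B-9783-42B4-BAE4-6810283105D8} = 208.67.220.220,208.67.222.222
mASetup: {0CA3D76C-7AC1-8CA0-8BE6-7CCC7EDD8ECA} - c:\windows\windois.exe 2
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass
class Finding:
    kind: str    # "run", "dns", "activesetup" or "hosts"
    line: str    # the DDS line that triggered it
    reason: str


def _exe_path(cmd: str) -> str:
    """Executable path from a command line, lower-cased; handles quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower()


def triage_dds(text: str, expected_dns: Iterable[str] = ()) -> list[Finding]:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    expected = set(expected_dns)
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            name, path = m["name"], _exe_path(m["cmd"])
            base = path.rsplit("\\", 1)[-1]
            if re.fullmatch(r"sys\d+", name, re.IGNORECASE):
                findings.append(Finding("run", line, f"generic autorun value name {name!r}"))
            elif path.startswith(SYSTEM_DIRS) and base not in KNOWN_SYSTEM32_AUTOSTART:
                findings.append(Finding("run", line,
                                        f"unrecognised binary {base!r} autostarting from a system directory"))
        elif m := TCP_RE.match(line):
            unexpected = set(m["servers"].split(",")) - expected
            if unexpected:
                findings.append(Finding("dns", line, "static DNS servers outside the expected set: "
                                        + ", ".join(sorted(unexpected))))
        elif m := ASETUP_RE.match(line):
            path = _exe_path(m["cmd"])
            base = path.rsplit("\\", 1)[-1]
            if base not in KNOWN_ACTIVESETUP_STUBS and not path.startswith("c:\\program files\\"):
                findings.append(Finding("activesetup", line,
                                        f"Active Setup stub runs {path!r}, re-executed for each user at logon"))
        elif m := HOSTS_RE.match(line):
            ip, host = m["ip"], m["host"].lower()
            if host == "localhost":
                continue
            what = "blackholes" if ip in LOOPBACK else f"redirects to {ip}"
            findings.append(Finding("hosts", line, f"hosts file {what} {host}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS, expected_dns={"192.168.1.1"}):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

The DNS check cannot know which resolvers are correct, so it only reports servers outside the set you pass in; 208.67.220.220 and 208.67.222.222 are OpenDNS's public resolvers, so a hit there means "confirm this was set on purpose", not "malicious". The value of running the four checks together is that the `TCP:`, `Hosts:` and `mASetup:` lines are the ones that explain symptoms like blocked AV updates and reinfection after the Run keys are cleaned, which is why a log reader should not stop at the Run entries.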



#2 Fex

Posted 27 March 2010 - 01:44 AM

It gets worse....

I tried to boot in safe mode using MSCONFIG, but Windows didn't restart. When I try to boot now, I get the 'Windows did not start' message....
Starting Windows normally does not work.
Starting Windows with last known good configuration does not work.
Starting Windows in safe mode doesn't work, but throws up a screen full of stuff along the lines of:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\AppPatch\drvmain.sdb
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\DRIVERS\ACPI.sys

etc etc etc....

GAH!

#3 Elise (Malware Study Hall Admin)

Posted 28 March 2010 - 07:00 AM

Hello, never a good idea to force safe mode through MSConfig.
I see you also ran Combofix. Did you allow the Recovery Console to install and can you access it?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#4 Fex

Posted 28 March 2010 - 08:21 AM

Hi, thanks for replying.
QUOTE(elise025 @ Mar 28 2010, 07:00 PM)
Hello, never a good idea to force safe mode through MSConfig.
If only I'd known.... it seemed like a good idea at the time....
QUOTE(elise025 @ Mar 28 2010, 07:00 PM)
I see you also ran Combofix. Did you allow the Recovery Console to install and can you access it?
I ran Combofix once, but I've no idea what it did. I shouldn't have been messing with it. Later, a scan identified part of Combofix (possibly just the installer files, maybe the exe) as a threat, and that part got deleted. I would have no idea how to access the recovery console even if there is one, but I doubt that it would be possible.... I've tried booting with the original Windows install CD in the drive, and I've tried making a recovery flash drive, but all result in black screen of death.

Edited by Fex, 28 March 2010 - 08:22 AM.


#5 Elise (Malware Study Hall Admin)

Posted 28 March 2010 - 08:56 AM

Well then, let's start first with creating a means of accessing your files.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
Also, please use My Computer on the Reatogo desktop to locate c:\boot.ini
Open this file and post its contents in your next reply.

regards, Elise


#6 Fex

Posted 29 March 2010 - 08:06 AM

It's good to have access again. Thanks for your help.

QUOTE(elise025 @ Mar 28 2010, 08:56 PM)
When asked "Do you wish to load the remote registry", select Yes
It didn't ask....

QUOTE
Change Drivers to Use Safelist
It was set like that by default....

QUOTE
Please post the contents of the OTL.txt file in your reply.
OTL logfile created on: 3/29/2010 10:05:32 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 773.00 Mb Available Physical Memory | 76.00% Memory free
907.00 Mb Paging File | 834.00 Mb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.92 Gb Total Space | 22.40 Gb Free Space | 40.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet004

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (Lavasoft Ad-Aware Service)
SRV - File not found [On_Demand] -- -- (Alic1iskwuww)
SRV - [2010/03/19 02:19:35 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 07:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/09/28 01:24:36 | 000,156,976 | ---- | M] (Seagate Technology LLC) [Auto] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2007/04/13 11:49:00 | 000,101,528 | ---- | M] () [On_Demand] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2005/03/09 00:18:21 | 000,054,784 | ---- | M] (Macrovision) [Auto] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2004/03/08 05:09:34 | 000,024,064 | ---- | M] (Acesoft) [On_Demand] -- C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe -- (Autocomplete)
SRV - [2003/07/24 07:24:16 | 000,786,484 | ---- | M] (AHEAD Software) [Auto] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (atimtag)
DRV - [2010/03/09 07:12:54 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/03/09 07:12:33 | 000,162,640 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/03/09 07:09:08 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/03/09 07:08:41 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/03/09 07:08:30 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/03/09 07:08:15 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/08/30 06:42:03 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/30 06:42:01 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/12/28 17:10:41 | 000,215,872 | ---- | M] (TrueCrypt Foundation) [Kernel | System] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2008/05/02 00:15:44 | 000,004,096 | ---- | M] () [Kernel | Unavailable] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/05/03 02:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/04/25 05:20:48 | 004,030,144 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006/08/25 11:14:17 | 000,010,578 | ---- | M] (Applied Networking Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2006/05/28 20:43:11 | 000,223,128 | ---- | M] (DT Soft Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\dtscsi.sys -- (dtscsi)
DRV - [2006/05/28 15:04:24 | 000,642,560 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2006/05/01 15:37:16 | 000,022,272 | ---- | M] (Doug Fetter Software Wizardry) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbmn1x1.sys -- (USBMN1X1)
DRV - [2006/05/01 15:37:16 | 000,013,504 | ---- | M] (MIDIMAN) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usb11ldr.sys -- (USB11LDR)
DRV - [2005/12/11 22:02:34 | 001,905,408 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sbusb.sys -- (sbusb)
DRV - [2005/11/21 01:48:21 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2005/07/11 22:53:20 | 000,114,688 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/07/11 22:53:12 | 000,142,848 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/05/09 09:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2005/05/03 03:34:20 | 001,034,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/05/03 03:33:42 | 000,224,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/05/03 03:33:36 | 000,716,288 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/04/24 05:08:34 | 000,003,584 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\Unlocker\UnlockerDriver4.sys -- (UnlockerDriver4)
DRV - [2005/03/09 00:18:17 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/04 01:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/04/04 23:44:42 | 000,024,720 | ---- | M] (Jeff Hurchalla and Marble Sound) [Kernel | System] -- C:\WINDOWS\System32\drivers\mapledxp.SYS -- (mapledxp)
DRV - [2003/07/24 07:22:18 | 000,005,264 | ---- | M] (Ahead Software AG) [Recognizer | System] -- C:\WINDOWS\system32\drivers\incdrec.sys -- (InCDrec)
DRV - [2003/07/24 07:22:00 | 000,086,752 | ---- | M] () [File_System | Disabled] -- C:\WINDOWS\system32\drivers\incdfs.sys -- (InCDfs)
DRV - [2003/07/24 07:15:38 | 000,028,432 | ---- | M] (Ahead Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2002/10/14 13:00:00 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\IdeChnDr.sys -- (IdeChnDr) Intel®
DRV - [2002/10/14 13:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\IdeBusDr.sys -- (IdeBusDr)
DRV - [2002/08/07 21:41:34 | 000,018,116 | R--- | M] () [Kernel | Auto] -- C:\WINDOWS\system32\drivers\GVCplDrv.sys -- (GVCplDrv)
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 02:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 02:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 02:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 02:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 02:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 02:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 02:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 02:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 02:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 02:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Startpage = http://uk.msn.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.HAL_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Jon_ON_C\Software\Microsoft\Internet Explorer\Main,Startpage = http://uk.msn.com/
IE - HKU\Jon_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\Jon_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/23 07:26:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/23 07:26:42 | 000,000,000 | ---D | M]

[2010/03/26 10:08:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/05/11 02:28:00 | 000,044,153 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\inspector.dll
[2010/03/16 08:03:57 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/03/24 13:33:36 | 000,380,222 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.123fporn.info
O1 - Hosts: 13123 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\Jon_ON_C\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: [AudioDrvEmulator] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SB Digital Music SX\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [H2O] C:\Program Files\Syncrosoft\POS\H2O\cledx.exe (Team H2O)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Ahead Software AG)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [RCSystem] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [SbUsb AudCtrl] C:\WINDOWS\System32\sbusbdll.dll (Creative Technology Ltd)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SYS1] C:\WINDOWS\System32\system.exe File not found
O4 - HKLM..\Run: [SYS2] C:\WINDOWS\System32\bad1.exe File not found
O4 - HKLM..\Run: [SYS3] C:\WINDOWS\System32\bad2.exe File not found
O4 - HKLM..\Run: [SYS4] C:\WINDOWS\System32\bad3.exe File not found
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKU\Jon_ON_C..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\Jon_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoControlPanel = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.HAL_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Jon_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91
O7 - HKU\Jon_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKU\Jon_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKU\Jon_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\Jon_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe File not found
O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} http://simcity.ea.com/update/EARTPX.cab (EARTPatchX Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...8109.3458333333 (Reg Error: Key error.)
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab (MaxisSimCity4LotTeleX Control)
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab (MaxisSimCity4PatcherX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/28 14:33:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/05/09 21:48:26 | 000,000,032 | ---- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/25 08:59:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Desktop\gmer
[2010/03/25 08:29:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Local Settings\Application Data\CutePDF Writer
[2010/03/25 08:21:25 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS
[2010/03/25 08:20:39 | 000,000,000 | ---D | C] -- C:\Program Files\Acro Software
[2010/03/25 04:55:56 | 000,005,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Takeown.exe
[2010/03/25 04:55:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\takeown
[2010/03/25 04:25:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\Yahoo!
[2010/03/25 04:25:48 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/03/23 14:10:54 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/03/23 14:08:12 | 000,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2010/03/23 14:08:08 | 000,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2010/03/23 09:59:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh_temp
[2010/03/23 03:44:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\QuickScan
[2010/03/23 00:06:59 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/23 00:06:58 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/23 00:06:57 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/23 00:06:55 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/23 00:06:54 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/23 00:06:54 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/23 00:06:53 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/03/23 00:06:24 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/23 00:06:24 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/03/23 00:06:14 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/03/21 06:31:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Desktop\Deja Vu mp3s
[2010/03/21 01:37:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jon\My Documents\My Pictures
[2010/03/20 03:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\iZotope iDrum Content
[2010/03/19 23:36:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\My downloads GigaTribe
[2010/03/19 23:35:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Local Settings\Application Data\Shalsoft
[2010/03/19 11:15:01 | 000,000,000 | ---D | C] -- C:\Program Files\StudioDevil
[2010/03/17 18:03:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Desktop\cdex_170b2_enu
[2010/03/17 17:57:10 | 000,000,000 | ---D | C] -- C:\Program Files\ASIO4ALL v2
[2010/03/17 17:06:59 | 000,009,728 | ---- | C] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\PfModNT.sys
[2010/03/17 16:59:22 | 000,077,824 | ---- | C] (Creative Technology Ltd) -- C:\WINDOWS\System32\ctdvda32.dll
[2010/03/16 09:55:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/03/16 08:04:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\Foxit
[2010/03/16 08:00:59 | 000,000,000 | ---D | C] -- C:\Program Files\CDex
[2010/03/16 04:39:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jon\Recent
[2010/03/16 04:01:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\Application Data\TrueCrypt
[2010/03/15 19:36:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/15 19:36:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/15 19:36:32 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF5874.exe
[2010/03/15 19:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\kX Audio Driver
[2010/03/15 09:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jon\My Documents\Downloads
[2008/11/23 12:38:53 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\mapleapi.dll
[2003/10/21 17:00:00 | 000,075,922 | ---- | C] (Jordan Russell) -- C:\Program Files\unins000.exe
[2002/12/04 22:18:08 | 000,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/29 22:06:47 | 004,456,448 | ---- | M] () -- C:\Documents and Settings\Administrator.HAL\NTUSER.DAT
[2010/03/29 07:33:33 | 1073,008,640 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/29 07:33:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/26 13:19:26 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\LocalService\ntuser.dat
[2010/03/26 13:19:26 | 000,249,856 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/03/26 13:19:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/26 13:19:04 | 029,097,984 | ---- | M] () -- C:\Documents and Settings\Jon\ntuser.dat
[2010/03/26 13:19:04 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jon\ntuser.ini
[2010/03/26 13:18:42 | 000,000,756 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/26 13:18:42 | 000,000,229 | RHS- | M] () -- C:\boot.ini
[2010/03/26 13:18:42 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/26 13:14:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/26 12:49:04 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/25 21:49:29 | 048,290,211 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\Dreams of Rivers (album).mp3
[2010/03/25 19:15:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/25 08:59:05 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\gmer.zip
[2010/03/25 08:45:01 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\dds.scr
[2010/03/25 08:42:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jon\defogger_reenable
[2010/03/25 08:01:25 | 057,693,111 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/25 04:25:33 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\CCleaner.lnk
[2010/03/24 13:33:36 | 000,380,222 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/23 14:13:46 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/23 14:11:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100325-003336.backup
[2010/03/23 04:00:52 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/22 21:25:06 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\housecall.guid.cache
[2010/03/22 14:51:33 | 000,126,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/22 10:41:29 | 000,118,272 | ---- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/20 09:46:02 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/03/19 23:33:27 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\GigaTribe.lnk
[2010/03/19 20:08:52 | 000,025,080 | ---- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/19 11:15:03 | 000,055,822 | ---- | M] () -- C:\WINDOWS\unins003.dat
[2010/03/19 11:09:08 | 000,697,690 | ---- | M] () -- C:\WINDOWS\unins003.exe
[2010/03/19 10:43:01 | 003,749,990 | -H-- | M] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\IconCache.db
[2010/03/19 08:52:46 | 000,013,022 | ---- | M] () -- C:\WINDOWS\unins002.dat
[2010/03/19 08:52:37 | 000,695,642 | ---- | M] () -- C:\WINDOWS\unins002.exe
[2010/03/18 12:33:33 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/03/17 17:57:10 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\ASIO4ALL v2 Instruction Manual.lnk
[2010/03/17 17:12:43 | 000,000,183 | ---- | M] () -- C:\WINDOWS\setuplog
[2010/03/17 17:08:39 | 000,000,347 | ---- | M] () -- C:\WINDOWS\CTWave32.INI
[2010/03/16 16:23:29 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/03/16 12:46:57 | 000,012,540 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/03/16 08:13:38 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\Jon\Desktop\REAPER.lnk
[2010/03/15 21:16:48 | 000,024,296 | ---- | M] () -- C:\Documents and Settings\Jon\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/15 19:36:26 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF5874.exe
[2010/03/09 07:24:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/03/09 07:24:05 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/09 07:12:54 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/09 07:12:33 | 000,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/09 07:09:08 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/09 07:08:41 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/09 07:08:38 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/09 07:08:30 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/09 07:08:15 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/26 10:22:29 | 007,328,927 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\roguefix_2.255.bat
[2010/03/25 08:58:16 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\gmer.zip
[2010/03/25 08:43:39 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\dds.scr
[2010/03/25 08:42:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jon\defogger_reenable
[2010/03/25 08:20:42 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/03/25 07:28:46 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\Defogger.exe
[2010/03/23 14:08:11 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2010/03/23 03:42:44 | 048,290,211 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\Dreams of Rivers (album).mp3
[2010/03/22 21:25:06 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\housecall.guid.cache
[2010/03/19 23:33:27 | 000,000,640 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\GigaTribe.lnk
[2010/03/19 10:30:35 | 000,697,690 | ---- | C] () -- C:\WINDOWS\unins003.exe
[2010/03/19 10:30:35 | 000,055,822 | ---- | C] () -- C:\WINDOWS\unins003.dat
[2010/03/19 07:43:02 | 000,695,642 | ---- | C] () -- C:\WINDOWS\unins002.exe
[2010/03/19 07:43:02 | 000,013,022 | ---- | C] () -- C:\WINDOWS\unins002.dat
[2010/03/18 12:33:33 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/03/18 12:33:33 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/03/17 17:57:10 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\Jon\Desktop\ASIO4ALL v2 Instruction Manual.lnk
[2009/08/27 09:47:21 | 000,000,347 | ---- | C] () -- C:\WINDOWS\CTWave32.INI
[2009/08/27 09:42:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\sfbm.INI
[2009/08/21 12:34:32 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Player.INI
[2009/08/04 06:58:16 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/09/08 13:23:26 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/11/03 06:54:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/10/12 15:40:57 | 000,005,632 | -HS- | C] () -- C:\Program Files\Common Files\Thumbs.db
[2007/07/17 04:34:34 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\realbap1.dll
[2007/02/16 14:30:35 | 000,000,135 | ---- | C] () -- C:\WINDOWS\Cyber.ini
[2007/02/12 18:46:43 | 000,000,785 | ---- | C] () -- C:\Program Files\unins000.dat
[2007/01/16 10:38:47 | 000,000,344 | ---- | C] () -- C:\WINDOWS\EaseMIDIConverter.INI
[2007/01/05 19:10:29 | 000,214,016 | ---- | C] () -- C:\WINDOWS\System32\sqlite.dll
[2006/12/14 17:55:26 | 000,006,144 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2006/09/01 09:09:17 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/15 08:30:05 | 000,136,448 | ---- | C] () -- C:\WINDOWS\RMTOOLS.DLL
[2006/05/01 17:45:51 | 000,000,122 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2006/04/22 12:31:29 | 000,000,973 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
[2006/04/07 01:53:31 | 000,000,400 | ---- | C] () -- C:\WINDOWS\WGPLAYER.INI
[2006/04/07 01:47:48 | 000,000,700 | ---- | C] () -- C:\WINDOWS\WINGROOV.INI
[2006/02/02 18:05:19 | 000,029,696 | ---- | C] () -- C:\WINDOWS\System32\asutl8.dll
[2006/02/02 17:25:49 | 000,001,186 | ---- | C] () -- C:\WINDOWS\psmplay.ini
[2005/09/29 23:14:08 | 000,012,741 | ---- | C] () -- C:\WINDOWS\System32\SBUSB.INI
[2005/08/25 12:19:02 | 000,000,108 | RHS- | C] () -- C:\WINDOWS\neoqaz2.dll
[2005/08/03 15:54:08 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2005/06/15 06:36:23 | 000,065,536 | ---- | C] () -- C:\WINDOWS\qt3wrap.dll
[2005/06/15 06:36:22 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/06/04 03:12:00 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/04/14 01:16:20 | 000,000,040 | ---- | C] () -- C:\WINDOWS\TSC.INI
[2005/04/14 01:05:49 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/04/08 00:38:44 | 000,172,544 | ---- | C] () -- C:\WINDOWS\System32\sfsshell.dll
[2005/03/19 12:20:53 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini
[2005/01/19 00:18:52 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2004/09/25 09:45:57 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/08/08 14:11:41 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2004/08/07 11:00:30 | 000,086,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\incdfs.sys
[2004/06/02 11:06:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/05/20 11:50:14 | 001,537,536 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-hi.dll
[2004/05/19 18:13:46 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS3y.DLL
[2004/05/19 17:49:25 | 000,018,116 | R--- | C] () -- C:\WINDOWS\System32\drivers\GVCplDrv.sys
[2004/05/19 17:42:49 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS3w.DLL
[2004/05/16 18:33:27 | 000,118,272 | ---- | C] () -- C:\Documents and Settings\Jon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/05/12 08:12:48 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2004/05/12 08:12:48 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2004/05/02 10:15:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/04/28 15:00:37 | 000,000,750 | ---- | C] () -- C:\WINDOWS\txp-lcn.ini
[2004/03/01 20:37:18 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/03/01 20:33:52 | 000,675,840 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/02/01 15:21:56 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\Uncommon.dll
[2004/01/27 02:13:54 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2004/01/22 08:06:32 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2003/11/20 07:14:58 | 000,102,400 | ---- | C] () -- C:\Program Files\sfz.exe
[2003/08/29 02:26:36 | 000,002,065 | ---- | C] () -- C:\WINDOWS\my_02-20-2005_13h39.ini
[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2002/11/24 08:40:36 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\ac3encode.dll
[2002/08/20 20:37:50 | 000,093,696 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2002/02/27 06:50:00 | 000,197,120 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll
[2001/09/17 02:20:02 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2000/11/24 07:05:06 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\Cpuinfo2.dll
[1999/12/06 13:00:00 | 000,024,956 | ---- | C] () -- C:\WINDOWS\twain_16.dll
[1998/08/15 18:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== LOP Check ==========

[2006/04/18 06:29:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Ableton
[2008/10/23 10:00:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Anvil Studio
[2009/10/11 07:48:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Audacity
[2007/01/04 09:03:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\BinarySense
[2008/10/25 14:18:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Blue Cat Audio
[2008/05/18 09:15:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Canon
[2006/12/21 14:51:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\COWON
[2008/09/25 17:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\dBpoweramp
[2004/10/17 11:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\FeedReader
[2010/03/16 08:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Foxit
[2007/01/18 15:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\GetRightToGo
[2009/11/04 14:37:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\GigaTribe
[2009/10/01 11:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\GrabPro
[2004/05/09 02:07:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Kazaa Lite
[2007/01/16 05:56:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Mp3tag
[2007/01/04 10:40:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\NCH Swift Sound
[2004/10/21 14:47:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Opera
[2009/10/02 13:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Orbit
[2009/07/19 08:11:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Photo2Sketch
[2008/11/23 01:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Propellerhead Software
[2010/03/23 14:28:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\QuickScan
[2009/09/05 04:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\REAPER
[2005/12/29 06:54:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Seven Zip
[2007/01/14 09:19:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Shareaza
[2007/02/10 22:49:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Smartelectronix
[2008/04/26 08:07:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Spectaculator
[2007/02/04 15:30:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Steinberg
[2006/04/19 07:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Thunderbird
[2010/03/16 04:01:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\TrueCrypt
[2008/08/03 07:40:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\uTorrent
[2006/04/05 09:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jon\Application Data\Xara
[2010/03/25 19:15:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 108 bytes -> C:\WINDOWS:
< End of report >

QUOTE
Also, please use My Computer on the Reatogo desktop to locate c:\boot.ini
Open this file and post its contents in your next reply.
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /safeboot:minimal
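
The O4 section of the OTL report above lists four Run values (SYS1 to SYS4) whose targets are reported as "File not found": the registry values survive although the executables they pointed at are gone, which is exactly the kind of remnant a cleanup has to remove by hand. As an added example, not code from the thread or from OTL itself, the Python below parses Run lines in OTL's O4 format and flags values whose file is missing or whose executable carries no publisher information. The sample lines are constructed after the report above; the `Updater` entry is invented to exercise the second rule.

```python
"""Flag orphaned or unattributed autorun entries in OTL 'O4' log lines."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the O4 section of the report above (not the full log).
# The 'Updater' line is invented to show an executable with no publisher information.
SAMPLE_O4_LINES = r"""
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SYS1] C:\WINDOWS\System32\system.exe File not found
O4 - HKLM..\Run: [SYS2] C:\WINDOWS\System32\bad1.exe File not found
O4 - HKLM..\Run: [Updater] C:\WINDOWS\System32\upd.exe ()
O4 - HKU\Jon_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"""

# "O4 - <hive>..\Run: [<value name>] <target and publisher or 'File not found'>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
# "<path> (<publisher>)" ; an empty pair of parentheses means OTL found no version info
PUBLISHER_RE = re.compile(r"^(?P<path>.+?) \((?P<publisher>[^()]*)\)$")
MISSING = "File not found"


def parse_o4_line(line: str) -> Optional[Dict[str, Optional[object]]]:
    """Split one O4 line into hive, value name, target path, publisher and existence flag."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, rest = m.group("hive"), m.group("name"), m.group("rest")
    if rest.endswith(MISSING):
        # The Run value is still in the registry but its payload is gone.
        return {"hive": hive, "name": name, "path": rest[: -len(MISSING)].strip(),
                "publisher": None, "file_exists": False}
    pm = PUBLISHER_RE.match(rest)
    if pm:
        return {"hive": hive, "name": name, "path": pm.group("path"),
                "publisher": pm.group("publisher").strip() or None, "file_exists": True}
    # Unexpected layout: keep the raw target so nothing is silently dropped.
    return {"hive": hive, "name": name, "path": rest, "publisher": None, "file_exists": True}


def find_suspicious_autoruns(log_text: str) -> List[Dict[str, str]]:
    """Return the O4 entries a reviewer should look at, each with the reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4_line(line)
        if entry is None:
            continue
        if not entry["file_exists"]:
            reason = "Run value points at a file that no longer exists (leftover autorun)"
        elif entry["publisher"] is None:
            reason = "executable carries no publisher/version information"
        else:
            continue
        findings.append({"hive": str(entry["hive"]), "name": str(entry["name"]),
                         "path": str(entry["path"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_O4_LINES):
        print(f"{f['hive']}\\Run\\{f['name']} -> {f['path']}: {f['reason']}")
```

Orphaned Run values are inert until something recreates the target file, but they are a clear indicator of a previous infection and stay on the cleanup list; a value whose target has no publisher information is not malicious by itself and only deserves a second look.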



#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:12 PM

Posted 29 March 2010 - 08:33 AM

Using My Computer on the Reatogo desktop, locate c:\boot.ini

Open this file and post me its contents.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#8 Fex

Fex
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 29 March 2010 - 11:51 AM

I already did that.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:12 PM

Posted 29 March 2010 - 12:07 PM

Oops, I totally overlooked that.

Please download the file I attached to this post by right clicking on it and selecting "save target as".

Save the file as boot.ini.txt to a flashdrive.

Boot from the Reatogo CD. Open your flashdrive using My Computer and rightclick on boot.ini.txt, select Rename. Rename the file to boot.ini (delete the .txt part).

Now, using My Computer, navigate to your C drive and rename boot.ini to boot.ini.bak

Copy the boot.ini file from your flashdrive and paste it in the C drive. Restart your computer normally and see if it boots now.


regards, Elise


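The procedure above replaces a boot.ini whose default entry carried a /safeboot:minimal switch (the contents Fex posted earlier in the thread) with a clean copy. The script below is an added example written for this thread; it is not code from the original posts or from any tool used in them. It parses a boot.ini, flags any entry whose switches force Safe Mode (marking the default entry, which is the one Windows boots unattended), checks that default= points at a listed entry, and produces a corrected copy with the switch removed while keeping /fastdetect and /NoExecute. The two sample boot.ini texts are the ones posted in this thread, embedded here so the script runs offline.

```python
"""Check a Windows XP boot.ini for a forced Safe Mode (/safeboot) switch.

Added example for this thread; not part of the original posts or of any
tool used in them. It only reads and returns text, never writes to disk.
"""
import re

# boot.ini as posted in the thread: the version that forced Safe Mode on every boot
SAMPLE_FORCED_SAFE_MODE = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /safeboot:minimal
"""

# boot.ini as shown later in the ComboFix log, after the Recovery Console was installed
SAMPLE_CLEAN = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
"""

# An [operating systems] entry:  <arc path>="<description>" <switch> <switch> ...
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return (loader_settings, entries): loader_settings is a dict of the
    [boot loader] keys, entries a list of dicts with path, desc, switches."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"path": m.group("path").strip(),
                                "desc": m.group("desc"),
                                "switches": m.group("switches").split()})
    return loader, entries


def default_entry(text):
    """Return the entry that default= points at, or None if it names no listed entry."""
    loader, entries = parse_boot_ini(text)
    default = loader.get("default", "").lower()
    for e in entries:
        if e["path"].lower() == default:
            return e
    return None


def forced_safeboot(text):
    """List descriptions of entries carrying a /safeboot switch (any variant,
    case-insensitive); the default entry is prefixed with '*'."""
    loader, entries = parse_boot_ini(text)
    default = loader.get("default", "").lower()
    flagged = []
    for e in entries:
        if any(s.lower().startswith("/safeboot") for s in e["switches"]):
            mark = "*" if e["path"].lower() == default else ""
            flagged.append(mark + e["desc"])
    return flagged


def strip_safeboot(text):
    """Return boot.ini text with every /safeboot switch removed; all other
    switches are kept in their original order, other lines are untouched."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            kept = [s for s in m.group("switches").split()
                    if not s.lower().startswith("/safeboot")]
            raw = '%s="%s"' % (m.group("path"), m.group("desc"))
            if kept:
                raw += " " + " ".join(kept)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("entries forcing Safe Mode:", forced_safeboot(SAMPLE_FORCED_SAFE_MODE))
    print(strip_safeboot(SAMPLE_FORCED_SAFE_MODE))
```

On a live XP system boot.ini is a hidden, read-only system file in the root of the system drive, so a check like this is most useful run from a rescue environment such as the Reatogo CD used in this thread, comparing the file's entries against what the owner expects before the machine is booted from it.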


#10 Fex

Fex
  • Topic Starter

  • Members
  • 71 posts

Posted 29 March 2010 - 02:44 PM

QUOTE(elise025 @ Mar 30 2010, 12:07 AM)
Restart your computer normally and see if it boots now.


It boots now. It's just a little slow.

You rock.

What's next?


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • Gender:Female
  • Location:Romania

Posted 29 March 2010 - 02:51 PM

I see indeed evidence there might still be some malware there.

Please post me the log you will find at c:\combofix.txt

regards, Elise




#12 Fex

Fex
  • Topic Starter

  • Members
  • 71 posts

Posted 29 March 2010 - 06:46 PM

It wasn't there. It's now clear that Combofix didn't run properly at the last attempt.
So, I downloaded it again, renamed the exe, switched system restore back on and ran it again, following the instructions this time. (I hope you'll forgive me for acting on my own initiative; I know it doesn't always work out so well....)

ComboFix 10-03-29.02 - Jon 03/30/2010 6:00.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.511 [GMT 7:00]
Running from: c:\documents and settings\Jon\Desktop\Jon.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents
c:\windows\patch.exe
c:\windows\system32\Data
c:\windows\system32\dumphive.exe
c:\windows\System32\ntSVc.ocx
c:\windows\system32\Process.exe
c:\windows\system32\skinboxer43.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\twain_16.dll
M:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-30 02:08 . 2010-03-30 02:08 -------- d-s---w- c:\documents and settings\Administrator.HAL\IETldCache
2010-03-25 12:29 . 2010-03-25 12:31 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\CutePDF Writer
2010-03-25 12:21 . 2010-03-25 12:21 -------- d-----w- c:\program files\GPLGS
2010-03-25 12:20 . 2009-11-05 01:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-03-25 12:20 . 2010-03-25 12:20 -------- d-----w- c:\program files\Acro Software
2010-03-25 08:55 . 1999-01-19 21:37 5904 ----a-w- c:\windows\system32\Takeown.exe
2010-03-25 08:55 . 2010-03-25 10:20 -------- d-----w- c:\windows\system32\takeown
2010-03-25 08:25 . 2010-03-25 08:25 -------- d-----w- c:\documents and settings\Jon\Application Data\Yahoo!
2010-03-25 08:25 . 2010-03-25 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-25 08:25 . 2010-03-25 08:26 -------- d-----w- c:\program files\Yahoo!
2010-03-23 13:59 . 2010-03-23 13:59 -------- d-----w- c:\windows\system32\zh_temp
2010-03-23 07:44 . 2010-03-23 18:28 -------- d-----w- c:\documents and settings\Jon\Application Data\QuickScan
2010-03-23 04:06 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-23 04:06 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-23 04:06 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-23 04:06 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-23 04:06 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-23 04:06 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-23 04:06 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-23 04:06 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-23 04:06 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-23 04:06 . 2010-03-23 04:06 -------- d-----w- c:\program files\Alwil Software
2010-03-23 04:06 . 2010-03-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 03:35 . 2010-03-20 03:35 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Shalsoft
2010-03-19 15:15 . 2010-03-19 15:15 -------- d-----w- c:\program files\StudioDevil
2010-03-19 14:30 . 2010-03-19 15:15 55822 ----a-w- c:\windows\unins003.dat
2010-03-19 14:30 . 2010-03-19 15:09 697690 ----a-w- c:\windows\unins003.exe
2010-03-19 11:43 . 2010-03-19 12:52 13022 ----a-w- c:\windows\unins002.dat
2010-03-19 11:43 . 2010-03-19 12:52 695642 ----a-w- c:\windows\unins002.exe
2010-03-17 21:57 . 2010-03-17 21:57 -------- d-----w- c:\program files\ASIO4ALL v2
2010-03-17 21:06 . 2004-10-19 02:07 9728 ------w- c:\windows\system32\drivers\PfModNT.sys
2010-03-17 20:59 . 2003-11-11 04:08 77824 ------w- c:\windows\system32\ctdvda32.dll
2010-03-16 13:55 . 2010-03-25 09:45 -------- d-----w- c:\windows\system32\NtmsData
2010-03-16 12:04 . 2010-03-16 12:04 -------- d-----w- c:\documents and settings\Jon\Application Data\Foxit
2010-03-16 12:00 . 2010-03-16 12:02 -------- d-----w- c:\program files\CDex
2010-03-16 08:01 . 2010-03-16 08:01 -------- d-----w- c:\documents and settings\Jon\Application Data\TrueCrypt
2010-03-15 23:36 . 2010-03-15 23:36 389120 ----a-w- c:\windows\system32\CF5874.exe
2010-03-15 23:02 . 2010-03-15 23:02 -------- d-----w- c:\program files\kX Audio Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 22:40 . 2006-03-29 11:21 55 -c--a-w- c:\windows\sfshell.tmp
2010-03-26 10:22 . 2006-12-21 18:51 -------- d-----w- c:\program files\JetAudio
2010-03-26 10:19 . 2006-12-21 18:51 -------- d-----w- c:\program files\Common Files\COWON
2010-03-26 07:33 . 2010-03-26 16:57 668648 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-03-26 07:33 . 2010-03-26 16:57 830864 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-03-25 13:14 . 2009-08-23 09:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-25 08:25 . 2006-04-05 20:00 -------- d-----w- c:\program files\CCleaner
2010-03-23 15:03 . 2008-12-07 07:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 14:54 . 2009-01-19 12:04 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-21 15:01 . 2006-04-19 11:51 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-20 07:27 . 2007-02-08 00:34 -------- d-----w- c:\program files\VstPlugins
2010-03-20 07:11 . 2007-02-04 19:18 -------- d-----w- c:\program files\Steinberg
2010-03-20 03:33 . 2008-07-17 11:08 -------- d-----w- c:\program files\GigaTribe
2010-03-20 00:08 . 2004-05-20 14:20 25080 -c--a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 21:10 . 2006-05-01 08:02 -------- d-----w- c:\program files\Creative
2010-03-16 15:04 . 2004-09-10 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 12:13 . 2008-09-23 12:09 -------- d-----w- c:\program files\REAPER
2010-03-16 08:42 . 2005-12-29 10:54 80896 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\LZMA.dll
2010-03-16 08:42 . 2005-12-29 10:54 5632 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Swap.dll
2010-03-16 08:42 . 2005-12-29 10:54 5120 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Copy.dll
2010-03-16 08:42 . 2005-12-29 10:54 129024 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Formats\7z.dll
2010-03-16 08:42 . 2005-12-29 10:54 32256 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Aes.dll
2010-03-16 08:42 . 2005-12-29 10:54 18944 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Branch.dll
2010-03-16 08:42 . 2005-12-29 10:54 13824 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\7zAes.dll
2010-01-07 09:07 . 2008-12-07 07:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 09:07 . 2008-12-07 07:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-09-09 18:14 . 2007-10-12 19:40 5632 --sha-w- c:\program files\Common Files\Thumbs.db
2007-08-14 14:11 . 2006-12-14 21:55 6144 --sha-w- c:\program files\Thumbs.db
2007-02-12 22:46 . 2007-02-12 22:46 785 ----a-w- c:\program files\unins000.dat
2003-11-20 11:14 . 2003-11-20 11:14 102400 ----a-w- c:\program files\sfz.exe
2003-10-21 21:00 . 2003-10-21 21:00 75922 ----a-w- c:\program files\unins000.exe
2005-05-11 06:28 . 2004-10-28 23:21 44153 -c--a-w- c:\program files\mozilla firefox\components\inspector.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-08-25 16:19 . 2005-08-25 16:19 108 --sha-r- c:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-12 315392]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-07-24 1155122]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-12-12 125440]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"CTSysVol"="c:\program files\Creative\SB Digital Music SX\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 10:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll
"midi2"=usbmn1x1.dll
"midi3"=myokent.dll
"midi5"=mapledxp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2010-03-19 06:19 2046816 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2004-08-01 11:46 155648 -c--a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 18:00 90112 ------w- c:\windows\Updreg.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WS_FTP\\ws_ftp95.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\REAPER\\reaper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\GigaTribe\\gigatribe.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/29/2006 2:04 AM 642560]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/23/2010 11:06 AM 162640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/30/2009 5:42 PM 335240]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [11/23/2008 11:38 PM 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/23/2010 11:06 AM 19024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/30/2009 5:38 PM 297752]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2/5/2007 2:14 AM 33792]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [12/12/2005 9:02 AM 1905408]
S2 gupdate1ca486681e43a44;Google Update Service (gupdate1ca486681e43a44);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2009 5:27 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 Alic1iskwuww;Alic1iskwuww; [x]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\program files\Unlocker\UnlockerDriver4.sys [4/24/2005 4:08 PM 3584]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 22:26]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 22:26]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.google.co.uk/search?q=
FF - component: c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.1_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_01\bin\NPJPI141_01.dll
FF - plugin: c:\program files\Java\j2re1.4.1_01\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SYS1 - c:\windows\system32\system.exe
HKLM-Run-SYS2 - c:\windows\system32\bad1.exe
HKLM-Run-SYS3 - c:\windows\system32\bad2.exe
HKLM-Run-SYS4 - c:\windows\system32\bad3.exe
MSConfigStartUp-SYS2 - c:\windows\system32\bad1.exe
MSConfigStartUp-SYS3 - c:\windows\system32\bad2.exe
MSConfigStartUp-SYS4 - c:\windows\system32\bad3.exe
ActiveSetup-{0CA3D76C-7AC1-8CA0-8BE6-7CCC7EDD8ECA} - c:\windows\windois.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 06:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8778B788]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8778b788
\Driver\ACPI -> ACPI.sys @ 0xf74e4cb8
\Driver\atapi -> atapi.sys @ 0xf749fb40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7391bd4
PacketIndicateHandler -> NDIS.sys @ 0xf737fa0d
SendHandler -> NDIS.sys @ 0xf7393b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{262EE60B-B0EB-DEC1-7540-54FF7D4B4AFD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaendifhelmdmljafmoe"=hex:69,61,70,70,65,6c,67,6a,64,64,6d,69,66,6e,70,6b,63,
6c,00,00
"iaknfjmolndmjjmeed"=hex:6a,61,70,70,65,6c,68,6a,69,6c,67,6c,6e,68,6f,6d,6a,6b,
6a,6a,00,d5

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60F187D2-E7DC-6E15-E8A9-8A9E68DFE2D7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakkekmlneagfbcdei"=hex:6a,61,62,6d,66,68,65,6f,6d,67,68,6c,6f,62,70,6f,6c,67,
66,66,00,01
"haimoeakfaleegcm"=hex:6a,61,62,6d,66,68,65,6f,6c,67,6b,6c,64,6e,6a,6f,68,6a,
61,6a,00,01
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\myokent.dll

- - - - - - - > 'explorer.exe'(3696)
c:\windows\system32\myokent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\CTsvcCDA.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\RunDll32.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Creative\SB Digital Music SX\Entertainment Center\EAXLoadr.exe
.
**************************************************************************
.
Completion time: 2010-03-30 06:21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-29 23:21

Pre-Run: 23,841,177,600 bytes free
Post-Run: 23,664,177,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - DACC6145B27FC085BD38D0EA36AA0472



I forgot to turn Spybot off, and it queried several registry changes after reboot, while Combofix was supposedly writing the log. I figured that they were legitimate changes, so I allowed them all.

CCleaner is now showing a lot of new registry issues (I haven't let it fix them yet), but the old ones have finally gone. It's looking good....

I see that the Combofix log says "Warning: possible MBR rootkit infection !" Is that anything to worry about?

Can I delete boot.ini.bak now?

Edit: I still can't access safer-networking.org (spybot) or malwarebytes.org, and now avast! can't connect to the server to update.

Edited by Fex, 29 March 2010 - 06:56 PM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • Gender:Female
  • Location:Romania

Posted 30 March 2010 - 03:12 AM

Hello,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Now re-run Combofix and post me the log afterwards.

regards, Elise




#14 Fex

Fex
  • Topic Starter

  • Members
  • 71 posts

Posted 30 March 2010 - 06:45 AM

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:04 on 30/03/2010 (Jon)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read dtscsi.sys
Unable to read sptd.sys
Unable to read sptd0573.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-


------------------------------------------------------------------------------------------

ComboFix 10-03-29.02 - Jon 03/30/2010 18:11:53.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.537 [GMT 7:00]
Running from: c:\documents and settings\Jon\Desktop\Jon.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
M:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 02:08 . 2010-03-30 02:08 -------- d-s---w- c:\documents and settings\Administrator.HAL\IETldCache
2010-03-26 16:57 . 2010-03-26 07:33 668648 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-03-26 16:57 . 2010-03-26 07:33 830864 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-03-25 12:29 . 2010-03-25 12:31 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\CutePDF Writer
2010-03-25 12:21 . 2010-03-25 12:21 -------- d-----w- c:\program files\GPLGS
2010-03-25 12:20 . 2009-11-05 01:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-03-25 12:20 . 2010-03-25 12:20 -------- d-----w- c:\program files\Acro Software
2010-03-25 08:55 . 1999-01-19 21:37 5904 ----a-w- c:\windows\system32\Takeown.exe
2010-03-25 08:55 . 2010-03-25 10:20 -------- d-----w- c:\windows\system32\takeown
2010-03-25 08:25 . 2010-03-25 08:25 -------- d-----w- c:\documents and settings\Jon\Application Data\Yahoo!
2010-03-25 08:25 . 2010-03-25 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-25 08:25 . 2010-03-25 08:26 -------- d-----w- c:\program files\Yahoo!
2010-03-23 13:59 . 2010-03-23 13:59 -------- d-----w- c:\windows\system32\zh_temp
2010-03-23 07:44 . 2010-03-23 18:28 -------- d-----w- c:\documents and settings\Jon\Application Data\QuickScan
2010-03-23 04:06 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-23 04:06 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-23 04:06 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-23 04:06 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-23 04:06 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-23 04:06 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-23 04:06 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-23 04:06 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-23 04:06 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-23 04:06 . 2010-03-23 04:06 -------- d-----w- c:\program files\Alwil Software
2010-03-23 04:06 . 2010-03-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 03:35 . 2010-03-20 03:35 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Shalsoft
2010-03-19 15:15 . 2010-03-19 15:15 -------- d-----w- c:\program files\StudioDevil
2010-03-19 14:30 . 2010-03-19 15:15 55822 ----a-w- c:\windows\unins003.dat
2010-03-19 14:30 . 2010-03-19 15:09 697690 ----a-w- c:\windows\unins003.exe
2010-03-19 11:43 . 2010-03-19 12:52 13022 ----a-w- c:\windows\unins002.dat
2010-03-19 11:43 . 2010-03-19 12:52 695642 ----a-w- c:\windows\unins002.exe
2010-03-17 21:57 . 2010-03-17 21:57 -------- d-----w- c:\program files\ASIO4ALL v2
2010-03-17 21:38 . 2009-11-03 02:51 421888 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-03-17 21:06 . 2004-10-19 02:07 9728 ------w- c:\windows\system32\drivers\PfModNT.sys
2010-03-17 20:59 . 2003-11-11 04:08 77824 ------w- c:\windows\system32\ctdvda32.dll
2010-03-16 13:55 . 2010-03-25 09:45 -------- d-----w- c:\windows\system32\NtmsData
2010-03-16 12:04 . 2010-03-16 12:04 -------- d-----w- c:\documents and settings\Jon\Application Data\Foxit
2010-03-16 12:00 . 2010-03-16 12:02 -------- d-----w- c:\program files\CDex
2010-03-16 08:01 . 2010-03-16 08:01 -------- d-----w- c:\documents and settings\Jon\Application Data\TrueCrypt
2010-03-15 23:36 . 2010-03-15 23:36 389120 ----a-w- c:\windows\system32\CF5874.exe
2010-03-15 23:02 . 2010-03-15 23:02 -------- d-----w- c:\program files\kX Audio Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 11:02 . 2008-12-07 07:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 10:55 . 2009-01-19 12:04 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 10:26 . 2006-03-29 11:21 440 -c--a-w- c:\windows\sfshell.tmp
2010-03-30 08:44 . 2004-09-10 20:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-29 17:46 . 2008-12-07 07:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:45 . 2008-12-07 07:23 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 10:22 . 2006-12-21 18:51 -------- d-----w- c:\program files\JetAudio
2010-03-26 10:19 . 2006-12-21 18:51 -------- d-----w- c:\program files\Common Files\COWON
2010-03-25 13:14 . 2009-08-23 09:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-25 08:25 . 2006-04-05 20:00 -------- d-----w- c:\program files\CCleaner
2010-03-21 15:01 . 2006-04-19 11:51 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-20 07:27 . 2007-02-08 00:34 -------- d-----w- c:\program files\VstPlugins
2010-03-20 07:11 . 2007-02-04 19:18 -------- d-----w- c:\program files\Steinberg
2010-03-20 03:33 . 2008-07-17 11:08 -------- d-----w- c:\program files\GigaTribe
2010-03-20 00:08 . 2004-05-20 14:20 25080 -c--a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 21:10 . 2006-05-01 08:02 -------- d-----w- c:\program files\Creative
2010-03-16 15:04 . 2004-09-10 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 12:13 . 2008-09-23 12:09 -------- d-----w- c:\program files\REAPER
2010-03-16 08:42 . 2005-12-29 10:54 80896 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\LZMA.dll
2010-03-16 08:42 . 2005-12-29 10:54 5632 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Swap.dll
2010-03-16 08:42 . 2005-12-29 10:54 5120 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Copy.dll
2010-03-16 08:42 . 2005-12-29 10:54 129024 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Formats\7z.dll
2010-03-16 08:42 . 2005-12-29 10:54 32256 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Aes.dll
2010-03-16 08:42 . 2005-12-29 10:54 18944 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\Branch.dll
2010-03-16 08:42 . 2005-12-29 10:54 13824 ----a-w- c:\documents and settings\Jon\Application Data\Seven Zip\Codecs\7zAes.dll
2008-09-09 18:14 . 2007-10-12 19:40 5632 --sha-w- c:\program files\Common Files\Thumbs.db
2007-08-14 14:11 . 2006-12-14 21:55 6144 --sha-w- c:\program files\Thumbs.db
2007-02-12 22:46 . 2007-02-12 22:46 785 ----a-w- c:\program files\unins000.dat
2003-11-20 11:14 . 2003-11-20 11:14 102400 ----a-w- c:\program files\sfz.exe
2003-10-21 21:00 . 2003-10-21 21:00 75922 ----a-w- c:\program files\unins000.exe
2005-05-11 06:28 . 2004-10-28 23:21 44153 -c--a-w- c:\program files\mozilla firefox\components\inspector.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-08-25 16:19 . 2005-08-25 16:19 108 --sha-r- c:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-30_01.29.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-30 11:08 . 2010-03-30 11:08 16384 c:\windows\Temp\Perflib_Perfdata_390.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-12 315392]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-07-24 1155122]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-12-12 125440]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"CTSysVol"="c:\program files\Creative\SB Digital Music SX\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 10:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll
"midi2"=usbmn1x1.dll
"midi3"=myokent.dll
"midi5"=mapledxp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2010-03-19 06:19 2046816 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2004-08-01 11:46 155648 -c--a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 18:00 90112 ------w- c:\windows\Updreg.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WS_FTP\\ws_ftp95.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\REAPER\\reaper.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\GigaTribe\\gigatribe.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/23/2010 11:06 AM 162640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/30/2009 5:42 PM 335240]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [11/23/2008 11:38 PM 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/23/2010 11:06 AM 19024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/30/2009 5:38 PM 297752]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2/5/2007 2:14 AM 33792]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [12/12/2005 9:02 AM 1905408]
S2 gupdate1ca486681e43a44;Google Update Service (gupdate1ca486681e43a44);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2009 5:27 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 Alic1iskwuww;Alic1iskwuww; [x]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\program files\Unlocker\UnlockerDriver4.sys [4/24/2005 4:08 PM 3584]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/29/2006 2:04 AM 642560]
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 22:26]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 22:26]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=202.56.253.183:8080
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.google.co.uk/search?q=
FF - component: c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\default.kvr\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 18:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{262EE60B-B0EB-DEC1-7540-54FF7D4B4AFD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaendifhelmdmljafmoe"=hex:69,61,70,70,65,6c,67,6a,64,64,6d,69,66,6e,70,6b,63,
6c,00,00
"iaknfjmolndmjjmeed"=hex:6a,61,70,70,65,6c,68,6a,69,6c,67,6c,6e,68,6f,6d,6a,6b,
6a,6a,00,d5

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60F187D2-E7DC-6E15-E8A9-8A9E68DFE2D7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakkekmlneagfbcdei"=hex:6a,61,62,6d,66,68,65,6f,6d,67,68,6c,6f,62,70,6f,6c,67,
66,66,00,01
"haimoeakfaleegcm"=hex:6a,61,62,6d,66,68,65,6f,6c,67,6b,6c,64,6e,6a,6f,68,6a,
61,6a,00,01
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\myokent.dll
.
Completion time: 2010-03-30 18:22:49
ComboFix-quarantined-files.txt 2010-03-30 11:22
ComboFix2.txt 2010-03-30 01:32
ComboFix3.txt 2010-03-29 23:21

Pre-Run: 23,425,937,408 bytes free
Post-Run: 23,395,737,600 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 01F61EE17DF8BF5812C81C164971D065

------------------------------------------------------------------------------------------

I was able to update the anti-malware progs immediately after Spybot 'fixed' Win32.Autoit.p for the umpteenth time....

It's back, though. So's Zlob.


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:12 PM

Posted 30 March 2010 - 09:40 AM

Okay, let's first get a log to see what's going on.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


