Fake anti malware program


This topic is locked
26 replies to this topic

#1 CheckersMcGavern
  • Members
  • 85 posts

Posted 05 June 2010 - 12:46 PM

I tried removing it with MBAM, but it only seems to have made things worse. Now the computer can't even boot up at all!
It goes through the boot process, windows loading screen pops up, then an error message comes up... saying Windows had trouble loading and it asks me to pick an option for restart. Only... my keyboard won't work when it comes up... so it stays on the 'restart normally' option and loops endlessly. I tried using a different keyboard... and it was able to access the Bios... so I know it functions... but when it goes back to the error screen it won't function. Something tells me it's the virus putting that screen up... so I believe I need a way to kill it before loading Windows. Fortunately I have this computer (although it was hit with a different virus the other day [friggen google link redirect virus] it still seems to work well enough) so I can download and burn to CD any programs needed.

Please help!

#2 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 08 June 2010 - 03:00 AM

Hello, please see if you can follow the steps below.

I will move this thread to a more appropriate forum.

Please download OTLPE (filesize 120,9 MB)
  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 CheckersMcGavern
  • Topic Starter
  • Members
  • 85 posts

Posted 09 June 2010 - 12:45 PM

Okay, I managed to burn the CD, everything loaded on the computer... unfortunately, when I ran the scan... it didn't save a log. And I can't seem to be able to find a way to save it myself.

#4 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 09 June 2010 - 01:09 PM

The log should be saved at c:\OTL.txt

You can access that using My Computer on the Reatogo-X-PE desktop.

regards, Elise




#5 CheckersMcGavern
  • Topic Starter
  • Members
  • 85 posts

Posted 09 June 2010 - 01:20 PM

Yeah, it's not there. In fact, after trying to look through My Computer, I attempted a search for 'OTL' and didn't find it anywhere.

*edit* Heck, I even copied and pasted c:\OTL.txt into the My Computer address bar and it tells me it couldn't find it.

Edited by CheckersMcGavern, 09 June 2010 - 01:27 PM.


#6 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 09 June 2010 - 01:42 PM

Please try to rerun the scan and see if it completes or gives any error.

regards, Elise




#7 CheckersMcGavern
  • Topic Starter
  • Members
  • 85 posts

Posted 09 June 2010 - 02:47 PM

I open OTLPE, it brings up a prompt asking "Do you wish to load remote user profile(s) for scanning?", I click yes.

Select Use Profile window pops up with my name, LocalService, and NetworkService in the list. My name is already selected. Under the list is a checked box with "Automatically Load All Remaining Users?" next to it. I click OK.

OTLPE by OldTimer - Version 3.1.39.0 window opens. Top left hand corner has buttons Run Scan, Quick Scan, Run Fix, and None. I click Run Scan. Bottom text bar has "Scanning service:" with various file locations and registry names flashing until it finishes with "Scans complete!".

I open My Computer, open the C drive and see no OTL.txt listed.

I've done about 7 scans now and nothing has happened beyond what I've just described. Am I doing something wrong? Should I wait a bit after the scan completes? This is my parents' computer and it is pretty old. Perhaps it just needs a moment to bring the log up?

Edited by CheckersMcGavern, 09 June 2010 - 02:48 PM.


#8 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 09 June 2010 - 02:57 PM

Does the computer have more than one hard disk or partition?

regards, Elise




#9 CheckersMcGavern
  • Topic Starter
  • Members
  • 85 posts

Posted 09 June 2010 - 03:25 PM

There's just one HDD. Although... it looks like another partition was added. RAMDisk (B:). It's only 64 MBs in size... I just assumed that was created by the CD.

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 10 June 2010 - 01:48 AM

The RAM disk is indeed created by the CD. I will check back with OTLPE's developer to see if he can clarify this. I will post back shortly, sorry for the delay.

regards, Elise




#11 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 10 June 2010 - 08:52 AM

On the Reatogo-X-PE desktop, click Start > Run, and type regedit.exe in the runbox and press enter.

Select the HKEY_LOCAL_MACHINE hive
From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\

Select the file named SOFTWARE (the file without any extensions), and click Open
Type a name for the hive that you've loaded now. (Example: MyXPHive)
Now the SOFTWARE hive is loaded, and present under the HKEY_LOCAL_Machine base hive.
Browse to the following key:
HKEY_LOCAL_MACHINE\<MyXPHive>\microsoft\windows nt\currentversion

In the right panel, look for a value named SystemRoot, and let me know what is listed there (usually it should say something like "c:\windows", in this case pay attention to the drive letter).

Now you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It's important to note that you'll need to select the MyXPHive branch first, before unloading it!

regards, Elise




#12 CheckersMcGavern
  • Topic Starter
  • Members
  • 85 posts

Posted 10 June 2010 - 09:54 AM

It's no trouble at all. My other machine has a virus problem as well (blasted redirect virus) so while I wait for responses to this problem I look for ways to fix that one. lol

Anyway, I did follow the instructions and made sure the hive was unloaded after. System Root had 'E:/Windows' listed. Not quite sure why it's E....

#13 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 10 June 2010 - 10:31 AM

Hello again,

Please follow these steps in order to change the drive letter on Reatogo. Please boot from the CD.
1. Right-click on the My Computer icon on the Reatogo-X-PE desktop
2. Click on the Manage option
3. Click on Disk Management
4. Right-click on the C: drive
5. Click on Change Drive Letter and Paths
6. Select the C: drive and click on the Change button
7. Select Assign the following Drive Letter option
8. In the drop-down selection box select E:\
9. Click Ok for any warning messages and close out the Computer Management dialog box.

Now rerun OTLPE, you should find the log in E:\OTL.txt (your C drive will now be named E:\ in My Computer).

regards, Elise




#14 CheckersMcGavern
  • Topic Starter
  • Members
  • 85 posts

Posted 10 June 2010 - 10:58 AM

Okay, here we go.

-----------
OTL logfile created on: 6/10/2010 12:51:41 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 714.00 Mb Available Physical Memory | 70.00% Memory free
907.00 Mb Paging File | 713.00 Mb Available in Paging File | 79.00% Paging File free
Paging file location(s): E:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
C: Drive not present or media not loaded
D: Drive not present or media not loaded
Drive E: | 149.04 Gb Total Space | 122.65 Gb Free Space | 82.29% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/03/13 09:16:18 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- E:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/13 09:15:08 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- E:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- E:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/03/09 11:20:26 | 000,071,096 | ---- | M] () [Auto] -- E:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2007/02/05 10:11:18 | 000,075,320 | ---- | M] (Sony Corporation) [On_Demand] -- E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2007/02/05 10:11:16 | 000,112,184 | ---- | M] (Sony Corporation) [On_Demand] -- E:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto] -- E:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/12/14 02:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand] -- E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 02:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand] -- E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 01:46:16 | 000,057,344 | ---- | M] () [On_Demand] -- E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/06/08 08:40:50 | 000,782,336 | ---- | M] (Sony Corporation) [Auto] -- E:\Program Files\Sony\MD Simple Burner\NetMDSB.exe -- (NetMDSB)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Auto] -- -- (MCSTRM)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | Boot] -- -- (kueumds)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/06/03 08:19:53 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- E:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/03 08:19:53 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- E:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/13 09:15:07 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- E:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2008/04/13 14:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:40:27 | 000,057,600 | ---- | M] () [Kernel | System] -- E:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/03/18 06:10:48 | 000,031,264 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto] -- E:\Program Files\GameTap\bin\Release\X4HSX32.sys -- (X4HSX32)
DRV - [2008/01/22 17:38:03 | 002,845,696 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/12/27 21:05:40 | 000,715,248 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- E:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2007/11/06 23:40:20 | 000,169,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/04/09 10:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 10:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 10:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2003/08/15 03:53:12 | 000,462,684 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/08/14 11:16:38 | 000,404,736 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/08/04 08:14:34 | 000,065,152 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2003/05/30 04:05:30 | 000,089,610 | R--- | M] (Silicon Image, Inc) [Kernel | Boot] -- E:\WINDOWS\system32\drivers\SI3112r.sys -- (SI3112r)
DRV - [2003/05/12 12:59:24 | 000,013,312 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto] -- E:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC)
DRV - [2003/05/12 12:59:10 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto] -- E:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC)
DRV - [2003/05/12 12:58:55 | 000,102,912 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx)
DRV - [2003/05/12 12:58:02 | 000,062,464 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto] -- E:\WINDOWS\system32\drivers\atinxsxx.sys -- (ATIXSAudio)
DRV - [2003/05/12 12:57:17 | 000,051,200 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx)
DRV - [2003/05/12 12:54:15 | 000,038,400 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto] -- E:\WINDOWS\system32\drivers\atintuxx.sys -- (ATITUNEP)
DRV - [2003/04/21 02:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) [Kernel | Boot] -- E:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2003/04/11 01:32:36 | 000,502,160 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2003/04/02 22:59:46 | 000,850,880 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/04/01 08:07:58 | 000,142,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2003/03/27 00:58:56 | 000,287,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/03/25 08:13:30 | 000,144,736 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2003/03/25 08:13:20 | 000,135,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/03/25 08:13:02 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2003/03/25 08:12:54 | 000,190,176 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/03/25 08:11:24 | 000,134,656 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2003/03/19 03:51:00 | 000,018,688 | R--- | M] (NVIDIA Corporation) [Kernel | Boot] -- E:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp)
DRV - [2003/03/05 12:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto] -- E:\WINDOWS\system32\pfmodnt.sys -- (PfModNT)
DRV - [2003/02/20 04:08:54 | 000,021,851 | R--- | M] (Integrated Technology Express, Inc.) [Kernel | Boot] -- E:\WINDOWS\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2003/02/12 00:37:48 | 000,009,600 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot] -- E:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter)
DRV - [2002/08/08 15:51:32 | 000,038,951 | ---- | M] (Sony Corporation) [Kernel | On_Demand] -- E:\WINDOWS\system32\drivers\NETMDUSB.sys -- (NETMDUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - E:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Daniel_Bright_ON_E\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\Daniel_Bright_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Daniel_Bright_ON_E\..\URLSearchHook: *{03402F96-3DC7-4285-BC50-9E81FEFAFE43} - Reg Error: Key error. File not found
IE - HKU\Daniel_Bright_ON_E\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\Daniel_Bright_ON_E\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\Daniel_Bright_ON_E\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\Daniel_Bright_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Daniel_Bright_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Daniel_Bright_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: E:\Program Files\AVG\AVG9\Firefox [2010/06/04 06:42:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: E:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/05/23 13:40:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: E:\Program Files\MyWebSearch\bar\1.bin File not found
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: E:\Program Files\Mozilla Firefox\components [2010/04/21 11:00:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: E:\Program Files\Mozilla Firefox\plugins [2010/04/02 15:47:56 | 000,000,000 | ---D | M]

[2010/06/03 16:23:48 | 000,000,000 | ---D | M] -- E:\Program Files\Mozilla Firefox\extensions
[2007/12/27 21:10:37 | 000,000,000 | ---D | M] (AdVantage) -- E:\Program Files\Mozilla Firefox\extensions\{A89AED22-9133-424c-88E7-C8235C5FF302}
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- E:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2007/07/27 08:00:00 | 000,000,734 | ---- | M]) - E:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - E:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - E:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\Daniel_Bright_ON_E\..\Toolbar\WebBrowser: (no name) - {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No CLSID value found.
O3 - HKU\Daniel_Bright_ON_E\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKU\Daniel_Bright_ON_E\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - E:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\Daniel_Bright_ON_E\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AsioReg] E:\WINDOWS\System32\CTASIO.DLL (Creative Technology Ltd)
O4 - HKLM..\Run: [AVG9_TRAY] E:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CTDVDDet] E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] E:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MChk] E:\WINDOWS\System32\vavjdttz.exe File not found
O4 - HKLM..\Run: [SBDrvDet] E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [skb] File not found
O4 - HKLM..\Run: [SoundMan] E:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [UpdReg] E:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKU\Daniel_Bright_ON_E..\Run: [Aim6] File not found
O4 - HKU\Daniel_Bright_ON_E..\Run: [gotnewupdate000.exe] E:\Documents and Settings\Daniel Bright\Application Data\532A75910DFF9BF8D9AD891EA49BA1EB\gotnewupdate000.exe (MS)
O4 - HKU\Daniel_Bright_ON_E..\Run: [Messenger (Yahoo!)] E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\Daniel_Bright_ON_E..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\Daniel_Bright_ON_E..\Run: [updateMgr] E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: Error locating startup folders.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Daniel_Bright_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AIM Toolbar Search - E:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html ()
O9 - Extra Button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - E:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - E:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: TestPokerStars.com - {809132AF-89D2-4d52-AA03-AB4E35BBDC5B} - E:\Program Files\PokerStars.TEST\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook.com/controls/contactx.dll (ContactExtractor Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab (CBankshotZoneCtrl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 76.85.229.110 76.85.229.111
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - E:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - E:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - E:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{3960bab3-7cce-11de-a26c-000d615e4049}\Shell\AutoRun\command - "" = C:\__DTMEDIA\DTMedia.exe -- File not found
O33 - MountPoints2\{449eae70-4547-11dd-aa14-000d615e4049}\Shell\AutoRun\command - "" = C:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{4d90c6b7-83ed-11dc-81f8-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{4d90c6b7-83ed-11dc-81f8-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4d90c6b7-83ed-11dc-81f8-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/04 22:59:34 | 000,000,000 | ---D | C] -- E:\Avenger
[2010/06/04 22:26:04 | 000,000,000 | ---D | C] -- E:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/04 22:26:03 | 000,000,000 | ---D | C] -- E:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/04 21:41:04 | 000,000,000 | ---D | C] -- E:\Program Files\$NtUninstallWTF1012$
[2010/06/04 21:40:45 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Daniel Bright\Application Data\532A75910DFF9BF8D9AD891EA49BA1EB
[2010/05/20 11:05:29 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Daniel Bright\Desktop\SBurner
[2010/05/20 10:53:08 | 000,036,679 | ---- | C] (Sony Corporation) -- E:\WINDOWS\System32\drivers\NETMD052.sys
[2010/05/20 10:52:45 | 000,770,048 | ---- | C] (Gracenote) -- E:\WINDOWS\System32\CDDBUISony.dll
[2010/05/20 10:52:45 | 000,655,360 | ---- | C] (Gracenote, Inc.) -- E:\WINDOWS\System32\CDDBControlSony.dll
[2010/05/20 10:52:45 | 000,589,824 | ---- | C] (Gracenote) -- E:\WINDOWS\System32\CddbMusicIDSony.dll
[2010/05/20 10:52:45 | 000,073,728 | ---- | C] (Gracenote) -- E:\WINDOWS\System32\CddbLinkSony.dll
[2010/05/20 10:51:10 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Daniel Bright\Application Data\Sony Corporation
[2010/05/20 10:51:09 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Sony Shared
[2010/05/19 07:09:51 | 000,090,112 | ---- | C] (Sony Corporation) -- E:\WINDOWS\snymsico.dll
[2010/05/19 07:09:51 | 000,038,951 | ---- | C] (Sony Corporation) -- E:\WINDOWS\System32\drivers\NETMDUSB.sys
[2010/05/19 07:09:51 | 000,036,232 | ---- | C] (Sony Corporation) -- E:\WINDOWS\System32\drivers\NETMD033.sys
[2010/05/19 07:09:51 | 000,035,319 | ---- | C] (Sony Corporation) -- E:\WINDOWS\System32\drivers\NETMD031.sys
[2010/05/19 07:09:50 | 000,000,000 | ---D | C] -- E:\Program Files\Sony
[2010/05/19 07:09:23 | 001,767,968 | ---- | C] (Sony Corporation ) -- E:\Program Files\PA_DRIVER.EXE
[2010/05/19 07:06:39 | 002,289,828 | ---- | C] (Sony Corporation ) -- E:\Program Files\UPDATE_MDSB2001U.EXE
[2007/10/27 11:40:46 | 000,065,536 | ---- | C] ( ) -- E:\WINDOWS\System32\a3d.dll
[5 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[10 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/09 17:28:16 | 006,291,456 | -H-- | M] () -- E:\Documents and Settings\Daniel Bright\NTUSER.DAT
[2010/06/04 22:58:32 | 000,262,144 | -H-- | M] () -- E:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/06/04 22:58:32 | 000,262,144 | -H-- | M] () -- E:\Documents and Settings\LocalService\NTUSER.DAT
[2010/06/04 22:58:32 | 000,030,168 | ---- | M] () -- E:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-0000000A-00001102-00000004-10071102}.rfx
[2010/06/04 22:58:32 | 000,030,168 | ---- | M] () -- E:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-0000000A-00001102-00000004-10071102}.rfx
[2010/06/04 22:58:32 | 000,030,132 | ---- | M] () -- E:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-0000000A-00001102-00000004-10071102}.rfx
[2010/06/04 22:58:32 | 000,030,132 | ---- | M] () -- E:\WINDOWS\System32\BMXState-{00000001-00000000-0000000A-00001102-00000004-10071102}.rfx
[2010/06/04 22:58:32 | 000,002,064 | ---- | M] () -- E:\WINDOWS\System32\settingsbkup.sfm
[2010/06/04 22:58:32 | 000,002,064 | ---- | M] () -- E:\WINDOWS\System32\settings.sfm
[2010/06/04 22:58:32 | 000,000,292 | ---- | M] () -- E:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-0000000A-00001102-00000004-10071102}.dat
[2010/06/04 22:58:32 | 000,000,292 | ---- | M] () -- E:\WINDOWS\System32\DVCState-{00000001-00000000-0000000A-00001102-00000004-10071102}.dat
[2010/06/04 22:58:31 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2010/06/04 22:58:13 | 000,000,006 | -H-- | M] () -- E:\WINDOWS\tasks\SA.DAT
[2010/06/04 22:58:08 | 000,000,178 | -HS- | M] () -- E:\Documents and Settings\Daniel Bright\ntuser.ini
[2010/06/04 22:57:54 | 004,990,228 | ---- | M] () -- E:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-10071102}.CDF
[2010/06/04 22:57:52 | 000,000,296 | ---- | M] () -- E:\WINDOWS\tasks\vkyqzdwx.job
[2010/06/04 22:49:33 | 000,000,000 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Local Settings\Application Data\prvlcl.dat
[2010/06/04 22:19:23 | 000,000,868 | ---- | M] () -- E:\WINDOWS\tasks\Google Software Updater.job
[2010/06/04 22:07:02 | 000,001,010 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1500820517-725345543-1003UA.job
[2010/06/04 21:45:57 | 000,000,438 | -H-- | M] () -- E:\WINDOWS\tasks\User_Feed_Synchronization-{DA8277CF-BDF2-4FB2-AE41-259844296522}.job
[2010/06/04 21:41:32 | 000,001,237 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Start Menu\Programs\Startup\Antimalware Doctor.lnk
[2010/06/04 21:41:23 | 000,050,981 | ---- | M] () -- E:\WINDOWS\System32\gxowyiamhqhvtz.exe
[2010/06/04 19:05:34 | 060,704,886 | ---- | M] () -- E:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/06/04 06:44:11 | 000,013,694 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2010/06/04 03:07:01 | 000,000,958 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1500820517-725345543-1003Core.job
[2010/06/03 08:19:53 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- E:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/03 08:19:53 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- E:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/06/02 14:14:21 | 000,000,284 | ---- | M] () -- E:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/29 02:08:58 | 000,002,358 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Desktop\Google Chrome.lnk
[2010/05/27 19:42:24 | 000,149,932 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Desktop\BatmanAsGreenLantern.jpg
[2010/05/21 18:57:49 | 000,014,012 | -H-- | M] () -- E:\WINDOWS\System32\mlfcache.dat
[2010/05/21 00:38:54 | 000,090,389 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Desktop\Fringe.jpg
[2010/05/19 07:09:27 | 001,767,968 | ---- | M] (Sony Corporation ) -- E:\Program Files\PA_DRIVER.EXE
[2010/05/19 07:06:43 | 002,289,828 | ---- | M] (Sony Corporation ) -- E:\Program Files\UPDATE_MDSB2001U.EXE
[2010/05/17 22:38:13 | 000,207,360 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/12 03:00:46 | 000,001,374 | ---- | M] () -- E:\WINDOWS\imsins.BAK
[2010/05/12 00:20:58 | 001,013,293 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Desktop\129167583988157915.gif
[2010/05/12 00:20:53 | 000,985,844 | ---- | M] () -- E:\Documents and Settings\Daniel Bright\Desktop\dramaticcatu.gif
[2010/05/11 19:55:19 | 000,060,416 | ---- | M] (Realtek Semiconductor Corp.) -- E:\WINDOWS\ALCFDRTM.VER
[5 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[10 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- E:\WINDOWS\System32\sogojito
[2010/06/04 21:41:32 | 000,001,237 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Start Menu\Programs\Startup\Antimalware Doctor.lnk
[2010/06/04 21:41:23 | 000,050,981 | ---- | C] () -- E:\WINDOWS\System32\gxowyiamhqhvtz.exe
[2010/05/27 19:42:24 | 000,149,932 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Desktop\BatmanAsGreenLantern.jpg
[2010/05/21 18:57:49 | 000,014,012 | -H-- | C] () -- E:\WINDOWS\System32\mlfcache.dat
[2010/05/21 00:38:54 | 000,090,389 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Desktop\Fringe.jpg
[2010/05/20 10:52:45 | 000,532,480 | ---- | C] () -- E:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2010/05/12 00:20:58 | 001,013,293 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Desktop\129167583988157915.gif
[2010/05/12 00:20:53 | 000,985,844 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Desktop\dramaticcatu.gif
[2010/04/29 15:23:31 | 000,027,475 | ---- | C] () -- E:\WINDOWS\CSTBox.INI
[2010/04/03 13:37:57 | 000,000,262 | ---- | C] () -- E:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/10 17:35:58 | 000,000,000 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Local Settings\Application Data\prvlcl.dat
[2009/06/26 14:51:21 | 000,000,512 | ---- | C] () -- E:\WINDOWS\SIERRA.INI
[2009/02/21 14:06:57 | 000,043,520 | ---- | C] () -- E:\WINDOWS\System32\CmdLineExt03.dll
[2008/12/17 13:45:16 | 000,000,021 | ---- | C] () -- E:\WINDOWS\atid.ini
[2008/12/02 19:09:24 | 000,000,406 | ---- | C] () -- E:\WINDOWS\cdplayer.ini
[2008/12/02 19:07:09 | 000,000,004 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Application Data\95E8F8
[2008/12/02 19:07:08 | 000,870,128 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Application Data\mcs.rma
[2008/10/16 14:10:27 | 000,000,754 | ---- | C] () -- E:\WINDOWS\WORDPAD.INI
[2008/04/16 12:15:59 | 001,445,456 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\ymjmsi.log
[2008/04/14 16:57:51 | 000,010,621 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\.recently-used.xbel
[2008/02/18 01:09:08 | 000,000,010 | ---- | C] () -- E:\WINDOWS\WININIT.INI
[2007/12/27 14:03:29 | 000,000,352 | ---- | C] () -- E:\WINDOWS\LEXSTAT.INI
[2007/10/28 12:48:16 | 000,000,231 | ---- | C] () -- E:\WINDOWS\AC3API.INI
[2007/10/28 12:47:40 | 000,068,908 | ---- | C] () -- E:\WINDOWS\System32\Emu10kx.ini
[2007/10/28 12:47:40 | 000,000,029 | ---- | C] () -- E:\WINDOWS\System32\ctzapxx.ini
[2007/10/28 12:47:35 | 000,005,515 | ---- | C] () -- E:\WINDOWS\System32\ENSDEF.INI
[2007/10/28 12:47:35 | 000,000,194 | ---- | C] () -- E:\WINDOWS\System32\KILL.INI
[2007/10/28 12:45:33 | 000,000,136 | ---- | C] () -- E:\WINDOWS\SBWIN.INI
[2007/10/28 10:21:55 | 000,000,000 | ---- | C] () -- E:\WINDOWS\ATIMMC.INI
[2007/10/27 19:03:15 | 000,363,520 | ---- | C] () -- E:\WINDOWS\System32\psisdecd.dll
[2007/10/27 12:59:58 | 000,000,169 | ---- | C] () -- E:\WINDOWS\RtlRack.ini
[2007/10/27 12:11:20 | 000,207,360 | ---- | C] () -- E:\Documents and Settings\Daniel Bright\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/27 11:40:47 | 000,000,164 | ---- | C] () -- E:\WINDOWS\avrack.ini
[2007/10/27 11:26:43 | 000,032,768 | R--- | C] () -- E:\WINDOWS\System32\idecoi.dll
[2007/10/26 19:22:33 | 000,045,056 | -H-- | C] () -- E:\Documents and Settings\Daniel Bright\ntuser.dat.LOG
[2007/10/26 19:22:33 | 000,000,178 | -HS- | C] () -- E:\Documents and Settings\Daniel Bright\ntuser.ini
[2007/10/26 19:22:32 | 006,291,456 | -H-- | C] () -- E:\Documents and Settings\Daniel Bright\NTUSER.DAT
[2007/10/26 19:21:20 | 000,262,144 | -H-- | C] () -- E:\Documents and Settings\LocalService\NTUSER.DAT
[2007/10/26 19:21:20 | 000,008,192 | -H-- | C] () -- E:\Documents and Settings\LocalService\ntuser.dat.LOG
[2007/10/26 19:21:20 | 000,000,020 | -HS- | C] () -- E:\Documents and Settings\LocalService\ntuser.ini
[2007/10/26 19:21:13 | 000,000,020 | -HS- | C] () -- E:\Documents and Settings\NetworkService\ntuser.ini
[2007/10/26 19:21:12 | 000,262,144 | -H-- | C] () -- E:\Documents and Settings\NetworkService\NTUSER.DAT
[2007/10/26 19:21:12 | 000,008,192 | -H-- | C] () -- E:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2007/10/26 15:01:32 | 000,057,600 | ---- | C] () -- E:\WINDOWS\System32\drivers\redbook.sys

========== LOP Check ==========

[2007/12/10 18:39:39 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\.BitTornado
[2010/06/04 21:40:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\532A75910DFF9BF8D9AD891EA49BA1EB
[2007/11/21 06:40:23 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\acccore
[2007/11/21 06:27:22 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Aim
[2009/04/27 22:12:27 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Amazon
[2009/02/21 14:07:28 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Atari
[2010/04/29 15:48:40 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Canon
[2008/04/19 11:36:02 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\CDBurnerXP_Soft
[2007/12/27 21:19:35 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\DAEMON Tools
[2008/04/01 19:30:44 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\gtk-2.0
[2009/02/21 14:06:11 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Leadertech
[2009/11/08 12:26:02 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\LimeWire
[2007/10/27 12:17:14 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Netscape
[2007/12/01 16:42:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Daniel Bright\Application Data\Viewpoint
[2010/06/04 21:45:57 | 000,000,438 | -H-- | M] () -- E:\WINDOWS\Tasks\User_Feed_Synchronization-{DA8277CF-BDF2-4FB2-AE41-259844296522}.job
[2010/06/04 22:57:52 | 000,000,296 | ---- | M] () -- E:\WINDOWS\Tasks\vkyqzdwx.job

========== Purity Check ==========


< End of report >

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 10 June 2010 - 11:40 AM

Hello again,

It seems we are dealing with a rootkit here. Let's first see if we can find a replacement copy for the infected file.

Rerun OTLPE and copy/paste the following text into the "custom scan/fix" field. Click the NONE button and then the Run Scan button. Post me the resulting log please.
CODE
    /md5start
    redbook.sys
    /md5stop

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
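What the /md5start directive asks OTLPE to do, as an added illustration that is neither OTL's code nor part of Elise's post: hash every copy of the named file found under a root and flag the copy whose hash disagrees with the rest, so that an intact copy (typically from dllcache or ServicePackFiles) can be identified as a replacement. The directory tree, file contents and Windows paths below are constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample tree standing in for the places a Windows XP install keeps copies of a driver.
SAMPLE_FILES = {
    "WINDOWS/System32/drivers/redbook.sys": b"clean driver bytes",
    "WINDOWS/System32/dllcache/redbook.sys": b"clean driver bytes",
    "WINDOWS/ServicePackFiles/i386/redbook.sys": b"clean driver bytes",
    "WINDOWS/System32/drivers/other.sys": b"unrelated",
}

def md5_of_file(path, chunk=65536):
    """MD5 of a file, streamed so a large driver need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def md5_report(root, name):
    """Group every file called `name` under root by MD5: {md5: [relative paths]}."""
    groups = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                groups[md5_of_file(p)].append(os.path.relpath(p, root).replace(os.sep, "/"))
    return dict(groups)

def find_outliers(report):
    """Copies whose hash disagrees with the majority; the majority copies are replacement candidates."""
    if len(report) <= 1:
        return []
    majority = max(report, key=lambda h: len(report[h]))
    return sorted(p for h, ps in report.items() if h != majority for p in ps)

def demo(infected=True):
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        if infected:  # simulate the rootkit-patched copy in the live drivers directory
            with open(os.path.join(root, "WINDOWS/System32/drivers/redbook.sys"), "wb") as f:
                f.write(b"patched driver bytes")
        report = md5_report(root, "redbook.sys")
        return report, find_outliers(report)
```

On a real system the same comparison is only meaningful when the hashes are also checked against a known-good reference, since a rootkit can patch every copy it can reach.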
