Antimalware Doctor - followed instructions but still having problems


  • This topic is locked
39 replies to this topic

#1 cantor

cantor

  • Members
  • 18 posts
  • OFFLINE
  • Local time: 02:20 AM

Posted 27 August 2010 - 12:40 AM

Hi

First time here. I recently got infected by the antimalware doctor virus. I followed the solution provided on this website

http://www.bleepingcomputer.com/virus-remo...imalware-doctor
I then rebooted and this time I had the antivirus 2010 malware virus. I again used malwarebytes antimalware software. I then downloaded avg free. The resident shield alert is saying there is a multiple threat detected.

"c:\WINDOWS\system32\winlogon.exe";"Virus identified Win32/Patched.FM";"Object is white-listed (critical/system file that should not be removed)"
"c:\WINDOWS\explorer.exe";"Virus identified Win32/Patched.FL";"Object is white-listed (critical/system file that should not be removed)"
I ran malwarebytes antimalware software for a third time. However the avg resident shield alert is still saying the same thing. I have tried to follow the instructions to prepare this post. However I am having difficulty at the gmer stage. I download the program and run it, but after a few minutes everything on my computer freezes and it shuts down. I have tried this a few times now. I have therefore only been able to upload the dds and attach logs.
From looking at the Malwarebytes logs, it seems to me that
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
is not being deleted when I reboot. Here are the three logs I got when I ran malwarebytes antimalware software. Can someone please help me?

First scan
Scan type: Full scan (C:\|D:\|)
Objects scanned: 305072
Time elapsed: 2 hour(s), 48 minute(s), 46 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 10
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 103

Memory Processes Infected:
C:\WINDOWS\taskmgr.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\taskmgr.exe (Malware.Packer.Gen) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\mcaptup6.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\nhni.goo (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\zk41q3daz.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-33cf-aax5-35gx1c642122} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srenum (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trawgd327uhf838jdfdsfdfds (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trawgd327uhf838jdfdsfdfds (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isutegobeyeyo (Trojan.Hiloti) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b4ba40a2-75f1-51bd-f413-04b15a2c8953} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haw389r7uifhdfigdhudf (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfio38fiosfh398rfisjhkdsfd (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newsecureapp70700.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nhni.goo mgxaig) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Delete on reboot.

Files Infected:
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe (Generic.Bot.H) -> Delete on reboot.
C:\WINDOWS\taskmgr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\mcaptup6.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\nhni.goo (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zk41q3daz.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\vr8om12j4g.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\hexdump.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\25A7F648335CC2C91AF3D00AE4DF469D\newsecureapp70700.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\bclwnpwyq\ibyygtashdw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\0.04762531653689528.exe (Trojan.Sasfis) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\34.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\c1678eby9.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\kcu457.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\login.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\lphtn.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\lsass.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\lvj1k.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\mca3sz.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\mdm.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\mkcxhunr.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\notepad.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\nvsvc32.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\oljnco7w.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\pxc0ymftp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\r0ikof5s9lmd1.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\r7dpo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\sysedit.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\system.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\taskmgr.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\user.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\esvclgp98.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\iexplarer.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\install.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\423905828.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\9.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\ajrnsm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\amnocxserw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\avp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\avp32.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\16F.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\170.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\171.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\173.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\1746594782.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\2121580242.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\2175798992.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\2245642742.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\33.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\win.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\winamp.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\winlogon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\wtpvaae.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\xe4pmuj.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\xjoqojgw.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\ytz2jog86.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\zbfo9kx625qrnku.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\bcgnl.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\sjofqmrjx002cm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\smss.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\cmd.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\cnoxmeasrw.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\csrss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\debug.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\drweb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\e4c90dglh5a.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\user.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplarer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\install.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\nvsvc32.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\debug.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\drweb.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\win32.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\wininst.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\avp32.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\cmd.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\services.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\setup.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\spoolsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\mdm.exe (Malware.Packer.Gen) -> Delete on reboot.
C:\WINDOWS\system32\f4uol.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vo72hkj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\e8s6hnsv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tj3ws6ut4.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uo48pi9s.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1955780828.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\98469782.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\spoolsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sysedit.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winamp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srenum.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\services.exe (Password.Stealer) -> Delete on reboot.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.


Second scan
Scan type: Full scan (C:\|D:\|)
Objects scanned: 305289
Time elapsed: 2 hour(s), 21 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Userinit (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000064 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000065 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000066 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000067 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000068 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\4109367352.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\4137168958.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\489469088.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\1574890616.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\1603785972.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\2272314292.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\2372615898.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\3336943676.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\3360839032.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\win32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\gdi32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\hexdump.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\win.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

Third scan

Scan type: Full scan (C:\|D:\|)
Objects scanned: 304186
Time elapsed: 2 hour(s), 21 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\mrnascwoex.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

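What cantor spotted by eye across the three scans above (the NoFolderOptions policy value is scheduled for "Delete on reboot" every time, and us?rinit.exe is back in the third scan after being quarantined in the second) is the first thing a responder checks when comparing repeated scan runs: an item that survives a scheduled delete, or reappears after removal, points at something still active that recreates it, and that is what needs finding rather than the item itself. The Python script below is an added example for this thread, not part of cantor's post or of Malwarebytes. The log text embedded in it is a constructed, trimmed copy of the three logs above; the "--- scan N ---" separators are an assumption of the demo (Malwarebytes writes one log per scan), and the section and entry formats it parses are the ones visible in the logs.

```python
import re
from collections import defaultdict

# Constructed excerpt of the three Malwarebytes logs posted above, trimmed to
# a few entries each. The "--- scan N ---" separators are added for the demo;
# Malwarebytes itself writes one log per scan.
SAMPLE_LOGS = r"""
--- scan 1 ---
Files Infected: 103

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isutegobeyeyo (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nhni.goo mgxaig) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\srenum.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nhni.goo (Backdoor.Bot) -> Quarantined and deleted successfully.

--- scan 2 ---
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Userinit (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

--- scan 3 ---
Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Temp\mrnascwoex.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.
"""

# Entry lines look like "<path> (<detection name>) -> [extra detail ->] <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
# Section headers such as "Files Infected:"; the summary lines carry a count and do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def split_scans(text):
    """Split the combined demo text into one string per scan."""
    parts = re.split(r"^--- scan \d+ ---$", text, flags=re.MULTILINE)
    return [p for p in parts if p.strip()]


def parse_scan(text):
    """Parse one scan log into {section: [(path, detection, action), ...]}."""
    result = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # Data-item lines carry "Bad: (...) Good: (...) -> action"; keep only the final action.
            action = m.group("rest").rsplit(" -> ", 1)[-1].rstrip(".")
            result[section].append((m.group("path"), m.group("detection"), action))
    return dict(result)


def recurring_items(scans):
    """Map each path seen in more than one scan to its [(scan_no, action), ...] history."""
    seen = defaultdict(list)
    for n, scan in enumerate(scans, 1):
        for entries in scan.values():
            for path, _detection, action in entries:
                seen[path.lower()].append((n, action))   # Windows paths are case-insensitive
    return {path: hits for path, hits in seen.items() if len(hits) > 1}


def classify_recurring(scans):
    """Label each recurring item by what its history says about persistence."""
    report = {}
    for path, hits in recurring_items(scans).items():
        if hits[0][1] == "Delete on reboot":
            report[path] = "survived scheduled delete-on-reboot"
        else:
            report[path] = "reappeared after removal"
    return report


def analyze(text):
    """Parse every scan in the text and report the items that keep coming back."""
    return classify_recurring([parse_scan(s) for s in split_scans(text)])


if __name__ == "__main__":
    for path, verdict in analyze(SAMPLE_LOGS).items():
        print(f"{verdict}: {path}")
```

Run as-is it reports the two recurring items; point it at a directory of real saved logs by reading each file and calling parse_scan on it, then passing the list to classify_recurring. Entries that appear once and are cleaned are noise for this purpose; the report deliberately lists only what the cleaner could not make stick.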


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  • Gender: Male
  • Location: US
  • Local time: 02:20 PM

Posted 02 September 2010 - 12:33 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the below in bold

    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Push the button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt
Gmer.log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
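Two things in this thread show why Blade's OTL custom scan hashes system files between /md5start and /md5stop: AVG reported winlogon.exe and explorer.exe as Win32/Patched (the legitimate binary altered in place, which is why AVG white-lists it rather than deleting it), and the first Malwarebytes scan also flagged C:\WINDOWS\system32\dllcache\explorer.exe, the Windows File Protection copy that XP would normally restore from, so the local backup had been replaced as well. The Python script below is an added example, not OTL's code and not from Blade's post: it hashes a short watch list of files, compares each against a trusted baseline obtained out of band and against its dllcache copy, and builds a constructed stand-in for the Windows directory in a temporary folder so it runs anywhere. The file names, contents and hashes it uses are constructed for the demo; to use it on a real machine you would point check_integrity at the Windows directory and supply a baseline of hashes taken from known-clean media.

```python
import hashlib
import os
import tempfile

# Files to verify, keyed by name, with the path relative to the Windows directory.
# A small subset of what the /md5start block hashes; these are the ones the
# thread's scanners reported as patched, replaced or tampered with.
WATCHED = {
    "winlogon.exe": ("system32", "winlogon.exe"),
    "explorer.exe": ("explorer.exe",),
    "userinit.exe": ("system32", "userinit.exe"),
}


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(windir, baseline):
    """Compare each watched file with a trusted baseline hash and with its
    Windows File Protection copy under system32\\dllcache.
    Returns {name: {"baseline": ..., "dllcache": ...}}."""
    report = {}
    for name, rel in WATCHED.items():
        live = os.path.join(windir, *rel)
        cached = os.path.join(windir, "system32", "dllcache", name)
        if not os.path.isfile(live):
            report[name] = {"baseline": "missing", "dllcache": "missing"}
            continue
        digest = sha256_file(live)
        expected = baseline.get(name)
        if expected is None:
            baseline_state = "unknown"        # no trusted hash available for this file
        elif digest == expected:
            baseline_state = "ok"
        else:
            baseline_state = "MODIFIED"       # the in-place patch AVG reported looks like this
        if os.path.isfile(cached):
            cache_state = "match" if sha256_file(cached) == digest else "DIFFERS"
        else:
            cache_state = "missing"
        report[name] = {"baseline": baseline_state, "dllcache": cache_state}
    return report


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_demo_tree():
    """Build a constructed stand-in for the Windows directory in a temp folder.
    Returns (windir, baseline), where baseline holds the hashes of the clean images."""
    windir = tempfile.mkdtemp(prefix="demo_windows_")
    os.makedirs(os.path.join(windir, "system32", "dllcache"))
    clean = {  # constructed file contents standing in for the real binaries
        "winlogon.exe": b"clean winlogon image",
        "explorer.exe": b"clean explorer image",
        "userinit.exe": b"clean userinit image",
    }
    baseline = {name: hashlib.sha256(data).hexdigest() for name, data in clean.items()}
    # winlogon.exe: untouched, with an intact dllcache copy.
    _write(os.path.join(windir, "system32", "winlogon.exe"), clean["winlogon.exe"])
    _write(os.path.join(windir, "system32", "dllcache", "winlogon.exe"), clean["winlogon.exe"])
    # explorer.exe: patched, and the dllcache copy replaced with the same patched
    # image, as the first Malwarebytes scan in the thread found.
    patched = b"patched explorer image"
    _write(os.path.join(windir, "explorer.exe"), patched)
    _write(os.path.join(windir, "system32", "dllcache", "explorer.exe"), patched)
    # userinit.exe: not written at all, so it shows up as missing.
    return windir, baseline


if __name__ == "__main__":
    windir, baseline = build_demo_tree()
    for name, state in check_integrity(windir, baseline).items():
        print(f"{name:14} baseline={state['baseline']:9} dllcache={state['dllcache']}")
```

The explorer.exe row is the point of the demo: its dllcache comparison reports "match" even though the file is modified, because the cache was replaced along with it. A check that only trusts what is on the disk being examined would pass it; only the baseline taken from elsewhere catches it, which is why the OTL hashes are meant to be compared against clean references rather than against the machine's own copies.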


#3 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time: 02:20 AM

Posted 02 September 2010 - 08:41 PM

Sorry about those last posts. After I selected "add reply" the web browser was saying that the web page was unavailable. I also think that not all of the logs are in those replies. I've just uploaded them as attachments in this reply.

OTL logfile created on: 9/2/2010 10:05:23 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 295.51 Gb Total Space | 76.40 Gb Free Space | 25.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEIL-3671146A11
Current User Name: Neil
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/02 22:02:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\OTL.exe
PRC - [2010/08/18 09:58:17 | 000,945,720 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/07/23 10:06:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/11 00:54:32 | 000,408,936 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
PRC - [2009/10/29 14:24:17 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/12/09 18:40:16 | 000,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe
PRC - [2008/12/09 18:40:16 | 000,234,888 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
PRC - [2008/11/13 09:33:54 | 000,097,128 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
PRC - [2008/04/14 20:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/27 16:43:34 | 000,118,784 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
PRC - [2007/07/03 13:57:38 | 001,228,800 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/05/17 15:43:18 | 000,568,176 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/05/10 01:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\OEM02Mon.exe
PRC - [2007/05/06 17:10:52 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 11:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 11:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 11:13:26 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2006/11/02 14:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe


========== Modules (SafeList) ==========

MOD - [2010/09/02 22:02:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\OTL.exe
MOD - [2009/10/29 14:24:52 | 000,102,400 | ---- | M] (RealPlayer) -- c:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll
MOD - [2009/08/13 21:55:04 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
MOD - [2008/04/14 20:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/07/03 13:56:56 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2007/05/17 14:33:10 | 000,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2007/05/17 14:31:18 | 000,040,960 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2003/03/19 04:14:52 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2003/02/21 12:42:22 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/12/09 18:40:16 | 000,464,264 | ---- | M] () [Auto | Running] -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService)
SRV - [2008/12/09 18:40:16 | 000,234,888 | ---- | M] () [Auto | Running] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - [2010/08/29 07:46:55 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\gozheik.sys -- (gozheik)
DRV - [2009/10/29 15:32:23 | 000,020,480 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisrd.sys -- (ndisrd)
DRV - [2008/04/14 20:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/06/06 16:07:00 | 006,349,696 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/05/10 01:01:00 | 000,235,584 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/05/06 17:12:00 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/04/27 15:37:24 | 000,202,912 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/03/31 13:02:42 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/03/23 10:50:42 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/03/06 04:09:52 | 000,172,561 | R--- | M] (Roland Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rdwm1046.sys -- (RDID1046)
DRV - [2007/03/05 18:45:00 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2007/02/25 06:05:24 | 002,203,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/02/21 11:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/11/21 04:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 00:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 19:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 18:47:36 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 18:47:00 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/11/02 18:46:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/11/02 12:31:38 | 000,103,168 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec02.sys -- (DXEC02)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\..\URLSearchHook: {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll ()
IE - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com.au"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/27 07:27:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/27 07:27:24 | 000,000,000 | ---D | M]

[2010/08/27 07:27:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Mozilla\Extensions
[2010/08/27 07:30:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Mozilla\Firefox\Profiles\5t06m6g8.default\extensions
[2010/08/27 07:30:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Mozilla\Firefox\Profiles\5t06m6g8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/27 07:27:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/06/21 22:24:56 | 000,283,952 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
[2008/06/30 21:02:00 | 000,663,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2008/04/14 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [ecaworsxmn.tmp] C:\DOCUME~1\NEIL~1.NEI\LOCALS~1\Temp\ecaworsxmn.tmp File not found
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [orcsxweman.tmp] C:\DOCUME~1\NEIL~1.NEI\LOCALS~1\Temp\orcsxweman.tmp File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-854245398-1336601894-1801674531-1003..\Run: [DELL Webcam Manager] C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-1336601894-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{08e147b2-fa7d-11de-9afc-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{08e147b2-fa7d-11de-9afc-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{24375374-5c91-11de-98e3-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{24375374-5c91-11de-98e3-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{53223de9-e625-11de-9ad9-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{53223de9-e625-11de-9ad9-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{67d10cfc-a290-11de-9a23-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{67d10cfc-a290-11de-9a23-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{73186f80-5bd0-11de-98dd-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{73186f80-5bd0-11de-98dd-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{84636576-bc72-11de-9a69-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{84636576-bc72-11de-9a69-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{d53538a4-5af3-11de-98d6-001d09b0460c}\Shell\AutoRun\command - "" = E:\umenu.exe -- File not found
O33 - MountPoints2\{d53538a5-5af3-11de-98d6-001d09b0460c}\Shell\AutoRun\command - "" = E:\umenu.exe -- File not found
O33 - MountPoints2\{da15a6b8-7899-11de-9964-001d09b0460c}\Shell\AutoRun\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O33 - MountPoints2\{da15a6b8-7899-11de-9964-001d09b0460c}\Shell\open\command - "" = E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/09/02 22:02:47 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\OTL.exe
[2010/08/27 10:29:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/27 08:49:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/27 08:49:15 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/27 08:49:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/27 07:43:32 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/08/27 07:43:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2010/08/26 22:56:57 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/08/26 13:50:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Malwarebytes
[2010/08/26 13:50:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/08/26 06:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\bclwnpwyq
[2010/08/26 06:40:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Windows Server
[2010/08/26 06:40:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\25A7F648335CC2C91AF3D00AE4DF469D
[2010/08/24 21:52:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\phd copy
[2010/08/11 22:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Job details - Macquarie Group_files
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/02 22:03:19 | 000,041,223 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/09/02 22:02:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\OTL.exe
[2010/09/02 21:56:59 | 000,029,354 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Hello.docx
[2010/09/02 21:56:59 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\~$Hello.docx
[2010/09/02 21:49:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/02 21:49:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/02 21:49:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/02 17:12:52 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\NTUSER.DAT
[2010/09/02 16:36:00 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003UA.job
[2010/09/02 14:11:08 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/08/31 21:52:36 | 000,097,792 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/30 19:06:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/30 10:20:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/29 07:46:56 | 000,000,954 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003Core.job
[2010/08/29 07:46:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\gozheik.sys
[2010/08/27 12:33:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\defogger_reenable
[2010/08/27 12:25:51 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/27 12:25:51 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/27 12:25:51 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/27 08:49:18 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/27 07:32:24 | 000,002,395 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Google Chrome.lnk
[2010/08/27 07:32:24 | 000,002,373 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/08/27 07:27:26 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/27 07:27:26 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/08/26 23:28:25 | 000,010,818 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\.wtav
[2010/08/26 06:41:14 | 000,000,120 | ---- | M] () -- C:\WINDOWS\atacudezenoco.dll
[2010/08/24 21:16:40 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2010/08/12 16:53:33 | 000,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/12 09:12:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/11 22:55:04 | 000,017,163 | ---- | M] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Job details - Macquarie Group.htm
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/02 21:56:59 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\~$Hello.docx
[2010/09/02 21:56:58 | 000,029,354 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Hello.docx
[2010/08/27 12:33:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\defogger_reenable
[2010/08/27 08:49:18 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/27 07:32:24 | 000,002,395 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Google Chrome.lnk
[2010/08/27 07:32:24 | 000,002,373 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/08/27 07:31:20 | 000,001,006 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003UA.job
[2010/08/27 07:31:18 | 000,000,954 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003Core.job
[2010/08/27 07:27:26 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/08/27 07:27:26 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/08/26 23:10:59 | 000,010,818 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\.wtav
[2010/08/26 06:41:14 | 000,000,120 | ---- | C] () -- C:\WINDOWS\atacudezenoco.dll
[2010/08/26 06:40:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\gozheik.sys
[2010/08/11 22:55:03 | 000,017,163 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\Job details - Macquarie Group.htm
[2010/05/23 17:06:10 | 000,031,862 | R--- | C] () -- C:\WINDOWS\System32\RdCi1046.dll
[2009/06/18 12:52:36 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHealr.dll
[2009/06/17 15:44:33 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/06/17 10:55:45 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/17 10:55:45 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/17 10:55:44 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/17 10:55:43 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/06/17 10:17:59 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2009/06/16 14:51:01 | 000,097,792 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/16 14:26:22 | 000,000,081 | ---- | C] () -- C:\Documents and Settings\Neil.NEIL-3671146A11\Local Settings\Application Data\FASTWiz.log
[2008/04/14 20:00:00 | 000,528,816 | ---- | C] () -- C:\WINDOWS\System32\mstaseow.dll
[2007/05/17 14:52:30 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/05/17 14:23:20 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 12:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 12:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/05/12 19:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2007/12/16 20:43:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/08/27 12:19:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2009/06/17 16:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
[2009/06/21 22:26:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Musicnotes
[2009/10/01 11:23:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/17 12:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/08/26 06:41:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\25A7F648335CC2C91AF3D00AE4DF469D
[2010/08/31 21:53:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Azureus
[2010/05/23 16:58:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Cakewalk
[2009/09/14 16:48:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\ieSpell
[2009/06/19 20:12:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\MSNInstaller
[2010/08/24 21:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\SSH
[2009/08/19 09:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\Thunderbird
[2009/06/17 11:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\tmp
[2009/06/23 22:35:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Neil.NEIL-3671146A11\Application Data\WinShell

========== Purity Check ==========



========== Custom Scans ==========


< netsvc >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2008/04/14 20:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2008/04/14 20:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 20:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0027\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0028\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 20:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 20:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/02/12 13:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\dell\drivers\R154200\iastor.sys
[2007/05/08 20:22:56 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\drivers\storage\R154200\iastor.sys
[2007/05/08 20:22:58 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\i386\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 20:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 20:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2008/04/14 20:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 20:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/06/16 20:56:56 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/06/16 20:56:56 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/06/16 20:56:56 | 000,937,984 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Files - Unicode (All) ==========
[2008/04/14 20:00:00 | 000,119,808 | ---- | M] ()(C:\WINDOWS\System32\us?rinit.exe) -- C:\WINDOWS\System32\usеrinit.exe
[2008/04/14 20:00:00 | 000,119,808 | ---- | C] ()(C:\WINDOWS\System32\us?rinit.exe) -- C:\WINDOWS\System32\usеrinit.exe
< End of report >


***************************************************

OTL Extras logfile created on: 9/2/2010 10:05:23 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 295.51 Gb Total Space | 76.40 Gb Free Space | 25.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEIL-3671146A11
Current User Name: Neil
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{29087C1B-1637-1A71-A4ED-40F544419092}" = Antivirus 2010
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{73AAEC5C-BA64-4655-A7B7-67874574530B}" = e-tax 2009
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}" = IntelliSonic Speech Enhancement
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FBE569CA-BFEB-4E57-A674-F94D938E1AEF}" = e-tax 2010
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"Ask Toolbar_is1" = Vuze Toolbar
"Cakewalk VST Adapter 4" = Cakewalk VST Adapter 4
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Creative OEM002" = Laptop Integrated Webcam Driver (1.02.01.0612)
"DELL Webcam Center" = DELL Webcam Center
"DELL Webcam Manager" = DELL Webcam Manager
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DreamStation DXi2" = DreamStation DXi2
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GPL Ghostscript 8.63" = GPL Ghostscript 8.63
"GSview 4.9" = GSview 4.9
"ie8" = Windows Internet Explorer 8
"ieSpell" = ieSpell
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MiKTeX 2.7" = MiKTeX 2.7
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel® PROSet/Wireless Software
"RealPlayer 12.0" = RealPlayer
"SONAR LE" = SONAR LE
"SynTPDeinstKey" = Dell Touchpad
"VLC media player" = VLC media player 1.0.2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinShell_is1" = WinShell

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-854245398-1336601894-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2010 1:11:43 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/2/2010 1:11:43 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/2/2010 3:38:05 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/2/2010 3:38:05 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/2/2010 3:38:05 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 9/2/2010 3:38:06 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/2/2010 3:38:06 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/2/2010 9:52:54 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 9/2/2010 10:03:16 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 9/2/2010 10:03:17 AM | Computer Name = NEIL-3671146A11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ OSession Events ]
Error - 10/13/2009 11:47:58 PM | Computer Name = NEIL-3671146A11 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 139
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/26/2010 9:18:36 PM | Computer Name = NEIL-3671146A11 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 49
seconds with 0 seconds of active time. This session ended with a crash.

Error - 4/10/2010 10:45:51 PM | Computer Name = NEIL-3671146A11 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 54
seconds with 0 seconds of active time. This session ended with a crash.

Error - 5/11/2010 7:49:40 PM | Computer Name = NEIL-3671146A11 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 34
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 9/1/2010 6:26:54 AM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/1/2010 8:28:43 PM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/1/2010 8:28:43 PM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/1/2010 8:30:15 PM | Computer Name = NEIL-3671146A11 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 9/2/2010 1:08:53 AM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/2/2010 1:08:53 AM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/2/2010 9:50:04 AM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/2/2010 9:50:04 AM | Computer Name = NEIL-3671146A11 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/2/2010 10:05:46 AM | Computer Name = NEIL-3671146A11 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 9/2/2010 10:05:46 AM | Computer Name = NEIL-3671146A11 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

***************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-02 23:15:37
Windows 5.1.2600 Service Pack 3
Running: 882urufe.exe; Driver: C:\DOCUME~1\NEIL~1.NEI\LOCALS~1\Temp\kwnyrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8F6A360, 0x2F26B7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[348] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[348] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[348] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
? C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1232] C:\WINDOWS\system32\SHLWAPI.dll IMAGE_DOS_SIGNATURE not found;
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1644] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[2236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\wuauclt.exe[2236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\wuauclt.exe[2236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
? C:\WINDOWS\system32\wscntfy.exe[2612] C:\WINDOWS\system32\ADVAPI32.dll IMAGE_DOS_SIGNATURE not found;
? C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2900] C:\WINDOWS\system32\ADVAPI32.dll IMAGE_DOS_SIGNATURE not found;

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


Edited by Blade Zephon, 04 September 2010 - 10:19 PM.
Copied logs into reply body. ~BZ


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  • Gender:Male
  • Location:US
  • Local time:02:20 PM

Posted 04 September 2010 - 10:20 PM

Hello.

I removed your duplicate posts, no worries.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 06 September 2010 - 12:13 AM

Hi Blade

I've run the ComboFix and attached the text file. My computer seems to be running a bit smoother now, but it's stopped doing a few things. I can't connect to the internet any more and there is no audio either. With regard to the internet, I think I need to reinstall the wireless driver. I think I need to reinstall some sort of audio driver as well. I have the CD with all the drivers on it that came with the computer when I bought it. I didn't want to go ahead and do that though just yet in case the virus is still around.

ComboFix 10-09-04.06 - Neil 09/06/2010 8:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2704 [GMT 8:00]
Running from: c:\documents and settings\Neil.NEIL-3671146A11\Desktop\renamed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\.wtav
c:\documents and settings\Neil.NEIL-3671146A11\Application Data\25A7F648335CC2C91AF3D00AE4DF469D
c:\documents and settings\Neil.NEIL-3671146A11\Application Data\25A7F648335CC2C91AF3D00AE4DF469D\enemies-names.txt
c:\documents and settings\Neil.NEIL-3671146A11\Application Data\25A7F648335CC2C91AF3D00AE4DF469D\local.ini
c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Windows Server
c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Windows Server\uses32.dat
c:\program files\AskSearch\bin\DefaultSearch.dll
C:\restore
c:\windows\atacudezenoco.dll
c:\windows\system32\driVERs\gozheik.sys
c:\windows\system32\USRINI~1.EXE

c:\windows\system32\drivers\gozheik.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USERINIT
-------\Service_ndisrd
-------\Legacy_gozheik
-------\Service_gozheik


((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-08-30 02:19 . 2010-08-30 02:20 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-08-27 02:29 . 2010-08-27 02:29 -------- d-----w- c:\windows\system32\NtmsData
2010-08-27 00:49 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-27 00:49 . 2010-08-27 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 00:49 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-26 23:43 . 2010-08-26 23:43 -------- d-----w- c:\program files\AVG
2010-08-26 23:43 . 2010-08-27 04:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2010-08-26 05:50 . 2010-08-26 05:50 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Malwarebytes
2010-08-26 05:50 . 2010-08-26 05:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-08-25 23:48 . 2010-08-25 23:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-25 23:48 . 2010-08-25 23:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-08-25 23:44 . 2010-08-25 23:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2010-08-25 22:55 . 2010-08-25 22:55 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-08-25 22:41 . 2010-08-26 14:55 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\bclwnpwyq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 13:53 . 2009-06-17 08:19 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Azureus
2010-08-30 05:49 . 2009-10-26 13:31 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\vlc
2010-08-30 02:20 . 2009-09-08 11:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-27 00:00 . 2007-12-16 12:39 -------- d-----w- c:\program files\Google
2010-08-24 15:16 . 2009-06-17 04:18 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Skype
2010-08-24 13:49 . 2009-06-18 06:28 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\SSH
2010-08-12 01:11 . 2009-06-17 06:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-08-09 14:14 . 2009-05-12 11:12 -------- d-----w- c:\program files\Vuze
2010-06-30 12:31 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-14 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-06-16 06:11 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-06-17 03:20 . 2009-06-17 03:20 76 --sh--r- c:\windows\CT4CET.bin
.

------- Sigcheck -------

[-] 2008-04-14 . 020DB801C09BC7D96126002C15BE7979 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 51B42C4BB7C170C2BB338D87471F2B83 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-19 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8433664]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-29 198160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [5/12/2009 7:12 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/12/2009 7:13 PM 234888]
S3 RDID1046;EDIROL UA-25;c:\windows\system32\drivers\Rdwm1046.sys [5/23/2010 5:06 PM 172561]
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003Core.job
- c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 10:55]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003UA.job
- c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 10:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Mozilla\Firefox\Profiles\5t06m6g8.default\
FF - prefs.js: browser.startup.homepage - google.com.au
FF - plugin: c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 09:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A460EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(516)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(996)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-06 09:21:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 01:20

Pre-Run: 81,885,065,216 bytes free
Post-Run: 87,311,642,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 91AA9ED09369CA2ADEA67779902D9289


Edited by Blade Zephon, 07 September 2010 - 08:45 AM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!
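Two blocks in the logs above are the kind of output a helper reads by eye: the GMER "Disk sectors" listing (every sector from 01 to 63 holds a copy of the MBR, and sectors 10, 57 and 63 carry the extra "rootkit-like behavior" tag) and the Stealth MBR detector section inside the ComboFix log (an unattributed `>>UNKNOWN [0x8A460EC5]<<` module on the disk I/O path, three driver-chain entries, and "user & kernel MBR OK"). The following Python script is an added example, not code from the thread or from Gmer, that pulls exactly those facts out of pasted log text so they can be compared across reruns instead of eyeballed. The function names are hypothetical; both samples are constructed from the lines posted above.

```python
"""Triage for the GMER disk-sector listing and the Stealth MBR detector block.

Added example, not code from the thread or from Gmer. Log text is assumed to
be pasted in exactly as posted; function names here are hypothetical.
"""
import re

# Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
_SECTOR_RE = re.compile(
    r"^Disk\s+(?P<device>\\\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<findings>.+)$"
)
# called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A460EC5]<<
_UNKNOWN_RE = re.compile(r">>UNKNOWN\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
# \Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28   (under "detected MBR rootkit hooks:")
_HOOK_RE = re.compile(
    r"^(?P<target>\\Driver\\\S+)\s+->\s+(?P<module>\S+)\s+@\s+(?P<addr>0x[0-9A-Fa-f]+)"
)

# Constructed sample: the 63 sector lines from the GMER log above, with the
# "rootkit-like behavior" tag on sectors 10, 57 and 63 as posted.
SAMPLE_GMER = "\n".join(
    "Disk \\Device\\Harddisk0\\DR0 sector %02d: %scopy of MBR"
    % (s, "rootkit-like behavior; " if s in (10, 57, 63) else "")
    for s in range(1, 64)
)

# Constructed sample: the Stealth MBR detector block from the ComboFix log above.
SAMPLE_MBR = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A460EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
user & kernel MBR OK
"""


def parse_disk_sectors(text):
    """Map sector number -> list of findings for each 'Disk ... sector N:' line."""
    sectors = {}
    for line in text.splitlines():
        m = _SECTOR_RE.match(line.strip())
        if m:
            sectors[int(m.group("sector"))] = [
                f.strip() for f in m.group("findings").split(";")
            ]
    return sectors


def flagged_sectors(text):
    """Sectors GMER tagged 'rootkit-like behavior', ascending."""
    return sorted(s for s, f in parse_disk_sectors(text).items()
                  if any("rootkit-like" in x for x in f))


def mbr_copies(text):
    """Sectors holding a copy of the MBR: common on OEM disks, but also where a
    bootkit parks the original MBR, so list them next to the flagged ones."""
    return sorted(s for s, f in parse_disk_sectors(text).items()
                  if "copy of MBR" in f)


def mbr_detector_findings(text):
    """The actionable bits of the detector block: any >>UNKNOWN [addr]<< module
    on the disk I/O path, the driver-chain entries printed, and whether the
    user-mode and kernel-mode MBR reads agreed."""
    hooks = []
    for line in text.splitlines():
        m = _HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return {
        "unknown_modules": [m.group("addr") for m in _UNKNOWN_RE.finditer(text)],
        "hooks": hooks,
        "mbr_ok": "user & kernel MBR OK" in text,
    }


def summarize(gmer_text, mbr_text):
    """One line per finding, in the form a helper could paste into a reply."""
    lines = []
    flagged = flagged_sectors(gmer_text)
    if flagged:
        lines.append("GMER flagged sectors: " + ", ".join(map(str, flagged)))
    lines.append("sectors holding an MBR copy: %d" % len(mbr_copies(gmer_text)))
    f = mbr_detector_findings(mbr_text)
    for addr in f["unknown_modules"]:
        lines.append("MBR detector: unattributed module on disk path at " + addr)
    lines.append("MBR detector: user/kernel MBR " + ("OK" if f["mbr_ok"] else "MISMATCH"))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_GMER, SAMPLE_MBR)))
```

On the samples above this reports sectors 10, 57 and 63 as flagged, 63 sectors holding an MBR copy, one unattributed module at 0x8A460EC5, and the MBR itself reading the same from user and kernel mode. That last combination (the MBR looks clean, but something the tool cannot name sits on the path between disk.sys and the hardware) is what justifies an MBR-specific follow-up such as the MBRCheck run the helper asks for next; the script only surfaces it and makes no verdict.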


#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  • Gender:Male
  • Location:US
  • Local time:02:20 PM

Posted 07 September 2010 - 08:52 AM

Hi cantor

ComboFix reports infected system files. This could indicate a file infector, which can be serious. We need to investigate.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link--> Virustotal

When the VirusTotal page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
c:\windows\system32\drivers\gozheik.sys

Please post back the URL of the results page for each file in your next post.

If VirusTotal is busy, try the same at Jotti

***************************************************

Please download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (With Vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • A log named MBRcheck will be on your desktop
  • Copy and paste that log in your next reply

~Blade


In your next reply, please include the following:
VirusTotal result URLs (3)
MBRCheck Log

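The post above asks for three files to be uploaded to VirusTotal by hand, and post #8 below runs into the obvious snag: one of them has already been moved into ComboFix's quarantine. The following Python script is an added example, not the helper's procedure and not ComboFix's code. It parses the Sigcheck lines from the ComboFix log, hashes whatever copy of each file is on disk, checks that the MD5 still matches the one ComboFix recorded (a mismatch means the file changed after the scan), and builds a VirusTotal hash-lookup URL so a file can be looked up by hash instead of uploaded. Assumptions: the `[-]` marker is treated as "suspect" because on this page it appears only on the two files ComboFix reported infected; the lookup URL form `https://www.virustotal.com/gui/file/<sha256>` is today's, not the 2010 `file-scan/report` form in the thread; the function names, the `demo()` scratch directory and its third probe entry are mine and constructed. Nothing here touches the network.

```python
"""Check the files ComboFix flagged and prepare VirusTotal hash lookups.

Added example, not the helper's procedure and not ComboFix's code. Parses
Sigcheck lines pasted from the log, hashes the on-disk copy, compares the
MD5 with the one ComboFix recorded, and builds a lookup URL. Assumptions:
'[-]' is the suspect marker (on this page it appears only on the two files
ComboFix reported infected); the URL form is today's VirusTotal one, not the
2010 'file-scan/report' form in the thread; names here are hypothetical.
"""
import hashlib
import os
import re
import tempfile

# One ComboFix Sigcheck line, e.g.
# [-] 2008-04-14 . 020DB801C09BC7D96126002C15BE7979 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
_SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# The two Sigcheck lines from the ComboFix log above (copied, not invented).
SAMPLE_SIGCHECK = r"""
[-] 2008-04-14 . 020DB801C09BC7D96126002C15BE7979 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 51B42C4BB7C170C2BB338D87471F2B83 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
"""


def parse_sigcheck(text):
    """One dict per Sigcheck line; 'suspect' is True for the '[-]' marker."""
    entries = []
    for line in text.splitlines():
        m = _SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].lower()
            e["suspect"] = e["flag"] == "-"
            entries.append(e)
    return entries


def hash_file(path, chunk=1 << 20):
    """MD5 and SHA-256 of a file, streamed so a large binary is not read into RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def vt_lookup_url(sha256):
    """Report page for a hash; finds only samples VirusTotal has already seen."""
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def triage(sigcheck_text, resolve=lambda p: p):
    """For each suspect entry: is the file still there, does its MD5 still match
    what ComboFix logged (if not, it changed after the scan), and what URL to
    look it up by. `resolve` maps a logged path to where the copy really is,
    e.g. into C:\\Qoobox\\Quarantine for a file ComboFix moved."""
    results = []
    for e in parse_sigcheck(sigcheck_text):
        if not e["suspect"]:
            continue
        r = {"path": e["path"], "logged_md5": e["md5"], "size": e["size"]}
        real = resolve(e["path"])
        if not os.path.isfile(real):
            r["status"] = "missing"
        else:
            md5, sha256 = hash_file(real)
            r["status"] = "unchanged" if md5 == e["md5"] else "changed"
            r["sha256"] = sha256
            r["vt_url"] = vt_lookup_url(sha256)
        results.append(r)
    return results


def demo():
    """Run triage in a throw-away directory: the two logged paths are redirected
    there (so they come back 'missing'), and a constructed third entry points at
    a probe file whose MD5 matches its logged value (so it is 'unchanged')."""
    with tempfile.TemporaryDirectory() as tmp:
        probe = os.path.join(tmp, "probe.bin")
        with open(probe, "wb") as fh:
            fh.write(b"abc")  # MD5 900150983cd24fb0d6963f7d28e17f72
        text = SAMPLE_SIGCHECK + (
            "[-] 2010-09-06 . 900150983CD24FB0D6963F7D28E17F72 . 3 . . [0.0.0.0] . . c:\\probe.bin\n"
        )

        def resolve(p):
            return probe if p.endswith("probe.bin") else os.path.join(tmp, "absent")

        return triage(text, resolve)
```

Run `triage()` against the real log and the real paths on the infected machine, with `resolve` pointing a moved file at its `.vir` copy under C:\Qoobox\Quarantine. A result of "changed" means the bytes on disk are no longer what ComboFix hashed (for instance because it replaced the file), and "missing" is what a quarantined original returns. A hash lookup only finds samples VirusTotal has already seen; a file nobody has submitted before still has to be uploaded the way the helper asked.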


#7 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 07 September 2010 - 08:38 PM

Hi Blade

I'll try and get those things done. One problem though, my computer isn't connecting to the internet any more. It is saying that a wireless driver is not installed, but even when I try to connect using a cable it still doesn't connect. How should I proceed with regard to the VirusTotal website?


#8 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 08 September 2010 - 12:05 AM

Hi Blade

I've managed to get the drivers reinstalled so that I can connect to the internet. I hope that was okay.

The gozheik.sys file wasn't at that location. I've done a search for a file called "gozheik.sys" and it says it is located at

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\gozheik.sys.vir

Because this is in a quarantine folder I didn't know whether to let virustotal scan it?

Here are the other URLs though.

http://www.virustotal.com/file-scan/report...6d37-1283958720

http://www.virustotal.com/file-scan/report...63ce-1283958775

I've also got the MBRCheck log for you.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 124):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xB9ED9000 sr.sys
0xBA118000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xB91A5000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8B96000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB8B82000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA370000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8B5E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA378000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8B36000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA238000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xBA248000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8B22000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA258000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xB8B0E000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB8ABD000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xBA268000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8A8B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5F4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA380000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA388000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA278000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA288000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA298000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8A68000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA390000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB96A7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB96A3000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB8997000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBA7C9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB969F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8980000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA398000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB896F000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB893F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5F6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB88E1000 \SystemRoot\system32\DRIVERS\update.sys
0xBA564000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1E8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB41AA000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB40B8000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB4005000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA4A0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA650000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB4B8B000 \SystemRoot\System32\Drivers\Null.SYS
0xBA652000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA360000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA368000 \SystemRoot\System32\drivers\vga.sys
0xBA654000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA656000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB695F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB6957000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9A5D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB3F96000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB3F3D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB3F0B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB3EE5000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB6A94000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB3EC3000 \SystemRoot\System32\drivers\afd.sys
0xB6A84000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB3E70000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB3E00000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB6A74000 \SystemRoot\System32\Drivers\Fips.SYS
0xB52C0000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xB3C9A000 \SystemRoot\System32\Drivers\btwusb.sys
0xB3FED000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB3C8A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB3FE5000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB3FE1000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAF165000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAE1C5000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0xBA620000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0xAEF0E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAE959000 \SystemRoot\System32\drivers\Dxapi.sys
0xAF14D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7FE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA450000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAE3F1000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB315E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAA562000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA54A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAA46B000 \SystemRoot\system32\DRIVERS\srv.sys
0xA9FF2000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8791000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
360 C:\WINDOWS\system32\smss.exe
412 csrss.exe
440 C:\WINDOWS\system32\winlogon.exe
496 C:\WINDOWS\system32\services.exe
508 C:\WINDOWS\system32\lsass.exe
676 C:\WINDOWS\system32\svchost.exe
728 svchost.exe
772 C:\WINDOWS\system32\svchost.exe
812 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
876 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1104 C:\WINDOWS\explorer.exe
1228 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1308 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1352 svchost.exe
1408 svchost.exe
1492 C:\WINDOWS\system32\spoolsv.exe
1600 svchost.exe
1644 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1672 C:\Program Files\AskBarDis\bar\bin\AskService.exe
1700 C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
1728 C:\Program Files\Bonjour\mDNSResponder.exe
1792 C:\Program Files\Java\jre6\bin\jqs.exe
1844 C:\WINDOWS\system32\nvsvc32.exe
1888 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1940 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2008 C:\WINDOWS\system32\svchost.exe
2292 alg.exe
2308 C:\WINDOWS\system32\wscntfy.exe
2380 C:\WINDOWS\OEM02Mon.exe
2392 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2404 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
2412 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
2436 C:\WINDOWS\system32\rundll32.exe
2488 C:\WINDOWS\system32\rundll32.exe
2508 C:\Program Files\Dell\QuickSet\quickset.exe
2516 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2544 C:\WINDOWS\system32\KADxMain.exe
2604 C:\Program Files\iTunes\iTunesHelper.exe
2692 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
2716 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2768 C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
2812 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
2912 C:\WINDOWS\system32\ctfmon.exe
3308 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

3464 wmiprvse.exe

3584 C:\Program Files\iPod\bin\iPodService.exe

3940 C:\WINDOWS\system32\wuauclt.exe

1292 C:\Documents and Settings\Neil.NEIL-3671146A11\Desktop\MBRCheck.exe



\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04e71400 (NTFS)



PhysicalDrive0 Model Number: SAMSUNGHM320JI, Rev: 2SS00_01



Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A





Done!

Edited by cantor, 08 September 2010 - 10:22 AM.


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  • Gender:Male
  • Location:US
  • Local time:02:20 PM

Posted 09 September 2010 - 09:11 AM

Hi cantor.

I'm unsure at this point exactly how, but the reason for your internet loss is due to the malware infection. So, for the time being hold off on those VT uploads. This looks to be a newer strain of malware so we're going to have to play it by ear a little here. I definitely don't anticipate something going horribly wrong, but just in case, do you have your Windows reinstallation disks?

***************************************************

Before we continue: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we continue.

2 guidelines when backing up:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar

This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

***************************************************

Let me know when you're ready to continue and we'll get started.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 12 September 2010 - 12:13 AM

Hi Blade

I've got my windows re-installation disc. I've also backed up my files. Let me know what to do next :)



#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  • Gender:Male
  • Location:US
  • Local time:02:20 PM

Posted 16 September 2010 - 03:11 AM

Hi cantor.

Sorry for the delay.

I will reply to this with further instructions shortly.

~Blade



#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  • Gender:Male
  • Location:US
  • Local time:02:20 PM

Posted 16 September 2010 - 09:02 AM

Hi cantor.

Again, sorry for the delay.

Before we begin, please note that I am assuming that your CD drive on this machine is your D:\ drive. If this is NOT the case, please STOP and let me know what letter your CD drive is assigned to.

***************************************************

Please open a Notepad file: (From the Start Menu, click Run and type notepad in the window that appears.)
  • Copy the contents of the below code box into the notepad window.
  • Save the file as fixit.bat on your desktop: (Important! make sure you change the "Save As Type" to "All Files")
    CODE
    @Echo off
    expand D:\i386\winlogon.ex_ C:\winlogon.exe
    expand D:\i386\explorer.ex_ C:\explorer.exe
  • Close the notepad window and click on the fixit.bat file on your Desktop (a window will open and close quickly. This is normal)

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
FCopy::
c:\winlogon.exe c:\windows\system32\winlogon.exe
c:\explorer.exe c:\windows\explorer.exe


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log

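A way to fold the drive-letter caveat above into the script itself, as an added example that is not Blade's fixit.bat and not a BleepingComputer tool: it refuses to expand anything if the cabinets are not where the instructions assume, extracts the clean copies to the same C:\ destinations the instructions use, and then reports whether the live winlogon.exe and explorer.exe differ byte-for-byte from those clean copies. The CDDRIVE variable and the :compare subroutine are this example's own names.

```batch
@echo off
rem Added example, not the fixit.bat from the instructions.
rem Checks the assumptions before expanding, then compares the live system
rem files against the clean copies pulled off the Windows CD.
rem CDDRIVE is an assumption: change it if the CD drive is not D:.
setlocal
set CDDRIVE=D:

if not exist "%CDDRIVE%\i386\winlogon.ex_" (
    echo %CDDRIVE%\i386\winlogon.ex_ not found. Is the Windows CD in %CDDRIVE%?
    goto :end
)
if not exist "%CDDRIVE%\i386\explorer.ex_" (
    echo %CDDRIVE%\i386\explorer.ex_ not found. Is the Windows CD in %CDDRIVE%?
    goto :end
)

rem Extract clean copies to C:\, the same destinations the instructions use.
rem Nothing under C:\WINDOWS is touched by this script.
expand "%CDDRIVE%\i386\winlogon.ex_" C:\winlogon.exe
expand "%CDDRIVE%\i386\explorer.ex_" C:\explorer.exe

rem Compare each live file with its clean copy.
call :compare C:\winlogon.exe C:\WINDOWS\system32\winlogon.exe
call :compare C:\explorer.exe C:\WINDOWS\explorer.exe
goto :end

:compare
rem fc /b is a byte-for-byte compare: errorlevel 0 = identical,
rem 1 = the files differ, 2 = a file could not be opened.
fc /b "%~1" "%~2" >nul
if errorlevel 2 (
    echo ERROR:   could not open %~1 or %~2
) else if errorlevel 1 (
    echo DIFFERS: %~2 does not match the clean copy %~1
) else (
    echo MATCH:   %~2 is byte-identical to %~1
)
goto :eof

:end
endlocal
pause
```

Save it as a .bat file the same way as fixit.bat and run it from the Desktop. A DIFFERS result is what you would expect for a file that AVG has flagged as Win32/Patched, but it is only meaningful when the CD carries the same service pack as the installed system: a CD from an older service pack ships older builds of both files, so they will differ even from a clean copy. Treat the comparison as a sanity check on the extraction step, not as proof of infection on its own.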


#13 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 19 September 2010 - 10:29 PM

Hi Blade

Sorry for the delay. I'll get you those logs in the next few days.

Cheers
Cantor

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:20 PM

Posted 20 September 2010 - 03:29 AM

Alright. . . will look for them :)

~Blade



#15 cantor

cantor
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 20 September 2010 - 08:14 PM

Hi Blade

Here is the ComboFix log


ComboFix 10-09-20.02 - Neil 09/21/2010 7:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2690 [GMT 8:00]
Running from: c:\documents and settings\Neil.NEIL-3671146A11\Desktop\renamed.exe
Command switches used :: c:\documents and settings\Neil.NEIL-3671146A11\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\3c27odP3.exe
c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\program files\Intel\Wireless\Bin\ifrmewrk.exe
c:\program files\Intel\Wireless\bin\ZCfgSvc.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\AegisP.inf
c:\windows\OEM02Mon.exe
c:\windows\system32\spool\prtprocs\w32x86\HPPRN03.DLL
c:\windows\system32\ubwi.wlo
c:\windows\Tasks\At10.job
c:\windows\Tasks\At102.job

CODE
c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate .exe ---^> c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Java\Java Update\jusched .exe ---^> c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched .exe ---^> c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr .exe ---^> c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
c:\program files\Dell\QuickSet\quickset .exe ---^> c:\program files\Dell\QuickSet\quickset.exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe ---^> c:\program files\Intel\Wireless\Bin\ifrmewrk.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe ---^> c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\iTunes\iTunesHelper .exe ---^> c:\program files\iTunes\iTunesHelper.exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe ---^> c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
c:\program files\QuickTime\qttask                     .exe ---^> c:\program files\QuickTime\qttask.exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe ---^> c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\OEM02Mon .exe ---^> c:\windows\OEM02Mon.exe

.
Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ndisrd


((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
.

2010-09-15 08:56 . 2010-09-15 08:56 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Leadertech
2010-09-13 15:21 . 2010-09-13 15:21 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
2010-09-08 14:58 . 2010-09-08 14:58 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.NEIL-3671146A11
2010-09-08 14:58 . 2010-09-08 14:58 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11.NEIL-3671146A11
2010-09-08 14:58 . 2010-09-08 14:58 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-09-08 14:58 . 2010-09-08 14:58 21361 ----a-w- c:\windows\AegisP.sys
2010-09-08 14:56 . 2007-09-25 22:01 2236032 ----a-w- c:\windows\system32\drivers\NETw4x32.sys
2010-09-08 14:56 . 2007-08-27 03:12 2777088 ----a-w- c:\windows\system32\NETw4r32.dll
2010-09-08 14:56 . 2007-08-27 03:12 745472 ----a-w- c:\windows\system32\NETw4c32.dll
2010-09-08 14:56 . 2010-09-08 14:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2010-09-08 14:56 . 2010-09-08 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Intel
2010-09-08 14:56 . 2010-09-08 14:56 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Intel
2010-09-08 14:55 . 2010-09-08 14:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Intel
2010-09-08 14:55 . 2010-09-08 14:55 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Intel
2010-09-08 14:53 . 2007-03-16 10:10 770048 ----a-w- c:\windows\system32\BCMLogon.dll
2010-09-08 14:53 . 2007-03-16 10:10 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-09-08 14:53 . 2007-03-16 10:10 89088 ----a-w- c:\windows\system32\ATL71.DLL
2010-09-08 14:53 . 2007-03-16 10:10 86016 ----a-w- c:\windows\system32\preflib.dll
2010-09-08 14:53 . 2007-03-16 10:10 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-09-08 14:53 . 2007-03-16 10:10 253952 ----a-w- c:\windows\system32\bcmwlu00.exe
2010-09-08 14:53 . 2007-03-16 10:10 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-09-08 14:53 . 2007-03-16 10:10 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-09-08 14:53 . 2007-03-16 10:10 1253376 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-09-08 14:53 . 2007-03-16 10:10 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-09-08 14:53 . 2007-03-16 10:10 20480 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-09-08 14:53 . 2007-03-16 10:10 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-09-08 14:51 . 2007-05-10 02:22 405504 ----a-w- c:\windows\stsystra.exe
2010-09-08 14:51 . 2007-04-10 09:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-09-08 14:50 . 2007-08-21 01:58 146944 ----a-w- c:\windows\system32\st325602.dll
2010-09-08 14:50 . 2007-05-10 02:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-09-08 08:33 . 2006-11-20 20:25 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-08-30 02:19 . 2010-08-30 02:20 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-08-27 02:29 . 2010-08-27 02:29 -------- d-----w- c:\windows\system32\NtmsData
2010-08-27 00:49 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-27 00:49 . 2010-08-27 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 00:49 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-26 23:43 . 2010-08-26 23:43 -------- d-----w- c:\program files\AVG
2010-08-26 23:43 . 2010-08-27 04:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2010-08-26 05:50 . 2010-08-26 05:50 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Malwarebytes
2010-08-26 05:50 . 2010-08-26 05:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-08-25 23:48 . 2010-08-25 23:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-25 23:48 . 2010-08-25 23:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-08-25 23:44 . 2010-08-25 23:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2010-08-25 22:55 . 2010-08-25 22:55 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-08-25 22:41 . 2010-08-26 14:55 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\bclwnpwyq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-21 00:10 . 2008-02-29 03:26 -------- d-----w- c:\program files\QuickTime
2010-09-21 00:10 . 2008-02-29 03:27 -------- d-----w- c:\program files\iTunes
2010-09-20 23:30 . 2010-09-13 15:11 112 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\oA6K1o3b.dat
2010-09-20 03:18 . 2009-10-26 13:31 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\vlc
2010-09-15 08:38 . 2009-09-08 11:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-13 15:59 . 2009-06-17 08:19 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Azureus
2010-09-08 14:53 . 2007-12-16 12:28 -------- d-----w- c:\program files\Dell
2010-09-08 08:32 . 2007-12-16 12:29 -------- d-----w- c:\program files\Broadcom
2010-08-27 00:00 . 2007-12-16 12:39 -------- d-----w- c:\program files\Google
2010-08-24 15:16 . 2009-06-17 04:18 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Skype
2010-08-24 13:49 . 2009-06-18 06:28 -------- d-----w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\SSH
2010-08-16 13:05 . 2010-08-16 13:05 310208 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-08-12 01:11 . 2009-06-17 06:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-08-09 14:14 . 2009-05-12 11:12 -------- d-----w- c:\program files\Vuze
2010-08-04 23:59 . 2010-08-04 23:59 503808 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2fc56dcd-n\msvcp71.dll
2010-08-04 23:59 . 2010-08-04 23:59 348160 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2fc56dcd-n\msvcr71.dll
2010-08-04 23:59 . 2010-08-04 23:59 499712 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2fc56dcd-n\jmc.dll
2010-08-04 23:59 . 2010-08-04 23:59 61440 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-79b65339-n\decora-sse.dll
2010-08-04 23:59 . 2010-08-04 23:59 12800 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-79b65339-n\decora-d3d.dll
2010-07-04 04:34 . 2010-04-11 02:45 439816 ----a-w- c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Real\Update\setup3.10\setup.exe
2010-06-30 12:31 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-14 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2009-06-17 03:20 . 2009-06-17 03:20 76 --sh--r- c:\windows\CT4CET.bin
.
CODE
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe


------- Sigcheck -------

[-] 2008-04-14 . 020DB801C09BC7D96126002C15BE7979 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 51B42C4BB7C170C2BB338D87471F2B83 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-09-06_01.10.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-21 00:10 . 2010-09-21 00:10 16384 c:\windows\Temp\Perflib_Perfdata_688.dat
+ 2010-09-20 23:54 . 2010-09-20 23:54 16384 c:\windows\Temp\Perflib_Perfdata_370.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 72704 c:\windows\system32\videos.exe
- 2006-03-08 01:21 . 2006-03-08 01:21 53248 c:\windows\system32\SMSUnins.dll
+ 2006-08-29 05:59 . 2006-08-29 05:59 53248 c:\windows\system32\SMSUnins.dll
+ 2007-08-27 03:09 . 2007-08-27 03:09 14848 c:\windows\system32\s24NCfg.dll
- 2008-04-14 12:00 . 2010-08-27 04:25 68558 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-09-08 14:58 68558 c:\windows\system32\perfc009.dat
- 2009-06-17 02:27 . 2006-11-20 20:25 45568 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbxp.sys
+ 2010-09-08 08:33 . 2006-11-20 20:25 45568 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbxp.sys
+ 2010-09-08 08:33 . 2006-11-20 20:20 49507 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbe5.sys
- 2009-06-17 02:27 . 2006-11-20 20:20 49507 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbe5.sys
+ 2007-08-27 03:10 . 2007-08-27 03:10 12288 c:\windows\system32\drivers\s24trans.sys
+ 2010-09-20 11:32 . 2010-09-20 11:32 72704 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OLHBL6CC\aus6[1].exe
+ 2009-06-16 06:19 . 2010-09-20 23:54 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-16 06:19 . 2010-09-04 09:45 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-16 06:19 . 2010-09-04 09:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-16 06:19 . 2010-09-20 23:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-08-25 23:48 . 2010-08-25 23:49 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-08-25 23:48 . 2010-09-20 23:54 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-09-09 16:08 . 2010-09-20 23:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-17 02:26 . 2009-06-17 02:26 3262 c:\windows\Installer\{612B9183-67A9-4B44-9877-2F059E35B86A}\ARPPRODUCTICON.exe
+ 2010-09-08 08:33 . 2010-09-08 08:33 3262 c:\windows\Installer\{612B9183-67A9-4B44-9877-2F059E35B86A}\ARPPRODUCTICON.exe
- 2008-04-14 12:00 . 2010-08-27 04:25 435828 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2010-09-08 14:58 435828 c:\windows\system32\perfh009.dat
+ 2007-10-08 06:11 . 2007-10-08 06:11 208896 c:\windows\system32\NetProvCredMan.dll
- 2009-06-17 03:19 . 2003-02-21 04:42 348160 c:\windows\system32\msvcr71.dll
+ 2009-06-17 03:19 . 2007-03-16 10:10 348160 c:\windows\system32\MSVCR71.DLL
- 2009-06-17 03:19 . 2003-03-18 20:14 499712 c:\windows\system32\msvcp71.dll
+ 2009-06-17 03:19 . 2007-03-16 10:10 499712 c:\windows\system32\MSVCP71.DLL
+ 2010-09-08 14:56 . 2007-02-12 04:40 557056 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\Netw2c32.dll
+ 2010-09-08 14:56 . 2007-08-27 03:12 745472 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4c32.dll
+ 2010-09-08 14:56 . 2007-08-27 03:12 745472 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4c32.dll
+ 2009-06-17 02:47 . 2007-09-11 02:54 600328 c:\windows\Installer\iProInst.exe
+ 2010-09-08 14:56 . 2007-10-01 22:58 818784 c:\windows\Installer\iProData\mWlsSafe.msi
+ 2010-09-08 14:56 . 2007-10-01 22:56 817748 c:\windows\Installer\iProData\mProSafe.msi
+ 2010-09-08 14:56 . 2007-10-08 01:10 802816 c:\windows\Installer\iProData\iconvrtr.exe
+ 2010-09-08 14:59 . 2010-09-08 14:59 926208 c:\windows\Installer\95afe.msi
+ 2010-09-08 14:59 . 2010-09-08 14:59 932352 c:\windows\Installer\95af9.msi
+ 2010-09-08 14:59 . 2010-09-08 14:59 932864 c:\windows\Installer\95af4.msi
+ 2010-09-08 14:59 . 2010-09-08 14:59 934400 c:\windows\Installer\95aef.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 932352 c:\windows\Installer\95aea.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 927744 c:\windows\Installer\95ae5.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 933376 c:\windows\Installer\95adf.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 932864 c:\windows\Installer\95ada.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 932352 c:\windows\Installer\95ad5.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 816640 c:\windows\Installer\95acb.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 816128 c:\windows\Installer\95ac6.msi
+ 2010-09-08 14:57 . 2010-09-08 14:57 924672 c:\windows\Installer\95abc.msi
+ 2010-09-08 14:57 . 2010-09-08 14:57 867328 c:\windows\Installer\95ab3.msi
+ 2010-09-08 14:56 . 2010-09-08 14:56 885760 c:\windows\Installer\95aad.msi
+ 2009-06-17 03:19 . 2007-03-16 10:10 1060864 c:\windows\system32\MFC71.DLL
- 2009-06-17 03:19 . 2003-03-19 13:19 1060864 c:\windows\system32\MFC71.DLL
+ 2010-09-08 14:56 . 2007-07-25 09:44 2210048 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\w29n51.sys
+ 2010-09-08 14:56 . 2007-07-25 09:45 2206464 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\w29n50.sys
+ 2010-09-08 14:56 . 2007-02-12 04:41 2732032 c:\windows\system32\DRVSTORE\w29n51_E99959A506B0423451BFDD2FE3C8B527B6AF45BD\Netw2r32.dll
+ 2010-09-08 14:56 . 2007-09-25 22:01 2236032 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4x32.sys
+ 2010-09-08 14:56 . 2007-08-27 03:12 2777088 c:\windows\system32\DRVSTORE\netw4x32_B0AEEEEDA759744D7D2AC236F54CA6D4CFC0961C\NETw4r32.dll
+ 2010-09-08 14:56 . 2007-08-27 03:12 2777088 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4r32.dll
+ 2010-09-08 14:56 . 2007-09-25 21:59 2230912 c:\windows\system32\DRVSTORE\netw4k32_4CD46BE21BE74C8D663C65B8DC2D7EEA091E50F5\NETw4k32.sys
+ 2009-06-17 02:12 . 2007-05-10 02:24 1222840 c:\windows\system32\drivers\sthda.sys
- 2009-06-17 02:12 . 2007-05-06 09:12 1222840 c:\windows\system32\drivers\sthda.sys
+ 2010-09-08 14:56 . 2007-10-08 02:22 1409024 c:\windows\Installer\iProData\mZConfig.msi
+ 2010-09-08 14:56 . 2007-10-08 02:06 1195008 c:\windows\Installer\iProData\mWMI.msi
+ 2010-09-08 14:56 . 2007-10-08 02:22 1867776 c:\windows\Installer\iProData\mToolkit.msi
- 2009-06-17 02:47 . 2006-10-02 03:23 1528320 c:\windows\Installer\iProData\msxml6.msi
+ 2010-09-08 14:56 . 2006-11-19 22:13 1528320 c:\windows\Installer\iProData\msxml6.msi
+ 2010-09-08 14:56 . 2007-10-08 02:22 1116160 c:\windows\Installer\iProData\mSSO.msi
+ 2010-09-08 14:56 . 2007-10-08 02:19 1379840 c:\windows\Installer\iProData\mSCfg.msi
+ 2010-09-08 14:56 . 2007-10-08 02:18 1561600 c:\windows\Installer\iProData\mPfWiz.msi
+ 2010-09-08 14:56 . 2007-10-08 02:05 2943488 c:\windows\Installer\iProData\mPfMgr.msi
+ 2010-09-08 14:56 . 2007-10-08 02:18 2680320 c:\windows\Installer\iProData\mMHouse.msi
+ 2010-09-08 14:56 . 2007-10-08 02:17 1291776 c:\windows\Installer\iProData\mLogView.msi
+ 2010-09-08 14:56 . 2007-10-08 02:17 2049024 c:\windows\Installer\iProData\mIWA.msi
+ 2010-09-08 14:56 . 2007-10-01 22:47 7040424 c:\windows\Installer\iProData\mHlpDell.msi
+ 2010-09-08 14:56 . 2007-10-08 02:05 1326592 c:\windows\Installer\iProData\mGina.msi
+ 2010-09-08 14:56 . 2007-10-08 02:17 1642496 c:\windows\Installer\iProData\mDrWiFi.msi
+ 2010-09-08 14:56 . 2007-10-01 22:52 4234752 c:\windows\Installer\iProData\mDriver.msi
+ 2010-09-08 14:56 . 2007-10-08 02:23 4520448 c:\windows\Installer\iProData\mCore.msi
+ 2010-09-08 08:33 . 2010-09-08 08:33 1105408 c:\windows\Installer\d9c213.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 1809920 c:\windows\Installer\95ad0.msi
+ 2010-09-08 14:58 . 2010-09-08 14:58 1229312 c:\windows\Installer\95ac1.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-19 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8433664]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-29 198160]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2010-09-13 35332]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]

c:\documents and settings\Neil.NEIL-3671146A11\Start Menu\Programs\Startup\
Seagate 2GH36MPG Product Registration.lnk - c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Leadertech\PowerRegister\Seagate 2GH36MPG Product Registration.exe [2010-9-15 1731736]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [5/12/2009 7:12 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/12/2009 7:13 PM 234888]
S3 RDID1046;EDIROL UA-25;c:\windows\system32\drivers\Rdwm1046.sys [5/23/2010 5:06 PM 172561]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003Core.job
- c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 10:55]

2010-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1336601894-1801674531-1003UA.job
- c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-26 10:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Neil.NEIL-3671146A11\Application Data\Mozilla\Firefox\Profiles\5t06m6g8.default\
FF - prefs.js: browser.startup.homepage - google.com.au
FF - plugin: c:\documents and settings\Neil.NEIL-3671146A11\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 08:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,f2,26,cb,8c,e5,18,45,bf,8c,08,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,f2,26,cb,8c,e5,18,45,bf,8c,08,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(1244)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\netprovcredman.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-21 08:19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-21 00:19
ComboFix2.txt 2010-09-06 01:21

Pre-Run: 92,591,316,992 bytes free
Post-Run: 92,948,156,416 bytes free

- - End Of File - - 179A603C8ABEFB22AE08143A80E5172C
