
Damn Stubborn Infection! (Desktopplayer.exe)


  • This topic is locked
17 replies to this topic

#1 DickNervous

DickNervous

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 08 September 2010 - 12:41 PM

EDIT: Moved to appropriate forum: Virus, Trojan, Spyware, and Malware Removal Logs

For months now I have been using the advice given by the experts here to remove malware from computers (THANK YOU!!!!!). However, despite that knowledge and experience I have come across a particularly stubborn beast.

To the best of my knowledge this was a "drive-by" infection. The machine is Windows 7 and is used as a media/file/torrent server. I (foolishly) didn't have any active protection on the machine but did run MBAM and SAS every few days. Since the infection was detected I have purchased a license for MBAM and have it actively protecting the machine. In an effort to remove the malware I have done the following:

Run MBAM in both Safe Mode and Normal
Run SAS in both Safe Mode and Normal
Run HJT in both Safe Mode and Normal
Run Kaspersky TDSSKiller in both Safe Mode and Normal
Booted with UBCD for Windows and run SAS as well as deleted files

Each time I have removed whatever the apps found, only to have them back again. MBAM Protection keeps alerting me that it has blocked access to potentially harmful websites (see log below) on an almost constant basis.

The following logs are the latest runs that I just did as I was writing this post.

DDS Log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Rich at 13:38:52.80 on Wed 09/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1918.1068 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\rdpclip.exe
C:\Users\Rich\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rich\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rich\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Users\Rich\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uRun: [cleanxxxxx.exe] c:\cleanxxxxx.exe\cleanxxxxx.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {CB6FD85F-9872-46BE-98AE-B9C90DB3D938} = 68.237.161.12,71.243.0.12

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2004-6-29 7680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-8 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-8 20952]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S4 AMPingService;AMPingService;c:\users\rich\appdata\local\temp\amping.exe --> c:\users\rich\appdata\local\temp\AMPing.exe [?]
S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
S4 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client v1.01\smpd.exe [2009-11-3 1194496]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
S4 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-13 1343400]

=============== Created Last 30 ================

2010-09-08 17:38:30 0 ----a-w- c:\users\rich\defogger_reenable
2010-09-08 13:18:45 0 d-----w- c:\program files\riv87
2010-09-07 04:04:28 0 d-----w- c:\windows\pss
2010-09-06 03:31:25 98816 ----a-w- c:\windows\sed.exe
2010-09-06 03:31:25 77312 ----a-w- c:\windows\MBR.exe
2010-09-06 03:31:25 256512 ----a-w- c:\windows\PEV.exe
2010-09-06 03:31:25 161792 ----a-w- c:\windows\SWREG.exe
2010-09-06 03:31:16 0 d-s---w- C:\ComboFix
2010-09-05 06:00:19 0 d-----w- c:\program files\Nero
2010-09-05 05:59:10 0 d-----w- c:\programdata\Nero
2010-08-25 17:13:31 172 ----a-w- c:\windows\system32\MRT.INI
2010-08-25 12:41:14 0 d-----w- c:\program files\sys2
2010-08-24 18:02:22 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-23 17:17:04 0 d-----w- c:\program files\ssns
2010-08-23 03:43:12 200375170 ----a-w- c:\windows\MEMORY.DMP
2010-08-21 15:39:03 0 d-----w- c:\program files\syst
2010-08-17 04:48:21 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-08-17 04:41:13 0 d-----w- c:\users\rich\appdata\roaming\SUPERAntiSpyware.com
2010-08-17 04:41:13 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-17 04:41:08 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-17 04:32:35 0 d-----w- C:\lspfix
2010-08-17 04:32:30 201030 ----a-w- C:\lspfix.zip
2010-08-17 04:20:40 0 d-----w- C:\tdsskiller
2010-08-17 04:20:09 1133429 ----a-w- C:\tdsskiller.zip
2010-08-16 18:50:22 0 d-----w- c:\program files\MSN Toolbar
2010-08-16 18:46:45 0 d-----w- c:\programdata\PC Drivers HeadQuarters
2010-08-16 18:46:42 0 d-----w- c:\program files\MSN Toolbar Installer
2010-08-15 19:08:31 0 d-----w- c:\program files\rivi
2010-08-13 19:22:54 0 d-----w- c:\windows\system32\Wat
2010-08-13 19:06:55 338493 --sh--r- C:\TLYGU
2010-08-11 03:40:07 0 d-----w- c:\program files\riv
2010-08-10 02:26:04 0 d-----w- c:\users\rich\appdata\roaming\Ruax

==================== Find3M ====================

2010-09-03 15:19:08 108544 ----a-w- c:\windows\system32\drivers\ulsata2.sys
2010-08-25 17:38:31 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-24 14:07:54 16384 ----a-w- c:\windows\system32\drivers\ws2ifsl.sys
2010-08-17 04:25:49 51776 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:39:24.98 ===============




MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4571

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/8/2010 12:03:24 PM
mbam-log-2010-09-08 (12-03-24).txt

Scan type: Quick scan
Objects scanned: 142906
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{850621ff-2fe8-65ff-6117-c142961fb0dd} (Spyware.Passwords.XGen) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Rich\AppData\Roaming\Loeb\podyw.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.

(I removed the infections and rebooted after saving the log)

=============================================
I have purchased a license for MBAM and here is the protection log. The log included hundreds more lines of attempts to access the IP addresses listed; I edited them out for clarity.

MBAM Protection Log

00:11:42 Rich IP-BLOCK 206.53.53.26
00:15:11 Rich IP-BLOCK 95.143.192.30
00:15:11 Rich IP-BLOCK 95.143.192.240
00:17:27 Rich IP-BLOCK 206.53.53.26
00:25:45 Rich IP-BLOCK 94.96.38.75
00:54:51 Rich IP-BLOCK 113.11.194.152
01:00:37 Rich IP-BLOCK 95.211.83.229
01:12:44 Rich IP-BLOCK 94.96.157.228
02:24:03 Rich IP-BLOCK 95.168.183.41
02:37:28 Rich IP-BLOCK 213.174.157.3
07:21:26 Rich IP-BLOCK 222.71.16.114
11:42:28 Rich DETECTION C:\Program Files\riv87\us.exe Spyware.Passwords.XGen QUARANTINE
11:55:08 Rich DETECTION C:\PROGRAM FILES\hjt\TREND MICRO\HIJACKTHIS\HIJACKTHISSRV.EXE Malware.Packer.Gen QUARANTINE
12:19:02 Rich DETECTION C:\Program Files\Microsoft\DesktopLayer.exe Trojan.Agent QUARANTINE
12:19:29 Rich DETECTION C:\Program Files\SUPERAntiSpyware\SUPERAntiSpywareSrv.exe Trojan.Agent QUARANTINE
12:19:31 Rich DETECTION C:\Program Files\SUPERAntiSpyware\SUPERAntiSpywareSrv.exe Trojan.Agent DENY
12:19:31 Rich DETECTION C:\Program Files\SUPERAntiSpyware\SUPERAntiSpywareSrv.exe Trojan.Agent DENY
12:19:32 Rich DETECTION C:\Program Files\SUPERAntiSpyware\SUPERAntiSpywareSrv.exe Trojan.Agent DENY
12:19:54 Rich DETECTION C:\Program Files\SUPERAntiSpyware\SUPERAntiSpywareSrv.exe Trojan.Agent DENY
12:19:58 Rich DETECTION C:\Program Files\SUPERAntiSpyware\SUPERAntiSpywareSrv.exe Trojan.Agent DENY

==================================================================================
SAS Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2010 at 01:30 PM

Application Version : 4.41.1000

Core Rules Database Version : 5471
Trace Rules Database Version: 3283

Scan type : Complete Scan
Total Scan Time : 01:10:00

Memory items scanned : 554
Memory threats detected : 0
Registry items scanned : 7946
Registry threats detected : 0
File items scanned : 199679
File threats detected : 3

Trojan.Agent/Gen-Falleg
C:\PROGRAM FILES\HJT\TREND MICRO\HIJACKTHIS\HIJACKTHISSRV.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARESRV.EXE
C:\Windows\Prefetch\HIJACKTHISSRV.EXE-04E6F7EA.pf
=================================================================

Thanks for moving it, I realized right after I clicked the New Topic button that it was in the wrong forum.

Additionally, here is the GMER log and I have attached a text file with all the logs I posted.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-08 14:48:16
Windows 6.1.7600
Running: 5zjb8ioh.exe; Driver: C:\Users\Rich\AppData\Local\Temp\pwldrpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1AAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C032D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C02898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1AF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1B1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C7A599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C9EF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\awubeun.sys The system cannot find the path specified. !
.text peauth.sys 95D52C9D 28 Bytes CALL 442BB863
.text peauth.sys 95D52CC1 28 Bytes CALL 442BB887
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9D132000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9D132123 486 Bytes [D5, 12, 9D, FE, 05, 34, D5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 529A 9D13230A 142 Bytes [12, 9D, 3B, 08, 77, 04, 3B, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9D132399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9D1323FF 136 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume12 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume12 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I have more information for the lucky person who volunteers to help.

I am using the ESET online scanner right now, just to see if it found anything. It found quite a few files infected with W32.Ramnit.A virus.
The interesting thing is that when I booted with the Ultimate Boot CD for Windows yesterday and scanned with Avast and McAfee Stinger and SAS, none of them found this infection....

EDIT: Posts merged ~BP

Edited by Budapest, 08 September 2010 - 04:43 PM.
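Two findings in the logs above explain why the infection kept coming back: the MBAM log shows the Winlogon\Userinit value carrying a second executable (desktoplayer.exe) after the stock userinit.exe, which runs at every logon before the shell, and the DDS "Pseudo HJT Report" shows UAC switched off (EnableLUA = 0) along with an autorun starting from a directory at the drive root. The following Python is an added example, not part of the original post or of any of the tools quoted here; it parses those two log formats and reports exactly those conditions. The sample lines are copied from the logs in this thread and are constructed input for the script, not read from a live machine; the set of "trusted roots" for autorun paths and the list of UAC policy values treated as weak are my own assumptions.

```python
"""Audit persistence-related lines from a DDS "Pseudo HJT Report" and the
Winlogon\\Userinit value quoted in an MBAM log.  Added example for this thread;
the sample lines are constructed from the log formats shown above and are not
read from a live machine."""
import re
from typing import Dict, List

# What a clean Winlogon\Userinit value contains.  Windows stores the full path
# with a trailing comma; MBAM reports the normalised form "userinit.exe".
EXPECTED_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# Policy values (as printed on DDS "mPolicies-system" lines) that disable or
# weaken UAC.  EnableLUA = 0 turns UAC off; the other two silence its prompts.
# Which values count as "weak" is an assumption of this example.
UAC_WEAK_VALUES = {
    "EnableLUA": "0",
    "ConsentPromptBehaviorAdmin": "0",
    "PromptOnSecureDesktop": "0",
}

RUN_RE = re.compile(r"^(?:u|m)Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(?P<key>\w+)\s+=\s+(?P<val>\d+)")
MBAM_BAD_RE = re.compile(r"Bad:\s+\((?P<bad>[^)]*)\)")

# Autorun commands are expected to live under these roots (assumption);
# anything else (drive root, user profile, temp) deserves a look.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value into its non-empty, comma-separated entries."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Entries in a Userinit value other than the stock userinit.exe."""
    return [p for p in parse_userinit(value) if p not in EXPECTED_USERINIT]


def userinit_from_mbam_line(line: str) -> str:
    """Pull the 'Bad: (...)' value out of an MBAM Hijack.UserInit log line."""
    m = MBAM_BAD_RE.search(line)
    return m.group("bad") if m else ""


def audit_report(lines) -> Dict[str, List[str]]:
    """Flag autorun entries outside trusted roots and weakened UAC policies."""
    findings: Dict[str, List[str]] = {"run_outside_trusted_roots": [], "uac_weakened": []}
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            exe = cmd.lstrip('"').lower()          # drop an opening quote
            if not exe.startswith(TRUSTED_ROOTS):
                findings["run_outside_trusted_roots"].append(
                    f"{m.group('name')} -> {cmd}")
            continue
        m = POLICY_RE.match(line)
        if m and UAC_WEAK_VALUES.get(m.group("key")) == m.group("val"):
            findings["uac_weakened"].append(m.group("key"))
    return findings


# Constructed sample: the Pseudo HJT lines from the DDS log in this thread.
SAMPLE_REPORT = r"""
uRun: [cleanxxxxx.exe] c:\cleanxxxxx.exe\cleanxxxxx.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
""".strip().splitlines()

# Constructed sample: the Hijack.UserInit line from the MBAM log in this thread.
SAMPLE_MBAM_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,"
    r"c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken."
)

if __name__ == "__main__":
    for category, items in audit_report(SAMPLE_REPORT).items():
        print(category, items)
    bad = userinit_from_mbam_line(SAMPLE_MBAM_LINE)
    print("extra Userinit entries:", unexpected_userinit_entries(bad))
```

Run as a script it prints the one autorun outside Program Files/Windows, the three UAC values set to 0, and desktoplayer.exe as the extra Userinit entry. The empty entry between the two commas in the Userinit value is dropped rather than flagged, since Windows itself writes the stock value with a trailing comma; what matters is any executable other than userinit.exe appearing there.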



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:44 PM

Posted 14 September 2010 - 06:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 DickNervous

DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 14 September 2010 - 09:48 PM

I am here m0le, eagerly awaiting your direction.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:44 PM

Posted 15 September 2010 - 06:33 PM

I would like to see a Gmer scan please

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#5 DickNervous

DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 15 September 2010 - 10:03 PM

One GMER log....

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-15 22:57:58
Windows 6.1.7600
Running: g3dzd78s.exe; Driver: C:\Users\Rich\AppData\Local\Temp\pwldrpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1EAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1E104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1E3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C06634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C06898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1E1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1E958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1E6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1EF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C7E599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA2F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 9BA11C9D 28 Bytes [44, B8, 59, AC, 18, 32, 8A, ...]
.text peauth.sys 9BA11CC1 28 Bytes [44, B8, 59, AC, 18, 32, 8A, ...]
PAGE peauth.sys 9BA1802C 102 Bytes [D0, D0, 07, 57, 38, 2D, 31, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9B22C000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9B22C123 629 Bytes [75, 22, 9B, FE, 05, 34, 75, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9B22C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9B22C3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 9B22C4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume12 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume12 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:44 PM

Posted 16 September 2010 - 04:30 PM

There are some visible issues with the PC, so please run OTL, a scanner and, later, a remover.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#7 DickNervous

DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 16 September 2010 - 10:44 PM

The scan only created one text file, OTL.Txt, which is pasted below.


OTL logfile created on: 9/16/2010 11:37:39 PM - Run 3
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Rich\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 242.92 Gb Free Space | 81.50% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 184.10 Gb Free Space | 79.05% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive G: | 95.41 Gb Total Space | 0.67 Gb Free Space | 0.70% Space Free | Partition Type: NTFS
Drive H: | 94.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 931.51 Gb Total Space | 330.38 Gb Free Space | 35.47% Space Free | Partition Type: NTFS
Drive J: | 465.76 Gb Total Space | 94.22 Gb Free Space | 20.23% Space Free | Partition Type: NTFS
Drive K: | 37.24 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive L: | 95.42 Gb Total Space | 31.11 Gb Free Space | 32.60% Space Free | Partition Type: NTFS
Drive M: | 931.51 Gb Total Space | 249.59 Gb Free Space | 26.79% Space Free | Partition Type: NTFS
Drive N: | 465.76 Gb Total Space | 50.33 Gb Free Space | 10.81% Space Free | Partition Type: NTFS
Drive O: | 1863.01 Gb Total Space | 1151.54 Gb Free Space | 61.81% Space Free | Partition Type: NTFS

Computer Name: ARSENAL
Current User Name: Rich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Rich\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\rdpclip.exe (Microsoft Corporation)
PRC - C:\Windows\System32\sppsvc.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Rich\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\winsta.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AMPingService) -- C:\Users\Rich\AppData\Local\Temp\AMPing.exe File not found
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe ()
SRV - (mpich2_smpd) -- C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe ()
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (NeroMediaHomeService.4) -- C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero AG)


========== Driver Services (SafeList) ==========

DRV - (cpuz132) -- C:\Users\Rich\AppData\Local\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\Users\Rich\AppData\Local\Temp\catchme.sys File not found
DRV - (ulsata2) -- C:\Windows\system32\DRIVERS\ulsata2.sys (Promise Technology, Inc.)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (Ultra) -- C:\Windows\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (dontgo) -- C:\Windows\system32\DRIVERS\DontGo.sys (Promise Technology, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 8D 44 78 6C 4F CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/02/28 22:54:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\Firefox [2010/08/16 14:50:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/08/16 14:50:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{26219C14-C623-468F-8788-A0C3A5361435}: C:\Windows\system32\config\systemprofile\AppData\Local\{26219C14-C623-468F-8788-A0C3A5361435}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{531D1D90-9A3B-49CF-96F1-E3061BEB61B7}: C:\Users\Rich\AppData\Local\{531D1D90-9A3B-49CF-96F1-E3061BEB61B7}\


O1 HOSTS File: ([2010/08/16 17:00:56 | 000,000,002 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (EXPLORER.EXE) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/24 04:25:46 | 000,000,298 | R--- | M] () - H:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/08 15:18:03 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/08 15:15:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo! Companion
[2010/09/08 09:18:45 | 000,000,000 | ---D | C] -- C:\Program Files\riv87
[2010/09/07 00:04:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/05 23:31:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/09/05 23:31:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/09/05 23:31:25 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/09/05 23:31:18 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/09/05 23:31:16 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/09/05 23:30:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/05 23:30:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/09/05 23:30:35 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/09/05 23:22:17 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Rich\Desktop\OTL.exe
[2010/09/05 02:08:06 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\Nero
[2010/09/05 02:08:00 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Local\Nero
[2010/09/05 02:00:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2010/09/05 01:59:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2010/09/05 01:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/08/25 08:41:14 | 000,000,000 | ---D | C] -- C:\Program Files\sys2
[2010/08/23 13:17:04 | 000,000,000 | ---D | C] -- C:\Program Files\ssns
[2010/08/22 21:47:44 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/08/21 11:39:03 | 000,000,000 | ---D | C] -- C:\Program Files\syst

========== Files - Modified Within 30 Days ==========

[2010/09/16 23:37:57 | 002,621,440 | -HS- | M] () -- C:\Users\Rich\NTUSER.DAT
[2010/09/16 23:29:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4177623686-3169190636-2548671302-1001UA.job
[2010/09/16 23:15:46 | 000,020,144 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/16 23:15:46 | 000,020,144 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/16 16:29:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4177623686-3169190636-2548671302-1001Core.job
[2010/09/15 23:17:38 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/15 23:17:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/15 23:17:31 | 1508,016,128 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/15 23:17:28 | 206,207,874 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/09/15 22:43:42 | 001,670,762 | -H-- | M] () -- C:\Users\Rich\AppData\Local\IconCache.db
[2010/09/15 22:37:46 | 000,293,376 | ---- | M] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/09/15 14:29:34 | 000,002,403 | ---- | M] () -- C:\Users\Rich\Desktop\Google Chrome.lnk
[2010/09/08 15:17:19 | 000,000,966 | ---- | M] () -- C:\Users\Rich\Documents\cc_20100908_151714.reg
[2010/09/08 15:15:50 | 000,001,012 | ---- | M] () -- C:\Users\Rich\Desktop\CCleaner.lnk
[2010/09/08 13:38:30 | 000,000,000 | ---- | M] () -- C:\Users\Rich\defogger_reenable
[2010/09/08 13:15:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Rich\Desktop\OTL.exe
[2010/09/07 16:22:50 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/07 16:22:50 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/07 16:22:50 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/05 23:29:02 | 003,837,097 | R--- | M] () -- C:\Users\Rich\Desktop\ComboFix.exe
[2010/09/05 02:14:57 | 000,004,608 | ---- | M] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/03 11:19:08 | 000,108,544 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata2.sys
[2010/08/25 13:38:57 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/08/25 13:13:31 | 000,000,172 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2010/08/22 21:55:51 | 000,000,120 | ---- | M] () -- C:\Users\Rich\AppData\Local\Mlafeqovaruyuq.dat
[2010/08/22 21:55:51 | 000,000,000 | ---- | M] () -- C:\Users\Rich\AppData\Local\Udunab.bin

========== Files Created - No Company Name ==========

[2010/09/15 23:00:17 | 206,207,874 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/09/15 22:37:44 | 000,293,376 | ---- | C] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/09/08 15:17:16 | 000,000,966 | ---- | C] () -- C:\Users\Rich\Documents\cc_20100908_151714.reg
[2010/09/08 13:38:30 | 000,000,000 | ---- | C] () -- C:\Users\Rich\defogger_reenable
[2010/09/07 08:37:10 | 000,001,024 | -H-- | C] () -- C:\Users\Rich\ntuser.dat.LOG
[2010/09/05 23:31:25 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/09/05 23:31:25 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/09/05 23:31:25 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/09/05 23:31:25 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/09/05 23:31:25 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/09/05 23:29:00 | 003,837,097 | R--- | C] () -- C:\Users\Rich\Desktop\ComboFix.exe
[2010/09/05 02:13:58 | 000,004,608 | ---- | C] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/25 13:13:31 | 000,000,172 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/08/22 21:55:51 | 000,000,120 | ---- | C] () -- C:\Users\Rich\AppData\Local\Mlafeqovaruyuq.dat
[2010/08/22 21:55:51 | 000,000,000 | ---- | C] () -- C:\Users\Rich\AppData\Local\Udunab.bin
[2010/05/08 23:13:40 | 000,000,009 | ---- | C] () -- C:\Users\Rich\AppData\Roaming\nuar.old
[2010/03/25 16:57:07 | 000,000,244 | ---- | C] () -- C:\Windows\maketorrent.ini
[2009/11/03 10:11:40 | 001,380,352 | ---- | C] () -- C:\Windows\System32\mpich2shmp.dll
[2009/11/03 10:11:40 | 001,196,032 | ---- | C] () -- C:\Windows\System32\mpich2.dll
[2009/11/03 10:11:40 | 001,175,552 | ---- | C] () -- C:\Windows\System32\mpich2shm.dll
[2009/11/03 10:11:40 | 000,102,400 | ---- | C] () -- C:\Windows\System32\mpich2mpi.dll
[2009/09/21 11:01:28 | 000,000,052 | ---- | C] () -- C:\Windows\MediaGUI.INI
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

========== LOP Check ==========

[2010/05/09 00:22:27 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\AKM Antivirus 2010 Pro
[2010/08/25 13:35:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Asips
[2010/08/16 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Awcu
[2010/07/13 02:21:20 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Cigyu
[2010/08/24 09:36:21 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Cynoy
[2010/06/24 22:34:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\D-Link Media Server
[2010/09/07 07:47:38 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Duobu
[2010/09/03 11:17:28 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Efmeqi
[2010/08/17 01:04:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Erezla
[2010/09/07 00:08:31 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Feykvo
[2010/09/08 15:52:41 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Folding@home-gpu
[2010/09/03 21:57:08 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Hoeqd
[2010/03/11 07:19:33 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Igiquf
[2010/02/28 22:55:46 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\ImgBurn
[2010/02/28 22:55:46 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\InstallPad
[2010/08/17 08:25:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Liaxo
[2010/09/08 12:03:33 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Loeb
[2010/08/22 22:52:57 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Loevyq
[2010/06/06 23:51:28 | 000,000,000 | -HSD | M] -- C:\Users\Rich\AppData\Roaming\lowsec
[2010/02/28 22:55:48 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\MediaServerDump
[2010/08/17 01:04:03 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Noomok
[2010/09/03 15:51:14 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Obet
[2010/08/08 00:36:35 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Ovtuv
[2010/06/11 19:19:04 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Qeewta
[2010/08/24 13:38:49 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Qubee
[2010/09/08 00:54:42 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Ruax
[2010/09/14 13:38:10 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\TeraCopy
[2010/08/16 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Udbic
[2010/09/16 23:36:24 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\uTorrent
[2010/08/24 10:06:48 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Uvqada
[2010/06/10 18:29:45 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Vypi
[2010/09/05 23:34:00 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Wuyds
[2010/09/01 10:04:20 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Xoekvy
[2010/06/30 00:52:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yhavo
[2010/08/16 15:39:08 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yqoced
[2010/08/17 01:04:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yrin
[2010/08/22 22:52:52 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yvuwos
[2010/08/08 00:24:30 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yxuw
[2010/08/24 10:06:47 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yxve
[2010/08/21 17:47:33 | 000,020,382 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:44 PM

Posted 17 September 2010 - 06:13 PM

Open OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
[2010/08/22 21:55:51 | 000,000,120 | ---- | C] () -- C:\Users\Rich\AppData\Local\Mlafeqovaruyuq.dat
[2010/08/22 21:55:51 | 000,000,000 | ---- | C] () -- C:\Users\Rich\AppData\Local\Udunab.bin
[2010/05/08 23:13:40 | 000,000,009 | ---- | C] () -- C:\Users\Rich\AppData\Roaming\nuar.old
[2010/08/25 13:35:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Asips
[2010/08/16 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Awcu
[2010/07/13 02:21:20 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Cigyu
[2010/08/24 09:36:21 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Cynoy
[2010/09/07 07:47:38 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Duobu
[2010/09/03 11:17:28 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Efmeqi
[2010/08/17 01:04:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Erezla
[2010/09/07 00:08:31 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Feykvo
[2010/09/03 21:57:08 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Hoeqd
[2010/03/11 07:19:33 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Igiquf
[2010/08/17 08:25:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Liaxo
[2010/09/08 12:03:33 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Loeb
[2010/08/22 22:52:57 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Loevyq
[2010/06/06 23:51:28 | 000,000,000 | -HSD | M] -- C:\Users\Rich\AppData\Roaming\lowsec
[2010/08/17 01:04:03 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Noomok
[2010/09/03 15:51:14 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Obet
[2010/08/08 00:36:35 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Ovtuv
[2010/06/11 19:19:04 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Qeewta
[2010/08/24 13:38:49 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Qubee
[2010/09/08 00:54:42 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Ruax
[2010/08/16 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Udbic
[2010/08/24 10:06:48 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Uvqada
[2010/06/10 18:29:45 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Vypi
[2010/09/05 23:34:00 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Wuyds
[2010/09/01 10:04:20 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Xoekvy
[2010/06/30 00:52:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yhavo
[2010/08/16 15:39:08 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yqoced
[2010/08/17 01:04:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yrin
[2010/08/22 22:52:52 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yvuwos
[2010/08/08 00:24:30 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yxuw
[2010/08/24 10:06:47 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yxve
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please then run an OTL scan as you did first and post the log.
m0le is a proud member of UNITE
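The fix above was assembled by reading three things out of the OTL logs by hand: services and drivers whose image file is gone, an SSODL (ShellServiceObjectDelayLoad) entry whose CLSID no longer resolves, and a long run of short random-named folders under AppData\Roaming that were created in bursts seconds apart. The following script, added here as an example and not part of this thread or of OTL itself, does that triage over OTL-style log lines. The regular expressions are written against the line formats visible in this thread; the KNOWN_ROAMING_DIRS allow-list is a hypothetical one (seed it from a clean build in practice); the sample lines at the bottom are excerpted from the logs posted above.

```python
"""Triage helper for OTL-style scan logs (added example, not OTL's own code)."""
import re
from datetime import datetime

# Hypothetical allow-list of legitimate folder names under AppData\Roaming.
KNOWN_ROAMING_DIRS = {"uTorrent", "ImgBurn", "TeraCopy", "InstallPad", "MediaServerDump"}

# [2010/08/25 13:35:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Asips
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| (?P<attrs>[-A-Z]{4}) \| [CM]\]"
    r"(?: \(\))? -- (?P<path>.+)$"
)
# SRV - (AMPingService) -- C:\Users\Rich\AppData\Local\Temp\AMPing.exe File not found
SERVICE_LINE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\).*? -- (?P<path>.+)$")
ROAMING_LEAF = re.compile(r"\\AppData\\Roaming\\(?P<leaf>[^\\]+)$", re.IGNORECASE)
RANDOM_LEAF = re.compile(r"^[A-Za-z]{4,8}$")  # short pseudo-word, the pattern in this log


def parse_timestamp(ts):
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")


def orphaned_services(lines):
    """Service/driver entries whose image path no longer exists on disk."""
    out = []
    for line in lines:
        m = SERVICE_LINE.match(line.strip())
        if m and m.group("path").endswith("File not found"):
            out.append((m.group("kind"), m.group("name")))
    return out


def broken_ssodl(lines):
    """O21 ShellServiceObjectDelayLoad entries whose CLSID or file is missing."""
    return [l.strip() for l in lines
            if l.strip().startswith("O21 - SSODL:") and "not found" in l]


def suspicious_roaming_dirs(lines, window_seconds=60):
    """Random-named or hidden+system folders under AppData\\Roaming, clustered by timestamp.

    A dropper creates its folders within seconds of each other, so a cluster of
    pseudo-words sharing a timestamp is a stronger signal than any single name.
    Hidden+system folders under Roaming (the `lowsec` entry here) are flagged on their own.
    """
    hits = []
    for line in lines:
        m = OTL_ENTRY.match(line.strip())
        if not m or "D" not in m.group("attrs"):
            continue
        leaf_m = ROAMING_LEAF.search(m.group("path"))
        if not leaf_m:
            continue
        leaf = leaf_m.group("leaf")
        hidden_system = "H" in m.group("attrs") and "S" in m.group("attrs")
        if leaf in KNOWN_ROAMING_DIRS and not hidden_system:
            continue
        if RANDOM_LEAF.match(leaf) or hidden_system:
            hits.append((parse_timestamp(m.group("ts")), leaf, hidden_system))
    hits.sort()
    clusters, current = [], []
    for hit in hits:  # sweep in time order, splitting when the gap exceeds the window
        if current and (hit[0] - current[-1][0]).total_seconds() > window_seconds:
            clusters.append(current)
            current = []
        current.append(hit)
    if current:
        clusters.append(current)
    return clusters


def report(lines):
    return {
        "orphaned": orphaned_services(lines),
        "ssodl": broken_ssodl(lines),
        "roaming_clusters": suspicious_roaming_dirs(lines),
    }


# Constructed sample: lines excerpted from the OTL logs in this thread.
SAMPLE_LOG = r"""
SRV - (AMPingService) -- C:\Users\Rich\AppData\Local\Temp\AMPing.exe File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
DRV - (catchme) -- C:\Users\Rich\AppData\Local\Temp\catchme.sys File not found
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
[2010/08/16 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Awcu
[2010/08/16 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Udbic
[2010/08/16 15:39:08 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Yqoced
[2010/08/17 01:04:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Erezla
[2010/08/17 01:04:03 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Noomok
[2010/06/06 23:51:28 | 000,000,000 | -HSD | M] -- C:\Users\Rich\AppData\Roaming\lowsec
[2010/09/16 23:36:24 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\uTorrent
[2010/06/24 22:34:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\D-Link Media Server
[2010/08/22 21:55:51 | 000,000,120 | ---- | C] () -- C:\Users\Rich\AppData\Local\Mlafeqovaruyuq.dat
"""

if __name__ == "__main__":
    findings = report(SAMPLE_LOG.strip().splitlines())
    print("orphaned entries:", findings["orphaned"])
    print("broken SSODL:", findings["ssodl"])
    for cluster in findings["roaming_clusters"]:
        print("cluster @", cluster[0][0], [leaf for _, leaf, _ in cluster])
```

The output is a starting list, not a verdict: a "File not found" service can be a leftover from a removed tool (catchme.sys is ComboFix's own driver), and the name heuristic needs the allow-list because legitimate folders like uTorrent are also short alpha-only words. The time clustering is the part worth keeping: folders that share a creation timestamp to the second were almost certainly written by one process, which is how the thirty-odd entries in the `:OTL` section above hang together.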

#9 DickNervous

DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 17 September 2010 - 08:54 PM

The fix log:

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
C:\Users\Rich\AppData\Local\Mlafeqovaruyuq.dat moved successfully.
C:\Users\Rich\AppData\Local\Udunab.bin moved successfully.
C:\Users\Rich\AppData\Roaming\nuar.old moved successfully.
C:\Users\Rich\AppData\Roaming\Asips folder moved successfully.
C:\Users\Rich\AppData\Roaming\Awcu folder moved successfully.
C:\Users\Rich\AppData\Roaming\Cigyu folder moved successfully.
C:\Users\Rich\AppData\Roaming\Cynoy folder moved successfully.
C:\Users\Rich\AppData\Roaming\Duobu folder moved successfully.
C:\Users\Rich\AppData\Roaming\Efmeqi folder moved successfully.
C:\Users\Rich\AppData\Roaming\Erezla folder moved successfully.
C:\Users\Rich\AppData\Roaming\Feykvo folder moved successfully.
C:\Users\Rich\AppData\Roaming\Hoeqd folder moved successfully.
C:\Users\Rich\AppData\Roaming\Igiquf folder moved successfully.
C:\Users\Rich\AppData\Roaming\Liaxo folder moved successfully.
C:\Users\Rich\AppData\Roaming\Loeb folder moved successfully.
C:\Users\Rich\AppData\Roaming\Loevyq folder moved successfully.
C:\Users\Rich\AppData\Roaming\lowsec folder moved successfully.
C:\Users\Rich\AppData\Roaming\Noomok folder moved successfully.
C:\Users\Rich\AppData\Roaming\Obet folder moved successfully.
C:\Users\Rich\AppData\Roaming\Ovtuv folder moved successfully.
C:\Users\Rich\AppData\Roaming\Qeewta folder moved successfully.
C:\Users\Rich\AppData\Roaming\Qubee folder moved successfully.
C:\Users\Rich\AppData\Roaming\Ruax folder moved successfully.
C:\Users\Rich\AppData\Roaming\Udbic folder moved successfully.
C:\Users\Rich\AppData\Roaming\Uvqada folder moved successfully.
C:\Users\Rich\AppData\Roaming\Vypi folder moved successfully.
C:\Users\Rich\AppData\Roaming\Wuyds folder moved successfully.
C:\Users\Rich\AppData\Roaming\Xoekvy folder moved successfully.
C:\Users\Rich\AppData\Roaming\Yhavo folder moved successfully.
C:\Users\Rich\AppData\Roaming\Yqoced folder moved successfully.
C:\Users\Rich\AppData\Roaming\Yrin folder moved successfully.
C:\Users\Rich\AppData\Roaming\Yvuwos folder moved successfully.
C:\Users\Rich\AppData\Roaming\Yxuw folder moved successfully.
C:\Users\Rich\AppData\Roaming\Yxve folder moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.11.0 log created on 09172010_214618


The next scan log...
OTL logfile created on: 9/17/2010 9:47:18 PM - Run 3
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Rich\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 242.91 Gb Free Space | 81.49% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 184.10 Gb Free Space | 79.05% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive G: | 95.41 Gb Total Space | 0.67 Gb Free Space | 0.70% Space Free | Partition Type: NTFS
Drive H: | 94.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 931.51 Gb Total Space | 330.38 Gb Free Space | 35.47% Space Free | Partition Type: NTFS
Drive J: | 465.76 Gb Total Space | 93.99 Gb Free Space | 20.18% Space Free | Partition Type: NTFS
Drive K: | 37.24 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive L: | 95.42 Gb Total Space | 31.11 Gb Free Space | 32.60% Space Free | Partition Type: NTFS
Drive M: | 931.51 Gb Total Space | 249.59 Gb Free Space | 26.79% Space Free | Partition Type: NTFS
Drive N: | 465.76 Gb Total Space | 50.33 Gb Free Space | 10.81% Space Free | Partition Type: NTFS
Drive O: | 1863.01 Gb Total Space | 1142.34 Gb Free Space | 61.32% Space Free | Partition Type: NTFS

Computer Name: ARSENAL
Current User Name: Rich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Rich\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\rdpclip.exe (Microsoft Corporation)
PRC - C:\Windows\System32\sppsvc.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Rich\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\rsaenh.dll (Microsoft Corporation)
MOD - C:\Windows\System32\winsta.dll (Microsoft Corporation)
MOD - C:\Windows\System32\WindowsCodecs.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\srvcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\slc.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\RpcRtRemote.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\mssprxy.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\EhStorShell.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptsp.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cscapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AMPingService) -- C:\Users\Rich\AppData\Local\Temp\AMPing.exe File not found
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe ()
SRV - (mpich2_smpd) -- C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe ()
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (NeroMediaHomeService.4) -- C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero AG)


========== Driver Services (SafeList) ==========

DRV - (cpuz132) -- C:\Users\Rich\AppData\Local\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\Users\Rich\AppData\Local\Temp\catchme.sys File not found
DRV - (ulsata2) -- C:\Windows\system32\DRIVERS\ulsata2.sys (Promise Technology, Inc.)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (Ultra) -- C:\Windows\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (dontgo) -- C:\Windows\system32\DRIVERS\DontGo.sys (Promise Technology, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 8D 44 78 6C 4F CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/02/28 22:54:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\Firefox [2010/08/16 14:50:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/08/16 14:50:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{26219C14-C623-468F-8788-A0C3A5361435}: C:\Windows\system32\config\systemprofile\AppData\Local\{26219C14-C623-468F-8788-A0C3A5361435}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{531D1D90-9A3B-49CF-96F1-E3061BEB61B7}: C:\Users\Rich\AppData\Local\{531D1D90-9A3B-49CF-96F1-E3061BEB61B7}\


O1 HOSTS File: ([2010/08/16 17:00:56 | 000,000,002 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (EXPLORER.EXE) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/24 04:25:46 | 000,000,298 | R--- | M] () - H:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/17 21:46:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/08 15:18:03 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/08 15:15:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo! Companion
[2010/09/08 09:18:45 | 000,000,000 | ---D | C] -- C:\Program Files\riv87
[2010/09/07 00:04:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/05 23:31:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/09/05 23:31:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/09/05 23:31:25 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/09/05 23:31:18 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/09/05 23:31:16 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/09/05 23:30:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/05 23:30:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/09/05 23:30:35 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/09/05 23:22:17 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Rich\Desktop\OTL.exe
[2010/09/05 02:08:06 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\Nero
[2010/09/05 02:08:00 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Local\Nero
[2010/09/05 02:00:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2010/09/05 01:59:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2010/09/05 01:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/08/25 08:41:14 | 000,000,000 | ---D | C] -- C:\Program Files\sys2
[2010/08/23 13:17:04 | 000,000,000 | ---D | C] -- C:\Program Files\ssns
[2010/08/22 21:47:44 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/08/21 11:39:03 | 000,000,000 | ---D | C] -- C:\Program Files\syst

========== Files - Modified Within 30 Days ==========

[2010/09/17 21:47:28 | 002,621,440 | -HS- | M] () -- C:\Users\Rich\NTUSER.DAT
[2010/09/17 21:45:47 | 000,020,144 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/17 21:45:47 | 000,020,144 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/17 21:29:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4177623686-3169190636-2548671302-1001UA.job
[2010/09/17 16:29:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4177623686-3169190636-2548671302-1001Core.job
[2010/09/15 23:17:38 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/15 23:17:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/15 23:17:31 | 1508,016,128 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/15 23:17:28 | 206,207,874 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/09/15 22:43:42 | 001,670,762 | -H-- | M] () -- C:\Users\Rich\AppData\Local\IconCache.db
[2010/09/15 22:37:46 | 000,293,376 | ---- | M] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/09/15 14:29:34 | 000,002,403 | ---- | M] () -- C:\Users\Rich\Desktop\Google Chrome.lnk
[2010/09/08 15:17:19 | 000,000,966 | ---- | M] () -- C:\Users\Rich\Documents\cc_20100908_151714.reg
[2010/09/08 15:15:50 | 000,001,012 | ---- | M] () -- C:\Users\Rich\Desktop\CCleaner.lnk
[2010/09/08 13:38:30 | 000,000,000 | ---- | M] () -- C:\Users\Rich\defogger_reenable
[2010/09/08 13:15:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Rich\Desktop\OTL.exe
[2010/09/07 16:22:50 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/07 16:22:50 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/07 16:22:50 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/05 23:29:02 | 003,837,097 | R--- | M] () -- C:\Users\Rich\Desktop\ComboFix.exe
[2010/09/05 02:14:57 | 000,004,608 | ---- | M] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/03 11:19:08 | 000,108,544 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata2.sys
[2010/08/25 13:38:57 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/08/25 13:13:31 | 000,000,172 | ---- | M] () -- C:\Windows\System32\MRT.INI

========== Files Created - No Company Name ==========

[2010/09/15 23:00:17 | 206,207,874 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/09/15 22:37:44 | 000,293,376 | ---- | C] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/09/08 15:17:16 | 000,000,966 | ---- | C] () -- C:\Users\Rich\Documents\cc_20100908_151714.reg
[2010/09/08 13:38:30 | 000,000,000 | ---- | C] () -- C:\Users\Rich\defogger_reenable
[2010/09/07 08:37:10 | 000,001,024 | -H-- | C] () -- C:\Users\Rich\ntuser.dat.LOG
[2010/09/05 23:31:25 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/09/05 23:31:25 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/09/05 23:31:25 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/09/05 23:31:25 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/09/05 23:31:25 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/09/05 23:29:00 | 003,837,097 | R--- | C] () -- C:\Users\Rich\Desktop\ComboFix.exe
[2010/09/05 02:13:58 | 000,004,608 | ---- | C] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/25 13:13:31 | 000,000,172 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/03/25 16:57:07 | 000,000,244 | ---- | C] () -- C:\Windows\maketorrent.ini
[2009/11/03 10:11:40 | 001,380,352 | ---- | C] () -- C:\Windows\System32\mpich2shmp.dll
[2009/11/03 10:11:40 | 001,196,032 | ---- | C] () -- C:\Windows\System32\mpich2.dll
[2009/11/03 10:11:40 | 001,175,552 | ---- | C] () -- C:\Windows\System32\mpich2shm.dll
[2009/11/03 10:11:40 | 000,102,400 | ---- | C] () -- C:\Windows\System32\mpich2mpi.dll
[2009/09/21 11:01:28 | 000,000,052 | ---- | C] () -- C:\Windows\MediaGUI.INI
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

========== LOP Check ==========

[2010/05/09 00:22:27 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\AKM Antivirus 2010 Pro
[2010/06/24 22:34:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\D-Link Media Server
[2010/09/08 15:52:41 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Folding@home-gpu
[2010/02/28 22:55:46 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\ImgBurn
[2010/02/28 22:55:46 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\InstallPad
[2010/02/28 22:55:48 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\MediaServerDump
[2010/09/14 13:38:10 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\TeraCopy
[2010/09/17 21:45:04 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\uTorrent
[2010/08/21 17:47:33 | 000,020,382 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

I would greatly appreciate it if you could explain a little bit of what you are looking for and why as we go so I can learn as well. This is the first infection of any sort that I was unable to clean.

And thank you for your help!


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:44 PM

Posted 17 September 2010 - 09:08 PM

Sure, I would normally provide some info. Desktopplayer.exe is not the problem as such so we have to see what's the controller here.

Gmer looks for rootkits, of which there are none.

OTL shows me a couple of trash files

QUOTE
Mlafeqovaruyuq.dat
Udunab.bin


Not in themselves a problem but a great indicator of trojan activity. The trojan is found further down in the folders section, lowsec. Lowsec is a trojan which Combofix blows away but a Windows 7 version of Combofix isn't available so we need to remove this and the other trojan folders manually.

That takes us to the new OTL log... this looks much better so let's test the removal with a new MBAM run. The first run did find some evidence of the trojan.agent which is nasty and hides its files well. Having removed the main problem we now do the clean up.

Instructions below to make sure we get the right detail.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.




m0le is a proud member of UNITE
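As an added example (not code from this thread, from m0le, or from OTL itself), the triage reasoning in the post above, turned into a small Python script: it parses the two OTL entry shapes quoted in the logs (SRV/DRV autostart lines and the `[timestamp | size | attrs | C/M]` file lines) and flags candidates for review. The allowlist of cleanup-tool drops (ComboFix, OTL) is an assumption an analyst would maintain; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for OTL log entries.

Added example, not the thread's own code or part of OTL. It parses the two
entry shapes used in the logs above and turns the helper's reasoning into
rules that flag candidates for review, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# SRV - (Name) <optional description> -- <path> (<Company>) | File not found
SRV_RE = re.compile(r'^(?P<kind>SRV|DRV) - \((?P<name>[^)]*)\).*? -- (?P<tail>.+)$')
TAIL_RE = re.compile(
    r'^(?P<path>.+?)(?: \((?P<company>[^()]*)\)| (?P<missing>File not found))$')
# [2010/09/08 09:18:45 | 000,000,000 | ---D | C] (Company) -- <path>
FILE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| '
    r'(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\](?: \((?P<company>[^()]*)\))? -- (?P<path>.+)$')

TEMP_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')
SYSTEM_ROOTS = ('c:\\program files\\', 'c:\\windows\\')
# Drops of the cleanup tools run in this thread (ComboFix, OTL): the log shows
# them created in the same second as the ComboFix folders. Analyst-maintained
# assumption for this example; extend it as tools change. Lower-case prefixes.
ALLOWLIST = (
    'c:\\_otl', 'c:\\combofix', 'c:\\qoobox', 'c:\\windows\\erdnt',
    'c:\\windows\\pev.exe', 'c:\\windows\\sed.exe', 'c:\\windows\\grep.exe',
    'c:\\windows\\mbr.exe', 'c:\\windows\\zip.exe',
    'c:\\windows\\pss', 'c:\\windows\\minidump',  # msconfig backup, crash dumps
)


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL line, or None if nothing stands out."""
    line = line.strip()
    m = SRV_RE.match(line)
    if m:
        tail = TAIL_RE.match(m['tail'])
        if not tail:
            return None
        path = tail['path']
        # An autostart entry whose image is gone is an orphan: either a
        # leftover of a removed tool or a component something else deleted.
        if tail['missing']:
            return Finding('autostart image missing', path)
        # Services and drivers rarely belong in a per-user Temp directory.
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            return Finding('autostart image in Temp', path)
        return None
    m = FILE_RE.match(line)
    if not m or m['op'] != 'C':        # only newly created items
        return None
    path = m['path']
    low = path.lower()
    if low.startswith(ALLOWLIST):
        return None
    # A new item with no publisher string in a location where vendors normally
    # name their files is worth a look; it is not proof of infection.
    if not m['company'] and low.startswith(SYSTEM_ROOTS):
        return Finding('no publisher in system location', path)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in map(triage_line, lines) if f is not None]


# Lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
SRV - (AMPingService) -- C:\Users\Rich\AppData\Local\Temp\AMPing.exe File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
DRV - (cpuz132) -- C:\Users\Rich\AppData\Local\Temp\cpuz132\cpuz132_x32.sys File not found
[2010/09/17 21:46:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/08 09:18:45 | 000,000,000 | ---D | C] -- C:\Program Files\riv87
[2010/09/05 23:31:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/09/05 23:31:25 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/09/15 22:37:44 | 000,293,376 | ---- | C] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/08/25 08:41:14 | 000,000,000 | ---D | C] -- C:\Program Files\sys2
[2010/08/23 13:17:04 | 000,000,000 | ---D | C] -- C:\Program Files\ssns
[2010/08/21 11:39:03 | 000,000,000 | ---D | C] -- C:\Program Files\syst
[2010/05/09 00:22:27 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\AKM Antivirus 2010 Pro
""".strip().splitlines()

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(f'{finding.rule:35} {finding.path}')
```

On the sample above it reports the two orphaned Temp autostarts and the four unnamed Program Files folders, and stays quiet on the signed MBAM service, the ComboFix and OTL drops, and the desktop executable; whether a flagged item is actually malicious is still the analyst's call.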

#11 DickNervous

DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 17 September 2010 - 09:40 PM

Thanks for the extra info.

MBAM was already installed so I updated it and it is running. As you know from the OTL logs, there is a ton of stuff on that machine (it is my server after all) so it will probably take some time for MBAM to scan it all.

Didn't take as long as I thought it would...


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4643

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/17/2010 11:57:21 PM
mbam-log-2010-09-17 (23-57-21).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|I:\|J:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 479188
Time elapsed: 1 hour(s), 21 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\3092cfc6-7d13731e (Rootkit.Agent.Gen) -> Quarantined and deleted successfully.
C:\Windows Activation 2010 AIO\RemoveWAT 2.25.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\cleansweep.exe\config.bin (Trojan.Agent) -> Quarantined and deleted successfully.


After reboot I ran the OTL Scan again.. here is the log.


OTL logfile created on: 9/18/2010 12:41:44 AM - Run 4
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Rich\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 242.85 Gb Free Space | 81.47% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 184.10 Gb Free Space | 79.05% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive G: | 95.41 Gb Total Space | 0.67 Gb Free Space | 0.70% Space Free | Partition Type: NTFS
Drive H: | 94.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 931.51 Gb Total Space | 330.38 Gb Free Space | 35.47% Space Free | Partition Type: NTFS
Drive J: | 465.76 Gb Total Space | 93.99 Gb Free Space | 20.18% Space Free | Partition Type: NTFS
Drive K: | 37.24 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive L: | 95.42 Gb Total Space | 31.11 Gb Free Space | 32.60% Space Free | Partition Type: NTFS
Drive M: | 931.51 Gb Total Space | 249.59 Gb Free Space | 26.79% Space Free | Partition Type: NTFS
Drive N: | 465.76 Gb Total Space | 50.33 Gb Free Space | 10.81% Space Free | Partition Type: NTFS
Drive O: | 1863.01 Gb Total Space | 1142.34 Gb Free Space | 61.32% Space Free | Partition Type: NTFS

Computer Name: ARSENAL
Current User Name: Rich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Rich\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\rdpclip.exe (Microsoft Corporation)
PRC - C:\Windows\System32\sppsvc.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Rich\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\winsta.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AMPingService) -- C:\Users\Rich\AppData\Local\Temp\AMPing.exe File not found
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe ()
SRV - (mpich2_smpd) -- C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe ()
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (wlidsvc) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (NeroMediaHomeService.4) -- C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero AG)


========== Driver Services (SafeList) ==========

DRV - (cpuz132) -- C:\Users\Rich\AppData\Local\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\Users\Rich\AppData\Local\Temp\catchme.sys File not found
DRV - (ulsata2) -- C:\Windows\system32\DRIVERS\ulsata2.sys (Promise Technology, Inc.)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (Ultra) -- C:\Windows\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (dontgo) -- C:\Windows\system32\DRIVERS\DontGo.sys (Promise Technology, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 8D 44 78 6C 4F CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/02/28 22:54:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\Firefox [2010/08/16 14:50:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/08/16 14:50:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{26219C14-C623-468F-8788-A0C3A5361435}: C:\Windows\system32\config\systemprofile\AppData\Local\{26219C14-C623-468F-8788-A0C3A5361435}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{531D1D90-9A3B-49CF-96F1-E3061BEB61B7}: C:\Users\Rich\AppData\Local\{531D1D90-9A3B-49CF-96F1-E3061BEB61B7}\


O1 HOSTS File: ([2010/08/16 17:00:56 | 000,000,002 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (EXPLORER.EXE) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/24 04:25:46 | 000,000,298 | R--- | M] () - H:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/17 21:46:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/08 15:18:03 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/08 15:15:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo! Companion
[2010/09/08 09:18:45 | 000,000,000 | ---D | C] -- C:\Program Files\riv87
[2010/09/07 00:04:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/05 23:31:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/09/05 23:31:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/09/05 23:31:25 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/09/05 23:31:18 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/09/05 23:31:16 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/09/05 23:30:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/05 23:30:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/09/05 23:30:35 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/09/05 23:22:17 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Rich\Desktop\OTL.exe
[2010/09/05 02:08:06 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\Nero
[2010/09/05 02:08:00 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Local\Nero
[2010/09/05 02:00:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2010/09/05 01:59:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2010/09/05 01:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/08/25 08:41:14 | 000,000,000 | ---D | C] -- C:\Program Files\sys2
[2010/08/23 13:17:04 | 000,000,000 | ---D | C] -- C:\Program Files\ssns
[2010/08/22 21:47:44 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/08/21 11:39:03 | 000,000,000 | ---D | C] -- C:\Program Files\syst

========== Files - Modified Within 30 Days ==========

[2010/09/18 00:42:11 | 002,621,440 | -HS- | M] () -- C:\Users\Rich\NTUSER.DAT
[2010/09/18 00:29:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4177623686-3169190636-2548671302-1001UA.job
[2010/09/18 00:00:21 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/18 00:00:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/18 00:00:17 | 1508,016,128 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/17 23:59:03 | 001,671,858 | -H-- | M] () -- C:\Users\Rich\AppData\Local\IconCache.db
[2010/09/17 23:45:47 | 000,020,144 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/17 23:45:47 | 000,020,144 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/17 16:29:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4177623686-3169190636-2548671302-1001Core.job
[2010/09/15 23:17:28 | 206,207,874 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/09/15 22:37:46 | 000,293,376 | ---- | M] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/09/15 14:29:34 | 000,002,403 | ---- | M] () -- C:\Users\Rich\Desktop\Google Chrome.lnk
[2010/09/08 15:17:19 | 000,000,966 | ---- | M] () -- C:\Users\Rich\Documents\cc_20100908_151714.reg
[2010/09/08 15:15:50 | 000,001,012 | ---- | M] () -- C:\Users\Rich\Desktop\CCleaner.lnk
[2010/09/08 13:38:30 | 000,000,000 | ---- | M] () -- C:\Users\Rich\defogger_reenable
[2010/09/08 13:15:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Rich\Desktop\OTL.exe
[2010/09/07 16:22:50 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/07 16:22:50 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/07 16:22:50 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/05 23:29:02 | 003,837,097 | R--- | M] () -- C:\Users\Rich\Desktop\ComboFix.exe
[2010/09/05 02:14:57 | 000,004,608 | ---- | M] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/03 11:19:08 | 000,108,544 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata2.sys
[2010/08/25 13:38:57 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/08/25 13:13:31 | 000,000,172 | ---- | M] () -- C:\Windows\System32\MRT.INI

========== Files Created - No Company Name ==========

[2010/09/15 23:00:17 | 206,207,874 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/09/15 22:37:44 | 000,293,376 | ---- | C] () -- C:\Users\Rich\Desktop\g3dzd78s.exe
[2010/09/08 15:17:16 | 000,000,966 | ---- | C] () -- C:\Users\Rich\Documents\cc_20100908_151714.reg
[2010/09/08 13:38:30 | 000,000,000 | ---- | C] () -- C:\Users\Rich\defogger_reenable
[2010/09/07 08:37:10 | 000,001,024 | -H-- | C] () -- C:\Users\Rich\ntuser.dat.LOG
[2010/09/05 23:31:25 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/09/05 23:31:25 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/09/05 23:31:25 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/09/05 23:31:25 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/09/05 23:31:25 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/09/05 23:29:00 | 003,837,097 | R--- | C] () -- C:\Users\Rich\Desktop\ComboFix.exe
[2010/09/05 02:13:58 | 000,004,608 | ---- | C] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/25 13:13:31 | 000,000,172 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/03/25 16:57:07 | 000,000,244 | ---- | C] () -- C:\Windows\maketorrent.ini
[2009/11/03 10:11:40 | 001,380,352 | ---- | C] () -- C:\Windows\System32\mpich2shmp.dll
[2009/11/03 10:11:40 | 001,196,032 | ---- | C] () -- C:\Windows\System32\mpich2.dll
[2009/11/03 10:11:40 | 001,175,552 | ---- | C] () -- C:\Windows\System32\mpich2shm.dll
[2009/11/03 10:11:40 | 000,102,400 | ---- | C] () -- C:\Windows\System32\mpich2mpi.dll
[2009/09/21 11:01:28 | 000,000,052 | ---- | C] () -- C:\Windows\MediaGUI.INI
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

========== LOP Check ==========

[2010/05/09 00:22:27 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\AKM Antivirus 2010 Pro
[2010/06/24 22:34:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\D-Link Media Server
[2010/09/08 15:52:41 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Folding@home-gpu
[2010/02/28 22:55:46 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\ImgBurn
[2010/02/28 22:55:46 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\InstallPad
[2010/02/28 22:55:48 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\MediaServerDump
[2010/09/14 13:38:10 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\TeraCopy
[2010/09/17 21:45:04 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\uTorrent
[2010/08/21 17:47:33 | 000,020,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

I also ran another MBAM full scan, and it came out clean.

Edited by DickNervous, 18 September 2010 - 06:42 AM.


#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 September 2010 - 05:36 PM

Please run ESET
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Now run a DDS log and post that too.
m0le is a proud member of UNITE

#13 DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Levittown, NY

Posted 18 September 2010 - 10:30 PM

Damn... ESET found more stuff... Here it is:


C:\0.Laptop Backups\backup 20090331\My Documents\Norton 360.iso probably a variant of Win32/Spy.Agent.GHLRJE trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\55208680-39eb0eae Java/TrojanDownloader.Agent.NBJ trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6ce61b00-56399080 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\77e04b00-54c03609 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\15e2fd8b-5e487e59 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\131d74cc-25a78e28 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\315bd94d-10b52fab multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\235428ce-115e78c5 a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\519aa24f-4d1a6005 a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\78b96a0f-4b99762d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\7aeb698f-1927ea1a multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\8df5f4f-6528e033 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\c84ea10-4a103931 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\2d5382d1-2c93dfb7 probably a variant of Win32/Agent.LHGXRNN trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\45ceaf12-1d8cd3af OSX/Exploit.Smid.B trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\6b71a192-52b2003a multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\b137d12-67553f32 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\3c3a7413-2a9f8307 a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\28c08482-189b1415 OSX/Exploit.Smid.B trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\2ccbb382-6d1d25cf multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\71a84e95-3a08e4af OSX/Exploit.Smid.B trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\2a8a5d56-6d2a36ff multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\31ba8d7-2fc59df8 probably a variant of Win32/Agent.LHGXRNN trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\16465f18-4079c93e a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\55716358-5d14b376 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\67603bd8-5433d364 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\441bf59-1ae5fd1d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\5c835199-6014c802 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\611715da-73e46d1d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\6413efda-330a1bb0 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\2a80cb9d-1bc9e91d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\37249183-3caa180d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\47abd383-1439e226 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\4fd90e9e-20581131 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\2969eda0-2c66a130 a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\71f292a1-3f00805c a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\73736d21-3e8610df multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\15115563-5b9f44ae a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\5622da25-74d7fa62 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\7a082265-1e56dff5 probably a variant of Win32/Agent.LHGXRNN trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\77fbf727-5c0ec230 a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\11bd72c4-5da44a83 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\5a0850a9-4bfe879c a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\5b140feb-1e81bcf3 Java/TrojanDownloader.Agent.AF trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4c4f29af-373e6cc6 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4c4f29af-51cf5166 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4c4f29af-7779065d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\64561daf-701e9930 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\684cd2ef-5bb10f08 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\3b356d70-7f2afcce a variant of Java/Exploit.Agent.W trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\43440f85-1af3518f a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\73fc27f5-3105ddec multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\13860b6-5e2d2b87 probably a variant of Win32/Agent.YUPEXU trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\1fda1f6-7019c28a multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\262cfe77-20f12c95 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\45a35b8-38116808 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\697f4eb8-27571058 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\299564fa-1abeba64 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\5837bdbc-5f114845 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\562f53fe-44357eaf probably a variant of Win32/Agent.LHGXRNN trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\1e87fd7f-366c444d multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\14c25947-70bb61f5 multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\f505007-3c307e0b multiple threats deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\4e447048-233c0073 probably a variant of Win32/Agent.NXHSWPF trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\568765c8-65e33532 a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\2c537489-24b32e82 probably a variant of Win32/Agent.YUPEXU trojan deleted - quarantined
C:\Users\Rich\Downloads\Driver_Detective_6_4_1_crack.zip a variant of Win32/Nebuler.AU trojan deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\60c7b913-3bfb5eaf multiple threats deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\7fd2fe96-1a5424c2 multiple threats deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-26e1fbc9 Java/Mugademel.A trojan deleted - quarantined
E:\0.Laptop Backups\backup 20080921\Norton 360.iso probably a variant of Win32/Spy.Agent.GHLRJE trojan deleted - quarantined
O:\.torrent files\Driver_Detective_6_4_1_crack.zip a variant of Win32/Nebuler.AU trojan deleted - quarantined
O:\downloads\X-Files Edition v1.5.5\Windows_Home_Server_DVD.iso Win32/Adware.ADON application deleted - quarantined


And here is the DDS Log


DDS (Ver_10-03-17.01) - NTFSx86
Run by Rich at 23:25:43.43 on Sat 09/18/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1918.1152 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\LogonUI.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Rich\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rich\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rich\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {CB6FD85F-9872-46BE-98AE-B9C90DB3D938} = 68.237.161.12,71.243.0.12

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2004-6-29 7680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-8 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-8 20952]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S4 AMPingService;AMPingService;c:\users\rich\appdata\local\temp\amping.exe --> c:\users\rich\appdata\local\temp\AMPing.exe [?]
S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
S4 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\folding@home windows smp client v1.01\smpd.exe [2009-11-3 1135616]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
S4 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-13 1343400]

=============== Created Last 30 ================

2010-09-18 01:46:18 0 d-----w- C:\_OTL
2010-09-16 03:00:17 206207874 ----a-w- c:\windows\MEMORY.DMP
2010-09-08 19:18:03 0 d-----w- c:\program files\ESET
2010-09-08 19:15:52 0 d-----w- c:\programdata\Yahoo! Companion
2010-09-08 17:38:30 0 ----a-w- c:\users\rich\defogger_reenable
2010-09-08 13:18:45 0 d-----w- c:\program files\riv87
2010-09-07 04:04:28 0 d-----w- c:\windows\pss
2010-09-06 03:31:25 98816 ----a-w- c:\windows\sed.exe
2010-09-06 03:31:25 77312 ----a-w- c:\windows\MBR.exe
2010-09-06 03:31:25 256512 ----a-w- c:\windows\PEV.exe
2010-09-06 03:31:25 161792 ----a-w- c:\windows\SWREG.exe
2010-09-06 03:31:16 0 d-s---w- C:\ComboFix
2010-09-05 06:00:19 0 d-----w- c:\program files\Nero
2010-09-05 05:59:10 0 d-----w- c:\programdata\Nero
2010-08-25 17:13:31 172 ----a-w- c:\windows\system32\MRT.INI
2010-08-25 12:41:14 0 d-----w- c:\program files\sys2
2010-08-24 18:02:22 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-23 17:17:04 0 d-----w- c:\program files\ssns
2010-08-21 15:39:03 0 d-----w- c:\program files\syst

==================== Find3M ====================

2010-09-03 15:19:08 108544 ----a-w- c:\windows\system32\drivers\ulsata2.sys
2010-08-25 17:38:31 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-24 14:07:54 16384 ----a-w- c:\windows\system32\drivers\ws2ifsl.sys
2010-08-17 04:31:35 201030 ----a-w- C:\lspfix.zip
2010-08-17 04:25:49 51776 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-08-17 04:15:01 1133429 ----a-w- C:\tdsskiller.zip
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:26:11.28 ===============




#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:44 PM

Posted 19 September 2010 - 06:24 AM

Actually that's exactly why I run ESET here. It removes the Java cache items (these are copies of the infection which are stored accidentally).

It is also excellent at removing the infected files. MBAM and other tools don't go after the infected files, just the original malware. These items are the files which got into the system in the first place. Note the word Torrent here.

Please rerun MBAM on the Quick Scan option and post the log. We should be clean and then we can wind this up.
m0le is a proud member of UNITE

#15 DickNervous

DickNervous
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Levittown, NY
  • Local time:08:44 AM

Posted 19 September 2010 - 06:58 AM

Oh, I know exactly where the infection came from. No need to drop subtle (or not so subtle) hints.

So the key to this infection was finding and eliminating "lowsec"? Once that was cleaned up with OTL, then MBAM and ESET could do their jobs of cleaning everything else. Right?

And here is the, as you predicted, clean MBAM log.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4650

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/19/2010 7:48:22 AM
mbam-log-2010-09-19 (07-48-22).txt

Scan type: Quick scan
Objects scanned: 144397
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you for all your help.