
Removing Antivirus Scan, Now BSOD


This topic is locked
20 replies to this topic

#1 matthewdf

  • Members
  • 59 posts
  • OFFLINE
  • Local time:02:10 AM

Posted 10 January 2011 - 11:47 PM

Someone asked me to look at their computer because they felt that it may be infected. I looked at it, and indeed it was infected with Antivirus Scan. I ran Malwarebytes on it, and it found multiple instances, and upon completion of the removal process, it needed to reboot the computer. Now it gets a BSOD every time it boots back up, regardless of whether I start it normally, safe mode, safe mode with networking, safe mode with command prompt, last known good config, or anything else. The BSOD is STOP: c000021a {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down.

Please help with this.

Matt



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:10 AM

Posted 11 January 2011 - 02:52 AM

What version of Windows is this and do you have the Windows CD/DVD at hand?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 matthewdf
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:02:10 AM

Posted 11 January 2011 - 01:00 PM

This is Windows XP Media Center. I have an XP Pro and XP Home disc available. I can possibly get an XP Media center disc if needed.

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:10 AM

Posted 11 January 2011 - 01:13 PM

Best is to use your XP Pro disc. It doesn't matter that you have Media Center.

In the meantime, I'll move this topic to a more appropriate forum.

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output:
    • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
    • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder in which it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


    • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with SP2 then highlight RpcSS needs to launch DComLaunch and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click Close, then Exit
4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push the Run Scan button
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and paste them in your next reply.

regards, Elise




#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:10 AM

Posted 21 January 2011 - 06:25 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

regards, Elise




#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:10 AM

Posted 22 January 2011 - 02:20 AM

This topic has been re-opened at the request of the person who originally posted.

regards, Elise




#7 matthewdf
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:02:10 AM

Posted 22 January 2011 - 09:51 AM

Here are the logs from the scan.

OTL logfile created on: 1/21/2011 6:10:07 PM - Run
OTLPE by OldTimer - Version 3.1.44.0 Folder = D:\OTLPE\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 750.00 Mb Available Physical Memory | 84.00% Memory free
821.00 Mb Paging File | 791.00 Mb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.16 Gb Total Space | 26.03 Gb Free Space | 50.87% Space Free | Partition Type: NTFS
Drive D: | 7.46 Gb Total Space | 1.81 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
Drive X: | 151.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MININT-JVC | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2008/05/19 21:17:14 | 001,475,936 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe -- (PcCtlCom)
SRV - [2007/08/27 15:36:34 | 000,111,912 | ---- | M] (SingleClick Systems) [Auto] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)
SRV - [2006/08/23 22:13:28 | 000,380,928 | ---- | M] (Dell Inc.) [Auto] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2006/05/18 20:36:10 | 000,495,616 | ---- | M] ( ) [On_Demand] -- C:\WINDOWS\System32\dlcxcoms.exe -- (dlcx_device)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (PCASp50)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2008/04/13 18:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 18:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 16:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/06/16 04:15:04 | 000,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2007/02/27 19:31:28 | 000,021,504 | ---- | M] (Motorola) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/02/09 00:28:42 | 000,101,280 | ---- | M] (Kyocera Wireless Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\kwusbnt.sys -- (kwkpcusb)
DRV - [2006/12/18 23:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\packet.sys -- (Packet)
DRV - [2006/12/17 15:06:17 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/09/23 08:56:40 | 001,681,920 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/09/22 17:47:52 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/09/22 17:06:26 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/08/17 19:55:16 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/07/02 04:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/01/10 17:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/12/01 13:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 13:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 13:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/11/03 01:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/08/12 23:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/15 05:58:14 | 000,028,544 | ---- | M] (REDC) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2004/08/04 04:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/09 14:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2)
DRV - [2001/08/17 20:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 20:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 20:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 20:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 20:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 19:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 19:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 19:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 19:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 19:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 19:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 19:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 19:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 19:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 19:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Ashlee_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\Ashlee_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Ashlee_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.msn.com/
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074

IE - HKU\Justin_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\Justin_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
IE - HKU\Justin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061217
IE - HKU\Justin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0






O1 HOSTS File: ([2007/01/21 02:14:51 | 000,000,761 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 80.175.31.124 www.winmx.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\Ashlee_ON_C\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\Justin_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [Easy Dock] C:\Documents and Settings\Ashlee\My Documents\RCA easyRip\EZDock.exe (Audiovox Electronics Corp.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\Administrator_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\Administrator_ON_C..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\Administrator_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\Ashlee_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\Ashlee_ON_C..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\Ashlee_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\Justin_ON_C..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\Justin_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\Justin_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk = C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\Ashlee\Start Menu\Programs\Startup\RCA Detective.lnk = File not found
O4 - Startup: C:\Documents and Settings\Justin\Start Menu\Programs\Startup\Dora Fairytale Adventures Registration.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Ashlee_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Justin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.33.128.10 209.143.0.10
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 10:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/11/02 20:04:58 | 000,000,046 | R--- | M] () - X:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/11 03:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ashlee\Application Data\Malwarebytes
[2011/01/11 03:43:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/11 03:43:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/11 03:43:11 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/01/11 03:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ashlee\Desktop\32bit
[2011/01/11 03:35:58 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ashlee\Desktop\mbam-setup-1.50.1.1100.exe
[2010/12/23 03:54:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ashlee\My Documents\fwmec345kvtakeoff
[2007/06/16 04:02:30 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmmdm.sys
[2007/06/16 04:02:30 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmserd.sys
[2007/06/16 04:02:30 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmbus.sys
[2007/06/16 04:02:30 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmmdfl.sys
[2007/06/16 04:02:30 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmcmnt.sys
[2007/06/16 04:02:30 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmwhnt.sys
[2007/06/16 04:02:30 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Ashlee\mqdmcr.sys
[2007/06/16 04:02:29 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Ashlee\usbsermptxp.sys
[2007/06/16 04:02:29 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Ashlee\usbsermpt.sys
[2006/05/18 20:54:20 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxpmui.dll
[2006/05/18 20:53:04 | 001,187,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxserv.dll
[2006/05/18 20:47:36 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxcomm.dll
[2006/05/18 20:39:18 | 000,393,216 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxiesc.dll
[2006/05/18 20:37:06 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxinpa.dll
[2006/05/18 20:36:20 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxpplc.dll
[2006/05/18 20:35:28 | 000,610,304 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxcomc.dll
[2006/05/18 20:34:44 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxprox.dll
[2006/05/18 20:32:06 | 000,983,040 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxusb1.dll
[2006/05/18 20:28:16 | 000,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxlmpm.dll
[2006/05/18 20:27:22 | 000,688,128 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxhbn3.dll
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/13 23:33:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/13 23:33:35 | 937,537,536 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/11 03:40:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/11 03:34:54 | 002,281,369 | ---- | M] () -- C:\Documents and Settings\Ashlee\Desktop\32bit.exe
[2011/01/11 03:20:08 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ashlee\Desktop\mbam-setup-1.50.1.1100.exe
[2010/12/31 20:41:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\aGAhEhsUk
[2010/12/31 20:41:28 | 000,000,047 | ---- | M] () -- C:\WINDOWS\wMhwL
[2010/12/31 20:41:28 | 000,000,047 | ---- | M] () -- C:\WINDOWS\rAN7VLcsJi
[2010/12/31 20:41:28 | 000,000,047 | ---- | M] () -- C:\WINDOWS\kTetkiUNn5
[2010/12/31 20:41:28 | 000,000,046 | ---- | M] () -- C:\WINDOWS\qqtX4
[2010/12/31 20:41:28 | 000,000,046 | ---- | M] () -- C:\WINDOWS\phEx45E
[2010/12/31 20:41:28 | 000,000,046 | ---- | M] () -- C:\WINDOWS\mAn1T2tUw
[2010/12/31 20:41:28 | 000,000,046 | ---- | M] () -- C:\WINDOWS\AE5mB2cG7
[2010/12/31 20:41:28 | 000,000,046 | ---- | M] () -- C:\WINDOWS\A5RpSGbTV4
[2010/12/31 20:41:28 | 000,000,046 | ---- | M] () -- C:\WINDOWS\6OMU44uWOW
[2010/12/31 20:41:28 | 000,000,045 | ---- | M] () -- C:\WINDOWS\wFyfJt
[2010/12/31 20:41:28 | 000,000,045 | ---- | M] () -- C:\WINDOWS\Tclwf
[2010/12/31 20:41:28 | 000,000,045 | ---- | M] () -- C:\WINDOWS\kkU1VPSLP
[2010/12/31 20:41:28 | 000,000,045 | ---- | M] () -- C:\WINDOWS\AqcTjYS4
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\Y6NxdTNG
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\N5hbL6aH
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\eXywNfD
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\dUxpqMMDA
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\cNY4SQa1ek
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\BliukY4HP
[2010/12/31 20:41:28 | 000,000,044 | ---- | M] () -- C:\WINDOWS\4i2CHc316
[2010/12/31 20:41:28 | 000,000,043 | ---- | M] () -- C:\WINDOWS\w3Sya
[2010/12/31 20:41:28 | 000,000,043 | ---- | M] () -- C:\WINDOWS\RuCWc
[2010/12/31 20:41:28 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gy8PxTd2
[2010/12/31 20:41:28 | 000,000,043 | ---- | M] () -- C:\WINDOWS\e2BRs7XCOc
[2010/12/31 20:41:28 | 000,000,043 | ---- | M] () -- C:\WINDOWS\8DDlY
[2010/12/31 20:41:28 | 000,000,043 | ---- | M] () -- C:\WINDOWS\3tDqVkUOoG
[2010/12/31 20:41:28 | 000,000,042 | ---- | M] () -- C:\WINDOWS\oF1CKLrj
[2010/12/31 20:41:28 | 000,000,042 | ---- | M] () -- C:\WINDOWS\KJLfO5
[2010/12/31 20:41:28 | 000,000,042 | ---- | M] () -- C:\WINDOWS\DX7CfXOvPi
[2010/12/31 20:41:28 | 000,000,042 | ---- | M] () -- C:\WINDOWS\C7XHWqda3J
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\XeBrLSBhFa
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\U5DiVlAr
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\TtMYc336j
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\SHAcB
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\OerVNcIU
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\iW1xkQGf
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\fAmoEI
[2010/12/31 20:41:28 | 000,000,041 | ---- | M] () -- C:\WINDOWS\aMk1aAKjeK
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\pXNtfL
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\kAcXHdPa
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\HfSCj
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\Ggic7
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\7BP46dfh
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\31smHNO
[2010/12/31 20:41:28 | 000,000,040 | ---- | M] () -- C:\WINDOWS\144jkRfYe5
[2010/12/31 20:41:28 | 000,000,039 | ---- | M] () -- C:\WINDOWS\xWab4
[2010/12/31 20:41:28 | 000,000,039 | ---- | M] () -- C:\WINDOWS\VYheTgWVhv
[2010/12/31 20:41:28 | 000,000,039 | ---- | M] () -- C:\WINDOWS\qqvYDwBc1
[2010/12/31 20:41:28 | 000,000,039 | ---- | M] () -- C:\WINDOWS\nlFAbIa
[2010/12/31 20:41:28 | 000,000,039 | ---- | M] () -- C:\WINDOWS\K1288ihQ
[2010/12/31 20:41:28 | 000,000,039 | ---- | M] () -- C:\WINDOWS\iMBu3o
[2010/12/31 20:41:28 | 000,000,038 | ---- | M] () -- C:\WINDOWS\u8Qfaq
[2010/12/31 20:41:28 | 000,000,038 | ---- | M] () -- C:\WINDOWS\M5UPkoM
[2010/12/31 20:41:28 | 000,000,038 | ---- | M] () -- C:\WINDOWS\JnGCQ
[2010/12/31 20:41:28 | 000,000,038 | ---- | M] () -- C:\WINDOWS\bfxio
[2010/12/31 20:41:28 | 000,000,037 | ---- | M] () -- C:\WINDOWS\y4FDpTTw
[2010/12/31 20:41:28 | 000,000,037 | ---- | M] () -- C:\WINDOWS\Xs6kVY
[2010/12/31 20:41:28 | 000,000,037 | ---- | M] () -- C:\WINDOWS\KKYECa7cX
[2010/12/31 20:41:28 | 000,000,037 | ---- | M] () -- C:\WINDOWS\EsxjCr
[2010/12/31 20:41:28 | 000,000,037 | ---- | M] () -- C:\WINDOWS\6foPCe7qNo
[2010/12/31 20:41:28 | 000,000,036 | ---- | M] () -- C:\WINDOWS\xcYbidTs
[2010/12/31 20:41:28 | 000,000,036 | ---- | M] () -- C:\WINDOWS\O7E1iaf22s
[2010/12/31 20:41:28 | 000,000,036 | ---- | M] () -- C:\WINDOWS\djc3GMAv
[2010/12/31 20:41:28 | 000,000,036 | ---- | M] () -- C:\WINDOWS\CmEm4WQT1
[2010/12/31 20:41:28 | 000,000,035 | ---- | M] () -- C:\WINDOWS\pLjsPVkfn1
[2010/12/31 20:41:28 | 000,000,035 | ---- | M] () -- C:\WINDOWS\CCLOgpM
[2010/12/31 20:41:28 | 000,000,035 | ---- | M] () -- C:\WINDOWS\8EAjHymp
[2010/12/31 20:41:28 | 000,000,035 | ---- | M] () -- C:\WINDOWS\8AM1o
[2010/12/31 20:41:28 | 000,000,034 | ---- | M] () -- C:\WINDOWS\MAGsm
[2010/12/31 20:41:28 | 000,000,034 | ---- | M] () -- C:\WINDOWS\jvCdUC
[2010/12/31 20:41:28 | 000,000,034 | ---- | M] () -- C:\WINDOWS\gNADHr
[2010/12/31 20:41:28 | 000,000,033 | ---- | M] () -- C:\WINDOWS\vxy1p3
[2010/12/31 20:41:28 | 000,000,033 | ---- | M] () -- C:\WINDOWS\JMuXAGjvk
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\Xpf2Mm2KO
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\urWpo
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\qF7MFv
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\JsIqItNQ
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\JGgYi
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\ekHFhX4c
[2010/12/31 20:41:28 | 000,000,032 | ---- | M] () -- C:\WINDOWS\BNL5qes
[2010/12/31 20:41:28 | 000,000,031 | ---- | M] () -- C:\WINDOWS\QBlXkV4
[2010/12/31 20:41:28 | 000,000,031 | ---- | M] () -- C:\WINDOWS\BKESmNn
[2010/12/31 20:41:28 | 000,000,030 | ---- | M] () -- C:\WINDOWS\QcFIC
[2010/12/31 20:41:28 | 000,000,030 | ---- | M] () -- C:\WINDOWS\oSIru3SWY
[2010/12/31 20:41:28 | 000,000,030 | ---- | M] () -- C:\WINDOWS\8PpDHAfK3i
[2010/12/31 20:41:28 | 000,000,029 | ---- | M] () -- C:\WINDOWS\v7VdnYqe
[2010/12/31 20:41:28 | 000,000,029 | ---- | M] () -- C:\WINDOWS\tYPYrCGdab
[2010/12/31 20:41:28 | 000,000,029 | ---- | M] () -- C:\WINDOWS\ObunXm6t
[2010/12/31 20:41:28 | 000,000,029 | ---- | M] () -- C:\WINDOWS\k2UcdPmmu
[2010/12/31 20:41:28 | 000,000,029 | ---- | M] () -- C:\WINDOWS\5hhALccVlp
[2010/12/31 20:41:28 | 000,000,029 | ---- | M] () -- C:\WINDOWS\1QlCEMCW
[2010/12/31 20:41:28 | 000,000,028 | ---- | M] () -- C:\WINDOWS\UouBhbn
[2010/12/31 20:41:28 | 000,000,028 | ---- | M] () -- C:\WINDOWS\bw8VjavCUR
[2010/12/31 20:41:28 | 000,000,028 | ---- | M] () -- C:\WINDOWS\BhsWaf
[2010/12/31 20:41:28 | 000,000,027 | ---- | M] () -- C:\WINDOWS\xNiEn
[2010/12/31 20:41:28 | 000,000,027 | ---- | M] () -- C:\WINDOWS\jNINWpX8E
[2010/12/31 20:41:28 | 000,000,027 | ---- | M] () -- C:\WINDOWS\fyPWpUc
[2010/12/31 20:41:28 | 000,000,026 | ---- | M] () -- C:\WINDOWS\xO8HATyLOY
[2010/12/31 20:41:28 | 000,000,026 | ---- | M] () -- C:\WINDOWS\T3kUj
[2010/12/31 20:41:28 | 000,000,026 | ---- | M] () -- C:\WINDOWS\qWab5IJ
[2010/12/31 20:41:28 | 000,000,026 | ---- | M] () -- C:\WINDOWS\1caPV
[2010/12/31 20:41:28 | 000,000,025 | ---- | M] () -- C:\WINDOWS\vARUH
[2010/12/31 20:41:28 | 000,000,025 | ---- | M] () -- C:\WINDOWS\kXEPL1AT3
[2010/12/31 20:41:28 | 000,000,025 | ---- | M] () -- C:\WINDOWS\78ErIXU
[2010/12/31 20:41:28 | 000,000,024 | ---- | M] () -- C:\WINDOWS\kc5EkqCghH
[2010/12/31 20:41:28 | 000,000,024 | ---- | M] () -- C:\WINDOWS\icybByB7U
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/11 04:40:09 | 937,537,536 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/11 03:35:48 | 002,281,369 | ---- | C] () -- C:\Documents and Settings\Ashlee\Desktop\32bit.exe
[2010/12/31 20:41:28 | 000,000,049 | ---- | C] () -- C:\WINDOWS\aGAhEhsUk
[2010/12/31 20:41:28 | 000,000,047 | ---- | C] () -- C:\WINDOWS\wMhwL
[2010/12/31 20:41:28 | 000,000,047 | ---- | C] () -- C:\WINDOWS\rAN7VLcsJi
[2010/12/31 20:41:28 | 000,000,047 | ---- | C] () -- C:\WINDOWS\kTetkiUNn5
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\qqtX4
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\phEx45E
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\mAn1T2tUw
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\AE5mB2cG7
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\A5RpSGbTV4
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\6OMU44uWOW
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\wFyfJt
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\Tclwf
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\kkU1VPSLP
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\AqcTjYS4
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\Y6NxdTNG
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\N5hbL6aH
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\eXywNfD
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\dUxpqMMDA
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\cNY4SQa1ek
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\BliukY4HP
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\4i2CHc316
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\w3Sya
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\RuCWc
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gy8PxTd2
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\e2BRs7XCOc
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\8DDlY
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\3tDqVkUOoG
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\oF1CKLrj
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\KJLfO5
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\DX7CfXOvPi
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\C7XHWqda3J
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\XeBrLSBhFa
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\U5DiVlAr
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\TtMYc336j
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\SHAcB
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\OerVNcIU
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\iW1xkQGf
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\fAmoEI
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\aMk1aAKjeK
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\pXNtfL
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\kAcXHdPa
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\HfSCj
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\Ggic7
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\7BP46dfh
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\31smHNO
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\144jkRfYe5
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\xWab4
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\VYheTgWVhv
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\qqvYDwBc1
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\nlFAbIa
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\K1288ihQ
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\iMBu3o
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\u8Qfaq
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\M5UPkoM
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\JnGCQ
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\bfxio
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\y4FDpTTw
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Xs6kVY
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\KKYECa7cX
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\EsxjCr
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\6foPCe7qNo
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\xcYbidTs
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\O7E1iaf22s
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\djc3GMAv
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\CmEm4WQT1
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\pLjsPVkfn1
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\CCLOgpM
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\8EAjHymp
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\8AM1o
[2010/12/31 20:41:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\MAGsm
[2010/12/31 20:41:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\jvCdUC
[2010/12/31 20:41:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\gNADHr
[2010/12/31 20:41:28 | 000,000,033 | ---- | C] () -- C:\WINDOWS\vxy1p3
[2010/12/31 20:41:28 | 000,000,033 | ---- | C] () -- C:\WINDOWS\JMuXAGjvk
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\Xpf2Mm2KO
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\urWpo
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\qF7MFv
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\JsIqItNQ
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\JGgYi
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\ekHFhX4c
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\BNL5qes
[2010/12/31 20:41:28 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QBlXkV4
[2010/12/31 20:41:28 | 000,000,031 | ---- | C] () -- C:\WINDOWS\BKESmNn
[2010/12/31 20:41:28 | 000,000,030 | ---- | C] () -- C:\WINDOWS\QcFIC
[2010/12/31 20:41:28 | 000,000,030 | ---- | C] () -- C:\WINDOWS\oSIru3SWY
[2010/12/31 20:41:28 | 000,000,030 | ---- | C] () -- C:\WINDOWS\8PpDHAfK3i
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\v7VdnYqe
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\tYPYrCGdab
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\ObunXm6t
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\k2UcdPmmu
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\5hhALccVlp
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\1QlCEMCW
[2010/12/31 20:41:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\UouBhbn
[2010/12/31 20:41:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\bw8VjavCUR
[2010/12/31 20:41:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\BhsWaf
[2010/12/31 20:41:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\xNiEn
[2010/12/31 20:41:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\jNINWpX8E
[2010/12/31 20:41:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\fyPWpUc
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\xO8HATyLOY
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\T3kUj
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\qWab5IJ
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\1caPV
[2010/12/31 20:41:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\vARUH
[2010/12/31 20:41:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\kXEPL1AT3
[2010/12/31 20:41:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\78ErIXU
[2010/12/31 20:41:28 | 000,000,024 | ---- | C] () -- C:\WINDOWS\kc5EkqCghH
[2010/12/31 20:41:28 | 000,000,024 | ---- | C] () -- C:\WINDOWS\icybByB7U
[2008/07/15 18:38:30 | 000,000,119 | ---- | C] () -- C:\WINDOWS\disney.ini
[2007/11/23 20:00:34 | 000,000,196 | ---- | C] () -- C:\Documents and Settings\Ashlee\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2007/08/16 00:33:24 | 000,015,770 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem36.PNF
[2007/08/16 00:33:24 | 000,009,842 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem36.inf
[2007/08/16 00:33:24 | 000,007,546 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem34.PNF
[2007/08/16 00:33:24 | 000,007,074 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem35.PNF
[2007/08/16 00:33:24 | 000,006,921 | ---- | C] () -- C:\Documents and Settings\Ashlee\1187224404-(null)
[2007/08/16 00:33:24 | 000,004,406 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem35.inf
[2007/08/16 00:33:23 | 000,015,690 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem33.PNF
[2007/08/16 00:33:23 | 000,012,762 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem31.PNF
[2007/08/16 00:33:23 | 000,012,356 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem32.PNF
[2007/08/16 00:33:23 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem33.inf
[2007/08/16 00:33:23 | 000,006,061 | ---- | C] () -- C:\Documents and Settings\Ashlee\1187224403-(null)
[2007/08/16 00:33:23 | 000,005,813 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem32.inf
[2007/08/16 00:33:22 | 000,014,230 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem29.PNF
[2007/08/16 00:33:22 | 000,012,836 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (3) of oem30.PNF
[2007/08/16 00:33:22 | 000,007,141 | ---- | C] () -- C:\Documents and Settings\Ashlee\1187224402-(null)
[2007/08/16 00:33:22 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem30.inf
[2007/06/16 16:14:27 | 000,016,010 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem36.PNF
[2007/06/16 16:14:27 | 000,015,690 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem33.PNF
[2007/06/16 16:14:27 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem36.inf
[2007/06/16 16:14:27 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Ashlee\1182010467-(null)
[2007/06/16 16:14:27 | 000,007,762 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem34.PNF
[2007/06/16 16:14:27 | 000,007,322 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem35.PNF
[2007/06/16 16:14:27 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem34.inf
[2007/06/16 16:14:27 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem35.inf
[2007/06/16 16:14:26 | 000,014,342 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem29.PNF
[2007/06/16 16:14:26 | 000,012,836 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem30.PNF
[2007/06/16 16:14:26 | 000,012,802 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem31.PNF
[2007/06/16 16:14:26 | 000,012,428 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem32.PNF
[2007/06/16 16:14:26 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Ashlee\1182010465-(null)
[2007/06/16 16:14:26 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem31.inf
[2007/06/16 16:14:26 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy (2) of oem32.inf
[2007/06/16 16:14:26 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Ashlee\1182010466-(null)
[2007/06/16 04:15:03 | 000,015,770 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem36.PNF
[2007/06/16 04:15:03 | 000,015,690 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem33.PNF
[2007/06/16 04:15:03 | 000,014,230 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem29.PNF
[2007/06/16 04:15:03 | 000,012,836 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem30.PNF
[2007/06/16 04:15:03 | 000,012,762 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem31.PNF
[2007/06/16 04:15:03 | 000,012,356 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem32.PNF
[2007/06/16 04:15:03 | 000,009,842 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem36.inf
[2007/06/16 04:15:03 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem33.inf
[2007/06/16 04:15:03 | 000,007,546 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem34.PNF
[2007/06/16 04:15:03 | 000,007,141 | ---- | C] () -- C:\Documents and Settings\Ashlee\1181967303-(null)
[2007/06/16 04:15:03 | 000,007,074 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem35.PNF
[2007/06/16 04:15:03 | 000,006,921 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem34.inf
[2007/06/16 04:15:03 | 000,006,061 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem31.inf
[2007/06/16 04:15:03 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem30.inf
[2007/06/16 04:15:03 | 000,005,813 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem32.inf
[2007/06/16 04:15:03 | 000,004,406 | ---- | C] () -- C:\Documents and Settings\Ashlee\Copy of oem35.inf
[2007/06/16 04:02:30 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Ashlee\MCCI_MDM.INF
[2007/06/16 04:02:30 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Ashlee\USB_MOT_BRIT.INF
[2007/06/16 04:02:30 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Ashlee\MCCI_BUS.INF
[2007/06/16 04:02:30 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Ashlee\MCCI_SDM.INF
[2007/06/16 04:02:29 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Ashlee\USBMOT2000.INF
[2007/06/16 04:02:29 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Ashlee\USBMOT2000XP.INF
[2007/06/16 04:02:29 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Ashlee\USB_MOT_A1000.INF
[2007/06/16 04:02:29 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Ashlee\USB_CMCS_2000.INF
[2007/06/16 04:02:04 | 000,063,286 | ---- | C] () -- C:\Documents and Settings\Ashlee\Motorola_Driver_Log.txt
[2007/01/04 01:04:40 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/01/01 19:10:25 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/01/01 19:10:25 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\2B4D430438.sys
[2006/12/29 04:28:47 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\fusioncache.dat
[2006/12/28 02:13:10 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Ashlee\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/26 22:53:24 | 000,331,776 | R--- | C] () -- C:\WINDOWS\System32\dlcxcoin.dll
[2006/12/26 21:10:01 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/12/24 15:09:27 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Ashlee\Local Settings\Application Data\fusioncache.dat
[2006/12/24 15:08:37 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Default User\Local Settings\Application Data\fusioncache.dat
[2006/12/17 15:21:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/12/17 15:07:49 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/12/17 15:03:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/17 14:24:10 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/12/17 14:24:04 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/12/17 14:23:38 | 000,000,390 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/06/29 04:22:40 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcxinsr.dll
[2006/06/29 04:22:32 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcxcur.dll
[2006/06/29 04:22:04 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\dlcxjswr.dll
[2006/06/29 04:21:00 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcxinsb.dll
[2006/06/29 04:20:54 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcxcub.dll
[2006/06/29 04:20:42 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcxcu.dll
[2006/06/29 04:20:38 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\dlcxins.dll
[2006/06/29 04:19:02 | 000,450,560 | ---- | C] () -- C:\WINDOWS\System32\dlcxutil.dll
[2006/06/29 04:18:36 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\dlcxgrd.dll
[2006/06/14 12:55:10 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\dlcxdrs.dll
[2006/05/29 08:49:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcxcfg.dll
[2006/05/18 15:12:32 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcxcaps.dll
[2006/03/20 00:03:04 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcxcnv4.dll
[2005/08/17 02:52:01 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/08/16 10:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 10:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/05 20:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/08 08:11:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcxvs.dll
[2003/01/07 21:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


OTL Extras logfile created on: 1/21/2011 6:10:10 PM - Run
OTLPE by OldTimer - Version 3.1.44.0 Folder = D:\OTLPE\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 750.00 Mb Available Physical Memory | 84.00% Memory free
821.00 Mb Paging File | 791.00 Mb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.16 Gb Total Space | 26.03 Gb Free Space | 50.87% Space Free | Partition Type: NTFS
Drive D: | 7.46 Gb Total Space | 1.81 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
Drive X: | 151.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MININT-JVC | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10421:UDP" = 10421:UDP:*:Enabled:SingleClick Discovery Protocol
"10426:UDP" = 10426:UDP:*:Enabled:SingleClick ICC

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"C:\Documents and Settings\Ashlee\My Documents\LimeWire\LimeWire.exe" = C:\Documents and Settings\Ashlee\My Documents\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer -- (LimeWire)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Ares Ultra\Ares Ultra.exe" = C:\Program Files\Ares Ultra\Ares Ultra.exe:*:Enabled:Ares Ultra
"C:\Program Files\WinMX\WinMX.exe" = C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application -- (Frontcode Technologies)
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe" = C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant -- (SingleClick Systems)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Disabled:Google Earth


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{209AE7EF-DEBA-46D1-BB51-E3942386B4E5}" = Kyocera Wireless USB Driver for Data Cards
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{AC6AE077-1566-4655-BE73-38A869C150DC}" = ATI Catalyst Control Center
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C1771DDC-BEA1-4375-B2A2-B46F43ACB476}" = Wal-Mart Digital Photo Manager
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E8C06CB3-5DB2-4689-B1DC-4A0220DEA96C}" = Consumer Complete Care Services Agreement
"{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Game Console" = Dell Game Console
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IrfanView" = IrfanView (remove only)
"LimeWire" = LimeWire 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"QuickLink Mobile" = QuickLink Mobile
"QuickTime" = QuickTime
"RCA Detective™_is1" = RCA Detective™ 2.0.0.99
"RCA easyRip_is1" = RCA easyRip 2.2.1.0
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TmPcc" = Trend Micro PC-cillin Internet Security 14
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

< End of report >

#8 matthewdf (Topic Starter, Members, 59 posts)

Posted 22 January 2011 - 09:51 AM

I haven't yet tried to turn the computer back on after booting up with the PE disc.

Edited by matthewdf, 22 January 2011 - 09:53 AM.


#9 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,823 posts, Location: Romania)

Posted 22 January 2011 - 09:54 AM

Hello again, please rerun OTLPE, and copy/paste the following text into the "custom scan/fix" field. Click the NONE button and then click the Run Scan button. Post me the resulting log.
/md5start
explorer.exe
winlogon.exe
/md5stop

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#10 matthewdf (Topic Starter, Members, 59 posts)

Posted 22 January 2011 - 10:08 AM

Here is the latest log

OTL logfile created on: 1/22/2011 9:03:25 AM - Run
OTLPE by OldTimer - Version 3.1.44.0 Folder = D:\OTLPE\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 750.00 Mb Available Physical Memory | 84.00% Memory free
821.00 Mb Paging File | 790.00 Mb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.16 Gb Total Space | 26.03 Gb Free Space | 50.87% Space Free | Partition Type: NTFS
Drive D: | 7.46 Gb Total Space | 1.80 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
Drive X: | 151.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MININT-JVC | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
Using ControlSet: ControlSet001

========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 11:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/10 11:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=F54D30E8C799B962C380EA2961C74733 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2004/08/10 11:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/10 11:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/14 00:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=5FAC810673F3BC3E9965AD9468788120 -- C:\WINDOWS\system32\winlogon.exe
[2008/04/14 00:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
< End of report >
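
A defender-side check of the MD5 listing above, added here as an example and not a tool used in the thread: it parses the OTL "< MD5 for: ... >" blocks, compares each live system file with the copy under ServicePackFiles\i386 (the service-pack install source), and also flags an Internet Explorer ProxyServer value that points at the loopback address. The sample log, the regular expressions and the helper names are my own construction, built only from the log format shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample in the OTL log format quoted on this page. The MD5 values
# and paths are copied from the logs above; the rest is just layout.
SAMPLE_LOG = r"""
< MD5 for: EXPLORER.EXE >
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=F54D30E8C799B962C380EA2961C74733 -- C:\WINDOWS\explorer.exe
< MD5 for: WINLOGON.EXE >
[2008/04/14 00:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=5FAC810673F3BC3E9965AD9468788120 -- C:\WINDOWS\system32\winlogon.exe
[2008/04/14 00:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| [^|]* \| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<setting>Proxy\w+)" = (?P<value>.+)$')

# After SP3 is applied, the live file in %SystemRoot% should be byte-identical
# to the copy in ServicePackFiles\i386. The other folders hold older backups.
REFERENCE_MARKER = "\\servicepackfiles\\i386\\"
BACKUP_MARKERS = ("\\$nt", "\\$hf_mig$\\", "\\i386\\")


@dataclass
class Entry:
    mtime: str
    size: str
    md5: str
    path: str


@dataclass
class Finding:
    kind: str    # "md5-mismatch" or "loopback-proxy"
    detail: str


def classify(path: str) -> str:
    """Label a listed copy as the reference, a backup, or the live file."""
    p = path.lower()
    if REFERENCE_MARKER in p:
        return "reference"
    if any(marker in p for marker in BACKUP_MARKERS):
        return "backup"
    return "live"


def parse_md5_sections(log: str) -> dict:
    """Group the entry lines under each '< MD5 for: NAME >' header."""
    sections, current = {}, None
    for line in log.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header["name"].lower()
            sections.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current].append(
                Entry(entry["mtime"], entry["size"], entry["md5"].upper(), entry["path"]))
    return sections


def check_log(log: str) -> list:
    findings = []
    for entries in parse_md5_sections(log).values():
        refs = [e for e in entries if classify(e.path) == "reference"]
        if not refs:
            continue            # nothing trustworthy to compare against
        ref = refs[0]
        for live in (e for e in entries if classify(e.path) == "live"):
            if live.md5 == ref.md5:
                continue
            # Identical size and timestamp with a different hash is the
            # pattern seen above: the file was patched in place.
            same_meta = live.size == ref.size and live.mtime == ref.mtime
            note = " (same size and timestamp, consistent with in-place patching)" if same_meta else ""
            findings.append(Finding("md5-mismatch", f"{live.path}: {live.md5} != reference {ref.md5}{note}"))
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if m and m["setting"] == "ProxyServer" and "127.0.0.1" in m["value"]:
            findings.append(Finding("loopback-proxy", f'{m["key"]}: {m["value"]}'))
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```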

#11 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,823 posts, Location: Romania)

Posted 22 January 2011 - 10:21 AM

Hello again, please rerun OTLPE and copy/paste the following text into the "custom scan/fix" field. Click Run Fix and when done, reboot normally and let me know what happens.

:files
C:\WINDOWS\explorer.exe|C:\WINDOWS\ServicePackFiles\i386\explorer.exe /replace
C:\WINDOWS\system32\winlogon.exe|C:\WINDOWS\ServicePackFiles\i386\winlogon.exe /replace

:otl
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Ashlee_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074
[2010/12/31 20:41:28 | 000,000,049 | ---- | C] () -- C:\WINDOWS\aGAhEhsUk
[2010/12/31 20:41:28 | 000,000,047 | ---- | C] () -- C:\WINDOWS\wMhwL
[2010/12/31 20:41:28 | 000,000,047 | ---- | C] () -- C:\WINDOWS\rAN7VLcsJi
[2010/12/31 20:41:28 | 000,000,047 | ---- | C] () -- C:\WINDOWS\kTetkiUNn5
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\qqtX4
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\phEx45E
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\mAn1T2tUw
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\AE5mB2cG7
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\A5RpSGbTV4
[2010/12/31 20:41:28 | 000,000,046 | ---- | C] () -- C:\WINDOWS\6OMU44uWOW
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\wFyfJt
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\Tclwf
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\kkU1VPSLP
[2010/12/31 20:41:28 | 000,000,045 | ---- | C] () -- C:\WINDOWS\AqcTjYS4
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\Y6NxdTNG
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\N5hbL6aH
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\eXywNfD
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\dUxpqMMDA
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\cNY4SQa1ek
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\BliukY4HP
[2010/12/31 20:41:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\4i2CHc316
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\w3Sya
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\RuCWc
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gy8PxTd2
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\e2BRs7XCOc
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\8DDlY
[2010/12/31 20:41:28 | 000,000,043 | ---- | C] () -- C:\WINDOWS\3tDqVkUOoG
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\oF1CKLrj
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\KJLfO5
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\DX7CfXOvPi
[2010/12/31 20:41:28 | 000,000,042 | ---- | C] () -- C:\WINDOWS\C7XHWqda3J
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\XeBrLSBhFa
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\U5DiVlAr
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\TtMYc336j
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\SHAcB
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\OerVNcIU
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\iW1xkQGf
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\fAmoEI
[2010/12/31 20:41:28 | 000,000,041 | ---- | C] () -- C:\WINDOWS\aMk1aAKjeK
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\pXNtfL
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\kAcXHdPa
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\HfSCj
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\Ggic7
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\7BP46dfh
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\31smHNO
[2010/12/31 20:41:28 | 000,000,040 | ---- | C] () -- C:\WINDOWS\144jkRfYe5
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\xWab4
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\VYheTgWVhv
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\qqvYDwBc1
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\nlFAbIa
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\K1288ihQ
[2010/12/31 20:41:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\iMBu3o
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\u8Qfaq
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\M5UPkoM
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\JnGCQ
[2010/12/31 20:41:28 | 000,000,038 | ---- | C] () -- C:\WINDOWS\bfxio
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\y4FDpTTw
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Xs6kVY
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\KKYECa7cX
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\EsxjCr
[2010/12/31 20:41:28 | 000,000,037 | ---- | C] () -- C:\WINDOWS\6foPCe7qNo
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\xcYbidTs
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\O7E1iaf22s
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\djc3GMAv
[2010/12/31 20:41:28 | 000,000,036 | ---- | C] () -- C:\WINDOWS\CmEm4WQT1
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\pLjsPVkfn1
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\CCLOgpM
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\8EAjHymp
[2010/12/31 20:41:28 | 000,000,035 | ---- | C] () -- C:\WINDOWS\8AM1o
[2010/12/31 20:41:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\MAGsm
[2010/12/31 20:41:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\jvCdUC
[2010/12/31 20:41:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\gNADHr
[2010/12/31 20:41:28 | 000,000,033 | ---- | C] () -- C:\WINDOWS\vxy1p3
[2010/12/31 20:41:28 | 000,000,033 | ---- | C] () -- C:\WINDOWS\JMuXAGjvk
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\Xpf2Mm2KO
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\urWpo
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\qF7MFv
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\JsIqItNQ
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\JGgYi
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\ekHFhX4c
[2010/12/31 20:41:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\BNL5qes
[2010/12/31 20:41:28 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QBlXkV4
[2010/12/31 20:41:28 | 000,000,031 | ---- | C] () -- C:\WINDOWS\BKESmNn
[2010/12/31 20:41:28 | 000,000,030 | ---- | C] () -- C:\WINDOWS\QcFIC
[2010/12/31 20:41:28 | 000,000,030 | ---- | C] () -- C:\WINDOWS\oSIru3SWY
[2010/12/31 20:41:28 | 000,000,030 | ---- | C] () -- C:\WINDOWS\8PpDHAfK3i
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\v7VdnYqe
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\tYPYrCGdab
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\ObunXm6t
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\k2UcdPmmu
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\5hhALccVlp
[2010/12/31 20:41:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\1QlCEMCW
[2010/12/31 20:41:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\UouBhbn
[2010/12/31 20:41:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\bw8VjavCUR
[2010/12/31 20:41:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\BhsWaf
[2010/12/31 20:41:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\xNiEn
[2010/12/31 20:41:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\jNINWpX8E
[2010/12/31 20:41:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\fyPWpUc
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\xO8HATyLOY
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\T3kUj
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\qWab5IJ
[2010/12/31 20:41:28 | 000,000,026 | ---- | C] () -- C:\WINDOWS\1caPV
[2010/12/31 20:41:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\vARUH
[2010/12/31 20:41:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\kXEPL1AT3
[2010/12/31 20:41:28 | 000,000,025 | ---- | C] () -- C:\WINDOWS\78ErIXU
[2010/12/31 20:41:28 | 000,000,024 | ---- | C] () -- C:\WINDOWS\kc5EkqCghH
[2010/12/31 20:41:28 | 000,000,024 | ---- | C] () -- C:\WINDOWS\icybByB7U

:commands
[emptytemp]
[resethosts]

regards, Elise




#12 matthewdf (Topic Starter, Members, 59 posts)

Posted 22 January 2011 - 01:22 PM

During the fix I received about 4 or 5 external exception errors. I clicked on OK to go through them. I then attempted to boot the computer and it booted up just fine. I haven't done anything with it since. I will await your advice from here.

#13 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,823 posts, Location: Romania)

Posted 22 January 2011 - 04:24 PM

I'm glad to hear it boots up fine now. There was a lot of malware showing, so let's see if we got everything.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#14 matthewdf (Topic Starter, Members, 59 posts)

Posted 22 January 2011 - 06:46 PM

Ok, here is the ComboFix log. I really appreciate all of your help!

ComboFix 11-01-22.01 - Ashlee 01/22/2011 17:37:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.543 [GMT -6:00]
Running from: c:\documents and settings\Ashlee\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *Enabled/Outdated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Application Data\Microsoft

.
((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

2011-01-22 23:36 . 2011-01-22 23:36 -------- d-----w- c:\windows\LastGood
2011-01-22 12:18 . 2011-01-22 12:18 -------- d-----w- C:\_OTL
2011-01-11 03:43 . 2011-01-11 03:43 -------- d-----w- c:\documents and settings\Ashlee\Application Data\Malwarebytes
2011-01-11 03:43 . 2011-01-11 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-11 03:43 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-11 03:43 . 2011-01-11 03:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-11 03:43 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-31 21:31 . 2010-12-31 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2005-08-16 10:40 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2005-08-16 10:18 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2005-08-16 10:18 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2005-08-16 10:18 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2005-08-16 10:18 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-17 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]
"Easy Dock"="c:\documents and settings\Ashlee\My Documents\RCA easyRip\EZDock.exe" [2009-05-08 573440]

c:\documents and settings\Justin\Start Menu\Programs\Startup\
Dora Fairytale Adventures Registration.lnk - D:\ATR1.exe [N/A]

c:\documents and settings\Ashlee\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\documents and settings\Ashlee\My Documents\RCA Detective\RCADetective.exe [2009-12-25 942592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-17 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-17 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S3 kwkpcusb;Kyocera CDMA Wireless Modem Driver for KPC;c:\windows\system32\drivers\kwusbnt.sys [2/8/2007 6:28 PM 101280]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-22 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2452)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-22 17:43:38
ComboFix-quarantined-files.txt 2011-01-22 23:43

Pre-Run: 27,826,569,216 bytes free
Post-Run: 28,091,719,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2ED0A541595A2D2DDFAA929A574393B0

#15 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,823 posts, Location: Romania)

Posted 23 January 2011 - 02:49 AM

That looks good! How are things running now?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:8074
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise






