
Virus (I think)


32 replies to this topic

#1 High_THC242

High_THC242

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 18 January 2011 - 11:38 PM

Hey guys. I'm having a problem with my computer and I think it's caused by a virus. I cannot open any programs, software, etc. except for Mozilla Firefox. I cannot even open "My Computer". When I double-click a program to start it, it shows the hourglass, but after 2-4 seconds it disappears and nothing happens. Also, I tried downloading anti-virus software in safe mode and when I tried to, it froze.

Is there any way I can remove what I think is a virus, or do I have to clean my computer out entirely? Thanks in advance.

Edited by Budapest, 18 January 2011 - 11:39 PM.
Moved from XP ~BP



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:15 PM

Posted 19 January 2011 - 09:20 AM

Hi High_THC242 and welcome to Bleeping Computer.

Step 1

Please reboot your computer in Safe Mode with Networking by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
You will need to use the 'keyboard arrow keys' to navigate on this menu.
* Select the option, to run Windows in Safe Mode with Networking, then press "Enter".
* Then choose your usual account.

Step 2

Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options
Click on the Connections tab
Click on the LAN Settings button
Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen
Then press the OK button to close the Internet Options screen.

Internet Explorer should now work if that was the problem.
Or you can use Firefox to complete the next few steps.

Step 3
Please download RKill.com to your desktop from the following link:
Rkill download link
Download page will open in a new tab or browser window.
When at the download page, click on the Download Now button to download RKill.com and save it on your desktop.
Once it is downloaded, double-click on the rkill.com icon.
If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself.

If the malware is persistent, you may have to run RKill a number of times.
When it has finished, the black window will automatically close and you can continue with the next step.

If you continue having problems running rkill.com, you can download iExplore or eXplorer.exe from the rkill download page. Both of these files are renamed copies of rkill.com, which you can try instead. Please note that the download page will open in a new browser window or tab.

Note
Please do not reboot your system until you have completed the following step, or the malware will restart itself:

Step 4
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post the MBAM report in your next reply and also let me know if the problem is continuing.

Thanks



#3 High_THC242

High_THC242
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 19 January 2011 - 03:45 PM

I cannot open Internet Explorer even in safe mode (I think it's deleted). Also, I cannot download anything because when I tried to, the browser froze and I had to reopen it. Do you think I have to download RKill on another computer and transfer it here? (if it actually opens)

#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:15 PM

Posted 19 January 2011 - 05:34 PM

Do you think I have to download RKill on another computer and transfer it here?

Yes, that would work, but you'll also need to transfer MBAM.
But the program won't be updated with the latest definitions.
There is a way to transfer and update it ..... what OS are the 2 m/c's?
I take it the infected one is XP, but what's the OS of the good m/c?
Once I know I can give you precise instructions on how to complete all this.

It may be best if I get this thread moved to the malware forum.
It'll be easier to work on then.

Edited by Starbuck, 19 January 2011 - 05:37 PM.



#5 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,250 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:01:15 PM

Posted 19 January 2011 - 06:33 PM

Moved.

#6 High_THC242

High_THC242
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 22 January 2011 - 11:04 AM

Thanks a lot, I will try this and see if it works. =D

#7 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:15 PM

Posted 22 January 2011 - 11:19 AM

Will the programs download using Firefox?



#8 High_THC242

High_THC242
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 22 January 2011 - 12:34 PM

Nope, so I had to transfer RKill and the anti-malware program. Here is the log from the scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5571

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

1/22/2011 11:21:27 AM
mbam-log-2011-01-22 (11-21-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 179625
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\summarunkens\workgroup (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\application data\microsoft\System\Services\svchost.exe (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\Desktop\Owner\my documents\downloads\cursormania.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\blacklovekid@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\davonte_lips@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\dontae14@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\jahboy23@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\lacoste_kingtino@live.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\peanuthead_perry@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\pinder_33@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\sexymanda1@live.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\sexyness_mya@live.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\shakeemd@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\shotta_vonte@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\snickers_summer130@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\local settings\application data\microsoft\messenger\tasia48@hotmail.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\my documents\my chat logs\september 2010\workgroup (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\summarunkens\application data\microsoft\internet explorer\quick launch\desktop security.lnk (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.

After I have done this, I still cannot open anything on the computer.... Maybe I will have to run the scan again?
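
A way to read a log like the one above with rules instead of by eye, as an added example (this is not code from BleepingComputer, Malwarebytes or either poster; the sample log inside it is constructed, with placeholder user and contact names, and the rule names and the list of core process names are the example's own). It parses the MBAM 1.x log layout and flags the patterns worth pulling out of this log: a `svchost.exe` living under Application Data instead of system32, the same `.scr` dropped into one folder per Messenger contact, a registry value MBAM restored (it prints the bad value next to the known-good one), and any item whose removal only completes after a reboot.

```python
"""Triage of a Malwarebytes' Anti-Malware 1.x scan log.

Added example, not code from BleepingComputer or Malwarebytes. It parses the
plain-text log layout MBAM 1.x writes and answers the questions a responder asks
before the next step: which removed files were masquerading as core Windows
binaries, which were dropped where Windows Live Messenger stores received files,
which removals still need a reboot, and which registry values were hijacked.

Assumptions: SAMPLE_LOG is constructed for this example (user and contact names
are placeholders); the rule names and SYSTEM_PROCESS_NAMES are this example's own.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5571
Windows 5.1.2600 Service Pack 2 (Safe Mode)

Registry Data Items Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\application data\microsoft\System\Services\svchost.exe (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\application data\microsoft\messenger\contact1@example.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\application data\microsoft\messenger\contact2@example.com\mypornpics.scr (FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\user\my documents\downloads\cursormania.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\microsoft\internet explorer\quick launch\desktop security.lnk (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.
c:\windows\system32\drivers\example.sys (Constructed.Sample) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")  # detail section header (no count)
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
REG_DATA_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)
# Process names that legitimately live only under %SystemRoot%\system32 (XP layout assumed).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def parse_sections(text):
    """Split an MBAM log into its detail sections: {section name: [item line, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif current and line and not line.startswith("(No malicious"):
            sections[current].append(line)
    return sections


def _under_system32(path):
    parts = [p.lower() for p in path.parts]
    return len(parts) > 3 and parts[1] in ("windows", "winnt") and parts[2] == "system32"


def triage(text):
    """Return {'findings': [(rule, detail), ...], 'by_detection': Counter}."""
    sections = parse_sections(text)
    files = [m.groupdict() for m in map(ITEM_RE.match, sections.get("Files", [])) if m]
    reg_data = [m.groupdict() for m in map(REG_DATA_RE.match, sections.get("Registry Data Items", [])) if m]
    findings = []
    for item in files:
        path = PureWindowsPath(item["path"])
        name = path.name.lower()
        # A core process name outside system32 is a classic masquerade.
        if name in SYSTEM_PROCESS_NAMES and not _under_system32(path):
            findings.append(("masquerading-system-binary", item["path"]))
        # A screensaver executable in a Messenger contact folder is a received file.
        if name.endswith(".scr") and "messenger" in (p.lower() for p in path.parts):
            findings.append(("messenger-received-scr", item["path"]))
        # MBAM could not delete the file in place; removal completes only after a reboot.
        if "reboot" in item["action"].lower():
            findings.append(("needs-reboot", item["path"]))
    for item in reg_data:
        findings.append(("registry-value-hijack",
                         f"{item['key']}  bad={item['bad']!r}  good={item['good']!r}"))
    return {"findings": findings, "by_detection": Counter(i["detection"] for i in files)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rule, detail in result["findings"]:
        print(f"{rule:28s} {detail}")
    print(dict(result["by_detection"]))
```

Run against the log posted above, the same rules flag the Application Data `svchost.exe`, the thirteen `mypornpics.scr` copies and the `regfile` open-command hijack; the `Rogue.DesktopSecurity` shortcut is the detection that names a rogue security product. The log header also records that the scan ran in Safe Mode, which is worth keeping in mind when nothing shows up under "Memory Processes Infected".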

#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:15 PM

Posted 22 January 2011 - 12:50 PM

Hi there,

Download this program and then transfer it to the infected system.
You can copy the custom scan part to a notepad doc and transfer that as well.
You'll be able to copy/paste it into the relevant section then.

  • Download OTL to your desktop.
    Right click on the link and select 'Save Link/Target As'.

    If you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Now copy the lines in bold below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT


  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
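
What the `/md5start ... /md5stop` part of the custom scan is for, as an added example (not OTL's or BleepingComputer's code): OTL prints an MD5 for every copy it finds of each listed file, and the helper compares the copy that actually loads from system32 against the cached copies Windows keeps (dllcache, ServicePackFiles, $hf_mig$, ReinstallBackups, the Driver Cache .cab, pending SoftwareDistribution downloads). The script below parses those blocks and automates that comparison. The `atapi.sys` and `eventlog.dll` entries in its sample are copied from the OTL report posted later in this thread; the `EXAMPLE.SYS` block, its hashes, the live/cached split and the verdict names are constructed for the example.

```python
"""Cross-check of the '< MD5 for: ... >' blocks in an OTL report.

Added example, not OTL's or BleepingComputer's code. The comparison the helper
makes by eye is whether the live copy's hash matches at least one cached copy;
a live driver that matches none, at the same size as a cached copy, has the
shape of an in-place patch of that driver.

Assumptions: the atapi.sys and eventlog.dll blocks in SAMPLE_REPORT are copied
from the report posted in the thread; the EXAMPLE.SYS block is constructed, with
made-up hashes, to show a mismatch. The live/cached split and the verdict names
are this example's own heuristic.
"""
import re

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# [date | size | attrs | C/M] (company) MD5=... -- path   (".cab file" entries carry no MD5)
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+?) \| (?P<flag>[A-Z])\] "
    r"\((?P<company>[^)]*)\) (?:MD5=(?P<md5>[0-9A-F]{32}) )?(?:\.cab file )?-- (?P<path>.+)$"
)

SAMPLE_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2004/08/03 18:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/03 17:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/03 17:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXAMPLE.SYS >
[2004/08/03 22:59:44 | 000,040,960 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\dllcache\example.sys
[2010/11/30 03:12:07 | 000,040,960 | ---- | M] () MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\system32\drivers\example.sys

< %systemroot%\*. /mp /s >
"""


def is_live_copy(path):
    """True for the copy Windows loads: directly under system32 or its drivers folder."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith("\\system32") or parent.endswith("\\system32\\drivers")


def parse_md5_blocks(text):
    """{file name (lower case): [entry dict, ...]} for every '< MD5 for: NAME >' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            blocks[current] = []
            continue
        if line.startswith("<"):  # any other custom-scan block ends the MD5 block
            current = None
            continue
        entry = ENTRY_RE.match(line)
        if current and entry:
            rec = entry.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))
            blocks[current].append(rec)
    return blocks


def cross_check(text):
    """Return {file name: verdict} comparing the live copy against every hashed cached copy."""
    verdicts = {}
    for name, entries in parse_md5_blocks(text).items():
        live = [e for e in entries if is_live_copy(e["path"])]
        cached = [e for e in entries if not is_live_copy(e["path"]) and e["md5"]]
        if not live:
            verdicts[name] = {"status": "no-live-copy"}
            continue
        e = live[0]
        if e["md5"] in {c["md5"] for c in cached}:
            status = "matches-cache"
        elif any(c["size"] == e["size"] for c in cached):
            status = "mismatch-same-size"  # same length, different bytes: in-place patch shape
        elif cached:
            status = "mismatch"
        else:
            status = "no-cached-copy"
        verdicts[name] = {"status": status, "md5": e["md5"], "size": e["size"],
                          "path": e["path"], "no_company_name": e["company"] == ""}
    return verdicts


if __name__ == "__main__":
    for name, v in cross_check(SAMPLE_REPORT).items():
        print(f"{name:14s} {v['status']:20s} {v.get('path', '')}")
```

The copies under SoftwareDistribution\Download are a pending newer build (the 2008 dates in the report), so a hash that differs from those alone means nothing; the rule only asks whether the live copy matches at least one cached copy, and reports same-size-different-hash separately because a patch applied in place typically keeps the driver's length. OTL prints `()` for a file with no company name in its version resource; the verdict carries that along as `no_company_name` so it is not lost when the hash check passes.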



#10 High_THC242

High_THC242
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 22 January 2011 - 02:23 PM

Here's the OTL.Txt notepad:

OTL logfile created on: 1/22/2011 2:12:59 PM - Run 1
OTL by OldTimer - Version 3.2.20.4 Folder = C:\Documents and Settings\Administrator.COMPUTER1\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 768.00 Mb Available Physical Memory | 76.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 218.70 Gb Free Space | 93.91% Space Free | Partition Type: NTFS

Computer Name: COMPUTER1 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator.COMPUTER1\My Documents\Downloads\OTL.scr (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator.COMPUTER1\My Documents\Downloads\OTL.scr (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (npggsvc) -- C:\windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (Diskeeper) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper® Corporation)


========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\windows\System32\Drivers\sptd.sys ()
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys ()
DRV - (VCSVADHWSer) Avnex Virtual Audio Device (WDM) -- C:\WINDOWS\system32\drivers\vcsvad.sys (Avnex)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)
DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\rtl8187B.sys (Realtek Semiconductor Corporation )
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/02 23:00:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/09 22:38:09 | 000,000,000 | ---D | M]

[2011/01/22 13:26:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data\Mozilla\Extensions
[2011/01/22 13:26:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data\Mozilla\Firefox\Profiles\ddxywzk0.default\extensions
[2011/01/18 20:53:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/28 15:14:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/28 15:13:56 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/05/28 15:13:55 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\windows\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper® Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [MessengerPlusLiveUninstall] C:\Documents and Settings\Administrator.COMPUTER1\Local Settings\Temp\MsgPlusUninstall.exe (Yuna Software)
O4 - HKLM..\RunServices: [AboutBonjour] File not found
O4 - HKLM..\RunServices: [AboutBonjour31000] File not found
O4 - HKLM..\RunServices: [BASSAPEbassape] File not found
O4 - HKLM..\RunServices: [QuickTimeQuickTimeResources7.6.6] File not found
O4 - HKLM..\RunServices: [tbdresDiagnostics] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Airlink101 USB Wireless Configuration Utility.lnk = C:\Program Files\Airlink101\AWLL3028\RtWLan.exe (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O20 - AppInit_DLLs: (C:\DOCUME~1\SUMMAR~1\APPLIC~1\IMVU\UPLMSC~1\msftldr.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - Unable to open key or key not present!
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - File not found
MsConfig - StartUpReg: Pando Media Booster - hkey= - key= - File not found
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2011/01/22 14:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\My Documents\Downloads
[2011/01/22 13:47:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data\Macromedia
[2011/01/22 13:47:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data\Adobe
[2011/01/22 13:26:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Local Settings\Application Data\Mozilla
[2011/01/22 13:26:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data\Mozilla
[2011/01/22 11:08:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2011/01/22 11:08:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/22 11:08:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2011/01/18 23:13:53 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data\Microsoft
[2011/01/18 23:13:53 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Cookies
[2011/01/18 23:13:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\SendTo
[2011/01/18 23:13:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Application Data
[2011/01/18 23:13:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Start Menu\Programs\Startup
[2011/01/18 23:13:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Start Menu
[2011/01/18 23:13:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Start Menu\Programs\Accessories
[2011/01/18 23:13:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Templates
[2011/01/18 23:13:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Recent
[2011/01/18 23:13:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\PrintHood
[2011/01/18 23:13:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\NetHood
[2011/01/18 23:13:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Local Settings
[2011/01/18 23:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\My Documents
[2011/01/18 23:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Local Settings\Application Data\Microsoft
[2011/01/18 23:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Favorites
[2011/01/18 23:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.COMPUTER1\Desktop
[2011/01/16 16:02:49 | 000,059,264 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\drivers\USBAUDIO.sys
[2011/01/16 16:02:49 | 000,059,264 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\usbaudio.sys
[6 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
[3 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/22 13:23:31 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2011/01/22 13:01:00 | 000,000,316 | -HS- | M] () -- C:\windows\tasks\Dajz.job
[2011/01/22 11:08:38 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/22 10:25:31 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[6 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
[3 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/22 11:08:38 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/18 23:13:53 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator.COMPUTER1\Start Menu\Programs\Remote Assistance.lnk
[2011/01/18 23:13:53 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator.COMPUTER1\Start Menu\Programs\Windows Media Player.lnk
[2010/10/14 20:04:42 | 000,685,816 | ---- | C] () -- C:\windows\System32\drivers\sptd.sys
[2010/08/03 22:54:59 | 001,970,176 | ---- | C] () -- C:\windows\System32\d3dx9.dll
[2010/06/28 13:08:08 | 000,110,592 | ---- | C] () -- C:\windows\System32\FsUsbExDevice.Dll
[2010/06/28 13:08:08 | 000,036,608 | ---- | C] () -- C:\windows\System32\FsUsbExDisk.Sys
[2010/03/19 23:26:36 | 000,004,161 | ---- | C] () -- C:\windows\ODBCINST.INI
[2010/03/19 04:46:20 | 000,147,456 | R--- | C] () -- C:\windows\System32\igfxCoIn_v4926.dll
[2007/10/25 16:26:10 | 000,005,632 | ---- | C] () -- C:\windows\System32\drivers\StarOpen.sys
[2004/07/17 04:36:38 | 000,027,440 | ---- | C] () -- C:\windows\System32\drivers\secdrv.sys

========== LOP Check ==========

[2010/05/25 19:47:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acoustica
[2010/08/01 23:31:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2010/05/26 13:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010/05/26 07:16:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/06/28 13:11:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2010/09/23 14:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2010/10/08 20:54:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/13 23:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/01/22 13:01:00 | 000,000,316 | -HS- | M] () -- C:\windows\Tasks\Dajz.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/03 18:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 18:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 15:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/03 17:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/03 17:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/03 17:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/03 17:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 17:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/03 17:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[6 C:\windows\system32\*.tmp files -> C:\windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
[2011/01/22 13:01:00 | 000,000,316 | -HS- | M] () Unable to obtain MD5 -- C:\windows\Tasks\Dajz.job

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/10/14 20:04:43 | 000,685,816 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >


Here's the Extras.Txt notepad:

OTL Extras logfile created on: 1/22/2011 2:12:59 PM - Run 1
OTL by OldTimer - Version 3.2.20.4 Folder = C:\Documents and Settings\Administrator.COMPUTER1\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 768.00 Mb Available Physical Memory | 76.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 218.70 Gb Free Space | 93.91% Space Free | Partition Type: NTFS

Computer Name: COMPUTER1 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"17621:TCP" = 17621:TCP:*:Enabled:BitComet 17621 TCP
"17621:UDP" = 17621:UDP:*:Enabled:BitComet 17621 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- (Ares Development Group)
"C:\Documents and Settings\SummaRunkens\Application Data\IMVUClient\1VivoxVoice.exe" = C:\Documents and Settings\SummaRunkens\Application Data\IMVUClient\1VivoxVoice.exe:*:Enabled:1VivoxVoice
"C:\Documents and Settings\Owner\My Documents\Downloads\DO_Full-Client_Downloader.exe" = C:\Documents and Settings\Owner\My Documents\Downloads\DO_Full-Client_Downloader.exe:*:Enabled:Full-Client Downloader
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0C38EB05-3259-4DD3-9663-74A60C80BA4E}" = Diskeeper Home Edition
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{889457D5-7B32-4939-A775-D6FF973B40E9}" = Airlink101 USB Wireless Configuration Utility
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Ares" = Ares 2.1.5
"CCleaner" = CCleaner
"Cheat Engine 5.6_is1" = Cheat Engine 5.6
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup.divx.com" = DivX Setup
"E24870CB6AA1C3511635FF9020A3E9471287FBE7" = Windows Driver Package - MobileTop (sshpmdm) Modem (01/26/2008 2.6.0.0)
"HDMI" = Intel® Graphics Media Accelerator Driver
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"RocketDock_is1" = RocketDock 1.3.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/22/2011 12:08:14 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Documents and Settings\SummaRunkens\Local
Settings\History\History.IE5\index.dat for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on, or
the storage drivers installed on this computer; or the disk is missing. Windows
closed the program index.dat because of this error. Program: index.dat File: C:\Documents
and Settings\SummaRunkens\Local Settings\History\History.IE5\index.dat The error
value is listed in the Additional Data section. User Action 1. Open the file again.
This situation might be a temporary problem that corrects itself when the program
runs again. 2. If the file still cannot be accessed and - It is on the network, your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C000009C Disk
type: 3

Error - 1/22/2011 12:08:20 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module wininet.dll, version 6.0.2900.3660, fault address 0x000060bd.

Error - 1/22/2011 12:39:03 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Documents and Settings\SummaRunkens\Local
Settings\History\History.IE5\index.dat for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on, or
the storage drivers installed on this computer; or the disk is missing. Windows
closed the program index.dat because of this error. Program: index.dat File: C:\Documents
and Settings\SummaRunkens\Local Settings\History\History.IE5\index.dat The error
value is listed in the Additional Data section. User Action 1. Open the file again.
This situation might be a temporary problem that corrects itself when the program
runs again. 2. If the file still cannot be accessed and - It is on the network, your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C000009C Disk
type: 3

Error - 1/22/2011 12:39:08 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1000
Description = Faulting application AdobeARM.exe, version 1.4.7.0, faulting module
wininet.dll, version 6.0.2900.3660, fault address 0x000060bd.

Error - 1/22/2011 12:43:33 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Documents and Settings\SummaRunkens\Local
Settings\History\History.IE5\index.dat for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on, or
the storage drivers installed on this computer; or the disk is missing. Windows
closed the program index.dat because of this error. Program: index.dat File: C:\Documents
and Settings\SummaRunkens\Local Settings\History\History.IE5\index.dat The error
value is listed in the Additional Data section. User Action 1. Open the file again.
This situation might be a temporary problem that corrects itself when the program
runs again. 2. If the file still cannot be accessed and - It is on the network, your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C000009C Disk
type: 3

Error - 1/22/2011 12:43:33 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/22/2011 12:48:00 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Documents and Settings\SummaRunkens\Local
Settings\History\History.IE5\index.dat for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on, or
the storage drivers installed on this computer; or the disk is missing. Windows
closed the program index.dat because of this error. Program: index.dat File: C:\Documents
and Settings\SummaRunkens\Local Settings\History\History.IE5\index.dat The error
value is listed in the Additional Data section. User Action 1. Open the file again.
This situation might be a temporary problem that corrects itself when the program
runs again. 2. If the file still cannot be accessed and - It is on the network, your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C000009C Disk
type: 3

Error - 1/22/2011 12:48:06 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module wininet.dll, version 6.0.2900.3660, fault address 0x000060bd.

Error - 1/22/2011 2:07:51 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Documents and Settings\SummaRunkens\Local
Settings\History\History.IE5\index.dat for one of the following reasons: there
is a problem with the network connection, the disk that the file is stored on, or
the storage drivers installed on this computer; or the disk is missing. Windows
closed the program index.dat because of this error. Program: index.dat File: C:\Documents
and Settings\SummaRunkens\Local Settings\History\History.IE5\index.dat The error
value is listed in the Additional Data section. User Action 1. Open the file again.
This situation might be a temporary problem that corrects itself when the program
runs again. 2. If the file still cannot be accessed and - It is on the network, your
network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C000009C Disk
type: 3

Error - 1/22/2011 2:07:58 PM | Computer Name = COMPUTER1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module wininet.dll, version 6.0.2900.3660, fault address 0x000060bd.

[ System Events ]
Error - 1/22/2011 2:07:47 PM | Computer Name = COMPUTER1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/22/2011 2:07:49 PM | Computer Name = COMPUTER1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/22/2011 2:07:51 PM | Computer Name = COMPUTER1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/22/2011 2:10:17 PM | Computer Name = COMPUTER1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/22/2011 2:10:19 PM | Computer Name = COMPUTER1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/22/2011 2:22:37 PM | Computer Name = COMPUTER1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/22/2011 2:23:58 PM | Computer Name = COMPUTER1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/22/2011 2:24:33 PM | Computer Name = COMPUTER1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/22/2011 2:25:07 PM | Computer Name = COMPUTER1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm

Error - 1/22/2011 2:28:36 PM | Computer Name = COMPUTER1 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460


< End of report >



I did actually download OTL on the infected computer, but it looks like I can only do this on the administrator user and not my normal one. I will try this on my normal user.

#11 High_THC242

High_THC242
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 22 January 2011 - 03:01 PM

Yes, I will have to transfer the OTL file to this computer as well -_-. It seems that nothing works on my normal user profile...

#12 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:15 PM

Posted 22 January 2011 - 06:44 PM

Hi High_THC242,

Yes, all the programs we ask you to download and run must be run from an administrator account.

Try this:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

This is an example, you may rename ComboFix to anything you want.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If running Vista, you may not see this screen.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Thanks



#13 High_THC242

High_THC242
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 10 February 2011 - 03:25 PM

Sorry for the late reply, I have been away, but here is the ComboFix log:


ComboFix 11-02-09.05 - SummaRunkens 02/10/2011 15:06:18.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.829 [GMT -5:00]
Running from: D:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SummaRunkens\Application Data\Desktop Security
c:\windows\msnimport.exe

c:\windows\system32\drivers\cdrom.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
.

2011-01-24 23:13 . 2003-09-03 07:28 724992 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iKernel.dll
2011-01-24 23:13 . 2003-09-03 07:27 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\ctor.dll
2011-01-24 23:13 . 2003-09-03 07:26 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iscript.dll
2011-01-24 23:13 . 2003-09-03 07:26 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iuser.dll
2011-01-24 23:13 . 2003-09-03 07:25 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\DotNetInstaller.exe
2011-01-24 23:13 . 2011-01-24 23:13 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\Setup.dll
2011-01-24 23:13 . 2011-01-24 23:13 184452 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iGdi.dll
2011-01-22 16:08 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-22 16:08 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-19 04:13 . 2011-01-19 04:13 -------- d-----w- c:\documents and settings\Administrator.COMPUTER1
2011-01-16 21:02 . 2004-08-04 04:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-01-16 21:02 . 2004-08-04 04:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-17 16876032]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-25 196709]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Airlink101 USB Wireless Configuration Utility.lnk - c:\program files\Airlink101\AWLL3028\RtWLan.exe [2010-3-19 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17621:TCP"= 17621:TCP:BitComet 17621 TCP
"17621:UDP"= 17621:UDP:BitComet 17621 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/14/2010 8:04 PM 685816]
R3 RTL8187B;Airlink101 802.11g USB 2.0 Adapter;c:\windows\system32\drivers\rtl8187B.sys [3/19/2010 9:40 AM 238208]
S0 xkgtue;xkgtue;c:\windows\system32\drivers\nmloujf.sys --> c:\windows\system32\drivers\nmloujf.sys [?]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/19/2010 9:39 AM 38144]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [6/28/2010 1:08 PM 36608]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [5/26/2010 11:06 PM 17792]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2405280
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\SummaRunkens\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\SummaRunkens\Application Data\Mozilla\Firefox\Profiles\8s9kw6eu.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
Notify-NavLogon - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-02-10 15:13:20
ComboFix-quarantined-files.txt 2011-02-10 20:13

Pre-Run: 231,214,977,024 bytes free
Post-Run: 233,828,835,328 bytes free

- - End Of File - - 359E2A00F71127D33CAC2F0A7CA2F3BE
I have a question though, if you don't mind me asking. When I open Windows Task Manager and go to the Processes tab, there are a number of the same processes active. They are "dwwin.exe", "plugin-container.exe", and "svchost.exe". Could any of them be the problem?
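As an added illustration (not part of the original thread or of ComboFix itself), the small triage helper below parses service/driver lines in the ComboFix log format posted above and flags the entries a helper would look at first: a boot-start driver whose file ComboFix could not locate (the `[?]` marker, as on the `xkgtue` line) and a firewall policy with `EnableFirewall` set to 0. The sample lines are copied from this log; the meaning of the `R`/`S` prefix (running/stopped) and the start-type digit is my assumption about the log layout.

```python
import re

# Constructed sample, copied from the ComboFix log layout on this page.
# A service line is "<R|S><start> name;display;path [date size]" or, when
# ComboFix cannot locate the file, "... --> path [?]".
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/14/2010 8:04 PM 685816]
S0 xkgtue;xkgtue;c:\windows\system32\drivers\nmloujf.sys --> c:\windows\system32\drivers\nmloujf.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [5/26/2010 11:06 PM 17792]
"""

SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

def parse_service(line):
    """Return a dict for a ComboFix service/driver line, or None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    return {
        "running": state == "R",        # assumed: R = running, S = stopped
        "start": int(start),            # assumed: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        "name": name,
        "display": display,
        "path": rest.split(" --> ")[0].rsplit(" [", 1)[0],
        "file_found": not rest.endswith("[?]"),  # "[?]" = ComboFix found no file on disk
    }

def triage(log_text):
    """Flag entries worth a second look. Returns a list of (name, reason) pairs."""
    findings = []
    for line in log_text.splitlines():
        if FIREWALL_OFF_RE.match(line):
            findings.append(("firewall", "Windows Firewall is disabled for the standard profile"))
            continue
        svc = parse_service(line)
        if svc is None or svc["file_found"]:
            continue
        # A boot/system-start driver with no file on disk (like xkgtue/nmloujf above)
        # ranks above an on-demand service whose binary is merely gone (GameMon.des).
        if svc["start"] <= 1:
            findings.append((svc["name"], "boot-start driver with missing file"))
        else:
            findings.append((svc["name"], "service with missing file (likely stale entry)"))
    return findings
```

Run `triage(open("ComboFix.txt").read())` on a saved log to get the same three findings this sample produces; everything else in the log is passed over silently.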

#14 Starbuck

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 11 February 2011 - 08:45 AM

Hi High_THC242,

When I open windows task manager and I go to the process tab, there are a number of the same processes active. They are "dwwin.exe", "plugin-container.exe", and "svchost.exe".

These are legitimate processes, so they should be left alone.

Are you able to get onto the internet yet from the infected system?



#15 High_THC242

  • Topic Starter
  • Members
  • 18 posts

Posted 11 February 2011 - 07:55 PM

Yes, the only thing actually working is Mozilla Firefox.