Infected with unknown malware and can't run utilities


This topic is locked
43 replies to this topic

#1 bstrange

bstrange

  • Members
  • 82 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 23 November 2011 - 11:38 PM

I was watching an episode of Breaking Bad on videobb.com and broke my PC bad (pardon the pun). The Chrome window closed and it started popping up error messages. Everything disappeared out of the start menu and folders started disappearing. Most things wouldn't launch on double click but I did manage to establish a vnc connection with my other pc to capture a screenshot. Taskmgr would not open and basically the PC rebooted itself. When it came back up nothing was there.

I used cmd to navigate to Program Files and change its attributes from hidden, and then ran mbam.exe; it found one trojan.fakealert and removed it, and then I was able to shut it down and bring it back up in safe mode. I ran mbam and it found nothing; I ran rkill and it found nothing; I tried to run gmer and it won't run; I tried to run DDS and it wouldn't run. I tried to run ASWMBR and it wouldn't run. Finally, I tried combofix and it got to 'Scanning for infected files...', which it stayed stuck on overnight.

While I was at it, I unhid all folders. I am usually pretty good at identifying and removing malware, but since nothing will run but mbam, and mbam finds nothing, I am at a wall. I noticed many of the exe files in taskmanager were showing up as .3XE. I did get HJT to run, and it showed nothing (maybe 10 items) as opposed to the usual 40 or so line items. When I tried safe mode with networking, I could connect to the internet but it redirects me away from anything useful. HOSTS file does not appear to be altered.

Any thoughts on how I can begin to remove this without being able to run the most common tools to at least identify the malware? I was thinking of pulling the HD and swapping the registry files with the ones in system32/config/RegBack, but I am going to wait and see if anyone can think of something odd that the malware isn't accounting for that might give me an 'in'.

DDS runs until there are exactly 50 '#' symbols, then locks up. The mouse disappears, ctrl/alt/del doesn't work. Nothing can be done except hard restarting the PC by holding down the power button.

When trying to load up GMER I get an error: "LoadDriver("C:\Users\MEDIACENTER2\AppData\Local\Temp\pxldypoc.sys") error 0xC000010E: An instance of this service is already running."

Once the GMER window finally comes up, all check boxes except services, registry, files, and ADS are greyed out and cannot be selected. I went forward and pressed scan so it would at least go through the 4 that were checked and not greyed out and after about 20 minutes, I got the following error: "C:\Users\MEDIACENTER2\ntuser.dat: The process cannot access the file because it is being used by another process." Then it pops up GMER hasn't found any system modifications.

I don't know what to do. I am thinking that the malware has made some serious registry or permission changes that target the specific tools commonly used to repair PCs... :(

Edit to add: The malware appears to schedule chkdsk on every system restart to prevent the system from being started in safe mode (safe mode load freezes on crcdisk.sys when chkdsk is pending). At first I thought I'd never get it into safe mode, but by starting it normally and allowing chkdsk to run and then mashing F8 as the chkdsk routine is restarting the system following its scan, I can get it into safe mode. The process must be repeated each time I want to enter safe mode.

Also, I scanned the drive with SeaTools and DFT and they found no problems so I have ruled out actual hard disk failure.

Is it safe to slave the drive on a working PC and run combo fix or other utilities from that PC or would I risk infecting an additional PC?

Edited by bstrange, 23 November 2011 - 11:46 PM.



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,764 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:56 AM

Posted 28 November 2011 - 11:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429124 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:56 PM

Posted 05 December 2011 - 08:29 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please disregard the post above as we are aware that tools are not running well on your machine.

Please post here within 5 days to let me know you are still here.
m0le is a proud member of UNITE

#4 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 05 December 2011 - 08:41 PM

Hi m0le, thanks for the help; let me know what you need :)

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:56 PM

Posted 05 December 2011 - 08:51 PM

This is very likely a rootkit called ZeroAccess which locks out a lot of tools. But not OTL...

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE
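As an added example that is not part of this thread and is not OTL's own code: once OTL.txt is in hand, the "Win32 Services" and "Driver Services" sections can be triaged mechanically before a human reads the rest. The Python below parses SRV/DRV lines in the format OTL prints and flags three leads an analyst looks at first: entries whose binary is missing ("File not found"), entries whose file carries no vendor string ("()" or "( )"), and binaries living outside the Windows or Program Files trees. The sample lines are constructed to match OTL's format (some modelled on entries in the log posted later in this thread); the regexes, `SYSTEM_PREFIXES` and the flag names are this example's assumptions. A flag is a lead for a reviewer, not a verdict: a legitimate anti-spyware driver run from a desktop folder gets the same location flag as a dropper would.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shapes of the OTL service/driver lines this parser understands (assumed from OTL's output):
#   SRV - (Name) -- C:\path\file.exe (Company Name)
#   DRV - (Name) Vendor text -- C:\path\file.sys ()
#   SRV - (Name) -- File not found
ENTRY_RE = re.compile(r'^(?P<kind>SRV|DRV) - \((?P<name>[^)]*)\).*? -- (?P<rest>.*)$')
# Splits "C:\path\file.exe (Company)" into path and company; the last "(...)" is the company.
TARGET_RE = re.compile(r'^(?P<path>.*?)\s*\((?P<company>[^()]*)\)\s*$')

# Directories where service/driver binaries are normally expected (assumption for this example).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Entry:
    kind: str                 # "SRV" or "DRV"
    name: str                 # service/driver name as OTL printed it
    path: str                 # "" when OTL reported "File not found"
    company: str              # "" when OTL printed "()" or "( )"
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL SRV/DRV line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, name, rest = m.group("kind"), m.group("name"), m.group("rest").strip()
    if rest.lower() == "file not found":
        return Entry(kind, name, "", "")
    t = TARGET_RE.match(rest)
    if t:
        return Entry(kind, name, t.group("path").strip(), t.group("company").strip())
    return Entry(kind, name, rest, "")   # no "(Company)" suffix at all


def triage(entry: Entry) -> Entry:
    """Attach triage flags; each flag is a lead for a human reviewer, not a verdict."""
    flags = []
    if not entry.path:
        flags.append("binary missing")            # orphaned registration: leftover or removed payload
    else:
        if not entry.company:
            flags.append("no vendor string")      # file has no version-info company field
        if not entry.path.lower().startswith(SYSTEM_PREFIXES):
            flags.append("outside system/program dirs")   # e.g. under a user profile or Temp
    entry.flags = flags
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every SRV/DRV line in an OTL.txt body."""
    return [triage(e) for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def flagged(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag, in log order."""
    return [e for e in triage_log(text) if e.flags]


# Constructed sample, formatted like OTL's service and driver sections.
SAMPLE_LOG = r"""========== Win32 Services (SafeList) ==========

SRV - (AmmyyAdmin) -- File not found
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (dlcx_device) -- C:\Windows\System32\dlcxcoms.exe ( )

========== Driver Services (SafeList) ==========

DRV - (SASDIFSV) -- C:\Users\MEDIACENTER2\Desktop\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (RLDesignVirtualAudioCableWdm) -- C:\Windows\System32\drivers\livecamv.sys ()
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} {e.name:<32} {e.path or '(missing)'}  <- {', '.join(e.flags)}")
```

Run against a real OTL.txt, feed the whole file to `flagged()`; the clean Microsoft and Intel entries drop out and the reviewer is left with the handful of lines worth checking by hand.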

#6 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 05 December 2011 - 09:33 PM

OK I got OTL to run:

OTL.txt:


OTL logfile created on: 12/5/2011 9:24:03 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\MEDIACENTER2\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 85.58% Memory free
4.39 Gb Paging File | 4.14 Gb Available in Paging File | 94.19% Paging File free
Paging file location(s): c:\pagefile.sys 1536 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.78 Gb Total Space | 57.91 Gb Free Space | 26.00% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.04 Gb Free Space | 50.41% Space Free | Partition Type: NTFS
Drive G: | 7.46 Gb Total Space | 1.50 Gb Free Space | 20.12% Space Free | Partition Type: FAT32

Computer Name: SLIM-PC | User Name: MEDIACENTER2 | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\MEDIACENTER2\Desktop\OTL (1).exe (OldTimer Tools)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - (AmmyyAdmin) -- File not found
SRV - (TuneUp.Defrag) -- C:\Windows\System32\TuneUpDefragService.exe (TuneUp Software GmbH)
SRV - (UxTuneUp) -- C:\Windows\System32\uxtuneup.dll (TuneUp Software GmbH)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AERTFilters) -- C:\Windows\System32\AERTSrv.exe (Andrea Electronics Corporation)
SRV - (Creative Labs Licensing Service) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe (Creative Labs)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (dlcx_device) -- C:\Windows\System32\dlcxcoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (SASDIFSV) -- C:\Users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (OmniTV) -- C:\Windows\System32\drivers\OmniTV.sys (YUAN High-Tech Development Co. Ltd.)
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (RLDesignVirtualAudioCableWdm) -- C:\Windows\System32\drivers\livecamv.sys ()
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\MEDIACENTER2\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\MEDIACENTER2\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/11/25 03:01:43 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\MEDIACENTER2\AppData\Local\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\MEDIACENTER2\AppData\Local\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\MEDIACENTER2\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Google Update (Enabled) = C:\Users\MEDIACENTER2\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5469BAB6-AB9B-4344-B5B3-8E68D9F3298E}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EB95487D-B7F0-4237-BB23-7BEB46496F11}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\microsoft shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\Windows\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\Windows\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASWINLO.DLL) - C:\Users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (credssp.dll) -C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) -C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/05 21:20:07 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\MEDIACENTER2\Desktop\OTL (1).exe
[2011/11/23 09:44:33 | 000,000,000 | ---D | C] -- C:\Users\MEDIACENTER2\AppData\Local\Adobe
[2011/11/22 13:40:27 | 000,000,000 | --SD | C] -- C:\HPCPCmbo
[2011/11/22 10:16:45 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2011/11/22 10:16:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
[2011/11/22 10:16:42 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2011/11/22 10:14:55 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\MEDIACENTER2\Desktop\hailmary.bat.exe
[2011/11/22 08:19:35 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\MEDIACENTER2\Desktop\softball.bat.exe
[2011/11/22 08:04:15 | 004,303,750 | R--- | C] (Swearware) -- C:\Users\MEDIACENTER2\Desktop\HPCPCmbo.exe
[2011/11/22 08:04:15 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\MEDIACENTER2\Desktop\aswMBR.exe
[2011/11/22 00:26:22 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/11/22 00:26:22 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/11/22 00:26:22 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/11/22 00:22:39 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/11/22 00:20:23 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/11/21 22:06:35 | 000,000,000 | ---D | C] -- C:\Users\MEDIACENTER2\AppData\Roaming\SUPERAntiSpyware.com
[2011/11/21 22:06:34 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/11/21 20:28:02 | 000,000,000 | ---D | C] -- C:\Users\MEDIACENTER2\AppData\Roaming\Malwarebytes
[2011/11/21 20:26:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/21 20:26:43 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/11/21 20:20:16 | 000,489,472 | ---- | C] (Reсvr Corp) -- C:\ProgramData\rKxvcCJKbICCWeF.exe
[2011/11/20 22:59:38 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2006/11/03 17:07:06 | 000,385,928 | ---- | C] ( ) -- C:\Windows\System32\dlcxih.exe
[2006/11/03 17:07:04 | 000,537,480 | ---- | C] ( ) -- C:\Windows\System32\dlcxcoms.exe
[2006/11/03 17:07:02 | 000,381,832 | ---- | C] ( ) -- C:\Windows\System32\dlcxcfg.exe
[2006/10/11 18:01:40 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\dlcxpmui.dll
[2006/10/11 17:59:56 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\dlcxserv.dll
[2006/10/11 17:54:10 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\dlcxcomm.dll
[2006/10/11 17:52:34 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\dlcxlmpm.dll
[2006/10/11 17:51:16 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\dlcxiesc.dll
[2006/10/11 17:48:58 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\dlcxpplc.dll
[2006/10/11 17:48:14 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\dlcxcomc.dll
[2006/10/11 17:47:42 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\dlcxprox.dll
[2006/10/11 17:41:42 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\dlcxinpa.dll
[2006/10/11 17:41:04 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\dlcxusb1.dll
[2006/10/11 17:37:14 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\dlcxhbn3.dll

========== Files - Modified Within 30 Days ==========

[2011/12/05 21:23:00 | 000,626,894 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/05 21:23:00 | 000,112,764 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/05 21:21:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/05 20:52:34 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\MEDIACENTER2\Desktop\OTL (1).exe
[2011/11/25 13:45:56 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/25 13:45:56 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/23 01:15:20 | 000,302,592 | ---- | M] () -- C:\Users\MEDIACENTER2\Desktop\c0x4bk8d.exe
[2011/11/22 13:28:29 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/11/22 12:59:59 | 000,000,480 | ---- | M] () -- C:\Windows\tasks\1-Click Maintenance.job
[2011/11/22 12:48:01 | 000,000,936 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3588807880-1084180615-2467039641-1003UA1cc8d614db3b9b0.job
[2011/11/22 10:12:08 | 002,086,240 | ---- | M] () -- C:\Users\MEDIACENTER2\Desktop\SecurityTaskManager_Setup.exe
[2011/11/22 08:44:07 | 000,000,941 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/22 07:59:56 | 004,303,750 | R--- | M] (Swearware) -- C:\Users\MEDIACENTER2\Desktop\HPCPCmbo.exe
[2011/11/22 07:59:06 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\MEDIACENTER2\Desktop\softball.bat.exe
[2011/11/22 07:51:26 | 000,684,297 | ---- | M] () -- C:\Users\MEDIACENTER2\Desktop\unhide.exe
[2011/11/22 07:32:16 | 001,008,092 | ---- | M] () -- C:\Users\MEDIACENTER2\Desktop\rkill.com
[2011/11/22 07:26:38 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\MEDIACENTER2\Desktop\hailmary.bat.exe
[2011/11/22 07:26:38 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\MEDIACENTER2\Desktop\aswMBR.exe
[2011/11/22 01:12:09 | 000,384,040 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/11/21 20:16:32 | 000,489,472 | ---- | M] (Reсvr Corp) -- C:\ProgramData\rKxvcCJKbICCWeF.exe
[2011/11/18 02:48:52 | 000,002,117 | ---- | M] () -- C:\Users\MEDIACENTER2\Desktop\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2011/11/23 01:47:25 | 000,302,592 | ---- | C] () -- C:\Users\MEDIACENTER2\Desktop\c0x4bk8d.exe
[2011/11/22 10:14:07 | 002,086,240 | ---- | C] () -- C:\Users\MEDIACENTER2\Desktop\SecurityTaskManager_Setup.exe
[2011/11/22 08:44:07 | 000,000,941 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/22 08:04:15 | 001,008,092 | ---- | C] () -- C:\Users\MEDIACENTER2\Desktop\rkill.com
[2011/11/22 08:04:15 | 000,684,297 | ---- | C] () -- C:\Users\MEDIACENTER2\Desktop\unhide.exe
[2011/11/22 01:11:56 | 000,384,040 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/11/22 00:26:22 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/11/22 00:26:22 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/11/22 00:26:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/11/22 00:26:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/11/22 00:26:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/10/03 01:00:24 | 000,014,713 | ---- | C] () -- C:\Windows\System32\RaCoInst.dat
[2011/10/03 00:57:50 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010/12/06 20:18:50 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010/12/06 20:18:50 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/11 18:34:48 | 002,215,364 | ---- | C] () -- C:\Windows\System32\igklg400.bin
[2008/02/11 18:34:48 | 001,971,732 | ---- | C] () -- C:\Windows\System32\igklg450.bin
[2008/02/11 18:34:48 | 000,029,932 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.bin
[2008/01/02 16:57:36 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/01/02 16:47:22 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/01/02 16:47:22 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2007/11/26 06:00:21 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/11/26 06:00:21 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1322.dll
[2007/11/26 06:00:21 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/11/25 22:45:45 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/11/25 22:25:53 | 000,000,075 | RHS- | C] () -- C:\Windows\CT4CET.bin
[2007/11/25 22:24:31 | 000,031,616 | ---- | C] () -- C:\Windows\System32\drivers\livecamv.sys
[2007/11/25 22:19:48 | 000,000,628 | ---- | C] () -- C:\Windows\System32\PCI_VEN_1102&DEV_FF05&SUBSYS_00001102.ini
[2007/11/25 22:19:47 | 000,101,376 | ---- | C] () -- C:\Windows\System32\APOMngr.dll
[2007/11/25 22:19:47 | 000,066,560 | ---- | C] () -- C:\Windows\System32\CmdRtr.dll
[2007/11/25 22:15:59 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2006/11/10 08:26:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/07 14:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,626,894 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,112,764 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/28 10:31:44 | 000,344,064 | ---- | C] () -- C:\Windows\System32\dlcxcoin.dll
[2006/10/20 20:07:32 | 000,106,496 | ---- | C] () -- C:\Windows\System32\dlcxinsr.dll
[2006/10/20 20:06:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dlcxcur.dll
[2006/10/20 20:03:28 | 000,139,264 | ---- | C] () -- C:\Windows\System32\dlcxjswr.dll
[2006/10/20 19:57:40 | 000,176,128 | ---- | C] () -- C:\Windows\System32\dlcxinsb.dll
[2006/10/20 19:56:52 | 000,086,016 | ---- | C] () -- C:\Windows\System32\dlcxcub.dll
[2006/10/20 19:55:28 | 000,073,728 | ---- | C] () -- C:\Windows\System32\dlcxcu.dll
[2006/10/20 19:54:42 | 000,176,128 | ---- | C] () -- C:\Windows\System32\dlcxins.dll
[2006/10/20 19:48:38 | 000,454,656 | ---- | C] () -- C:\Windows\System32\dlcxutil.dll
[2006/10/20 19:46:42 | 000,188,416 | ---- | C] () -- C:\Windows\System32\dlcxgrd.dll
[2006/09/22 07:42:38 | 000,065,536 | ---- | C] () -- C:\Windows\System32\dlcxcaps.dll
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/09/06 06:13:14 | 000,073,728 | ---- | C] () -- C:\Windows\System32\dlcxcfg.dll
[2006/08/08 15:58:04 | 000,692,224 | ---- | C] () -- C:\Windows\System32\dlcxdrs.dll
[2006/04/24 15:09:58 | 000,040,960 | ---- | C] () -- C:\Windows\System32\dlcxvs.dll
[2006/03/19 19:03:04 | 000,061,440 | ---- | C] () -- C:\Windows\System32\dlcxcnv4.dll

========== LOP Check ==========

[2011/11/22 12:59:59 | 000,000,480 | ---- | M] () -- C:\Windows\Tasks\1-Click Maintenance.job
[2011/11/22 13:28:30 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >



Extras.txt:


OTL Extras logfile created on: 12/5/2011 9:24:03 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\MEDIACENTER2\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 85.58% Memory free
4.39 Gb Paging File | 4.14 Gb Available in Paging File | 94.19% Paging File free
Paging file location(s): c:\pagefile.sys 1536 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.78 Gb Total Space | 57.91 Gb Free Space | 26.00% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.04 Gb Free Space | 50.41% Space Free | Partition Type: NTFS
Drive G: | 7.46 Gb Total Space | 1.50 Gb Free Space | 20.12% Space Free | Partition Type: FAT32

Computer Name: SLIM-PC | User Name: MEDIACENTER2 | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3588807880-1084180615-2467039641-1003]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05A65FF0-D7C8-4B8A-91FA-A4410184E896}" = lport=138 | protocol=17 | dir=in | app=system |
"{070527B2-083E-4618-930D-A1E887FC4FF5}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{10D51BD3-0900-40C6-857D-EE28B0C3C61F}" = lport=445 | protocol=6 | dir=in | app=system |
"{1CB51A19-6766-43F0-A0B5-3874D11B298D}" = lport=10243 | protocol=6 | dir=in | app=system |
"{317DAB73-87DC-4AE7-883D-79078E85C01F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{355B5E51-C4C7-4EDA-8788-B57B5C79BA08}" = lport=137 | protocol=17 | dir=in | app=system |
"{3A941485-166A-4FD9-A857-2B6270C1E084}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5A89F21A-845E-43FC-84DF-401091EB8848}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5BE0971C-1372-4DCD-B6CF-C5EF11DFBA33}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{77B1278B-ABB2-4B2E-8DC4-F68547DAF442}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7DC4487E-5CE6-4490-B78C-A19DCA9B66D9}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{8B784624-16A5-460F-8250-0D6E7AF800BD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{942063D4-B5C3-4B87-AC5E-6AC9C4B57848}" = lport=139 | protocol=6 | dir=in | app=system |
"{94928816-274C-44AC-A643-EA256894370C}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{A28010C5-D09E-47DE-99E0-7A00EA974F9A}" = rport=445 | protocol=6 | dir=out | app=system |
"{B513B3EA-A017-42AA-A9D3-96C3CC6F0EF2}" = rport=137 | protocol=17 | dir=out | app=system |
"{CE6622F7-04F2-4DA3-A22C-2977B26395F9}" = rport=10243 | protocol=6 | dir=out | app=system |
"{D5F7A16E-0792-4923-BF39-F4150519EB3B}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D70361FE-A66C-41CF-B40E-CF71F3F6D702}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{DA01B061-5852-4770-9D91-B9B4741F03E1}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DBCEC716-0401-44BA-9B41-A7AB045AED6A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{E775FE29-8A96-4649-AFE2-DEF68FE8600C}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E98276D3-1C70-4E64-852D-A0005D864C06}" = rport=139 | protocol=6 | dir=out | app=system |
"{E9B34A0B-0C5D-4408-BE0E-BD702AB9789F}" = rport=138 | protocol=17 | dir=out | app=system |
"{EE4EFB64-5903-4C25-A893-CC6E0FFFF096}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{F4024CBE-FF23-4AC7-86DF-D7951F3C90BD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FEE9D989-E6CE-4E32-B64F-D13928BFF2FF}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0121BBC7-8266-49C1-9C24-CFD91EB711D8}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{13F98C07-0CBE-4CC1-84B9-5840C8D1CA92}" = protocol=6 | dir=out | app=system |
"{17E3DCFC-E1B1-4FA4-A229-8B9D558B3B7E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1918D8B8-EDB1-4F6D-9F1B-83798C482D34}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{19C25984-056C-42F8-A0E3-B71CBB1B2883}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{1AB68850-E066-45EB-9A45-E7FF6F0007EA}" = protocol=6 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{1BAD16F3-8EA6-4F8D-995C-7CE2E42FFAFD}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{1E4A77B3-E027-43B5-A2F7-2758A81BD507}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{3CE43AD7-7AAA-4F6E-9C0D-559BE0B5DD7F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{3F538A9A-6129-4F3B-8D3A-E2CF7A21C758}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{4856AA43-1A43-4CC2-8A48-35A4C2452A25}" = protocol=17 | dir=in | app=c:\windows\system32\dlcxcoms.exe |
"{517A8B3E-AE80-4C9F-BE7C-F5F6AE3CBE9A}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{676E5E26-F894-472E-B38D-3B576D790836}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{71F58C98-B7B9-44E7-95F3-A3EF280FD7C3}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{724F8FC0-1F7E-4689-82E2-C7A20ADCBED4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{72A8A2AA-E5A6-435D-AF5D-1E4AB513E3FF}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{733A1B17-AC56-4244-8485-0AA59C3CB82D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{7D26A6DF-D8B5-47E0-B731-8D642B110886}" = protocol=17 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{89705139-D32B-421D-B3E2-A2B7140AAE69}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{939EF21F-B133-4E2C-9CE0-449A0B858FD9}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{D1921EB8-D7AC-4310-9776-3AE70719395F}" = protocol=6 | dir=in | app=c:\windows\system32\dlcxcoms.exe |
"{D624311D-E9D4-4F33-A27E-64E40EE88C7A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E683ECEF-19F7-4691-9514-800883FCEA0A}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{EA110AFA-EDE0-465E-A92F-487E0D557F59}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{EB93812F-9F88-4C5D-88AE-B735677079A7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{EC6ADBF3-0154-4EA4-A491-EEE232D8819C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"TCP Query User{35B61918-17D4-4FA3-A8E3-EAFABD9E6546}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{187D8E93-451D-40A6-AA7A-75CDC7FFBB95}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{06040048-3E21-46D6-9A91-D927BA08F41D}" = Microsoft Encarta Encyclopedia Standard 2006
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{17E3A651-12B9-4149-BAE8-E6FB9A5ADC4F}" = Microsoft Works Suite Add-in for Microsoft Word
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 26
"{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}" = Dell DataSafe Online
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{5D95AD35-368F-47D5-B63A-A082DDF00116}" = Microsoft Digital Image Standard 2006 Editor
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{691F4068-81BF-49E3-B32E-FE3E16400112}" = Microsoft Digital Image Standard 2006 Library
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.11.0
"{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}" = Ralink RT2860 Wireless LAN Card
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F751C062-87DA-4D33-8A12-6E7F1D4C051C}" = Netflix in Windows Media Center
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"DELL Webcam Center" = DELL Webcam Center
"DELL Webcam Manager" = DELL Webcam Manager
"HDMI" = Intel® Graphics Media Accelerator Driver
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Money2006b" = Microsoft Money 2006
"PictureItPrem_v11" = Microsoft Digital Image Standard 2006
"PROSetDX" = Intel® PRO Network Connections 12.1.11.0
"Security Task Manager" = Security Task Manager 1.8d
"Works2006Setup" = Microsoft Works Suite 2006 Setup Launcher

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/22/2011 1:26:57 AM | Computer Name = SLIM-PC | Source = System Restore | ID = 8193
Description =

Error - 11/22/2011 2:40:06 AM | Computer Name = SLIM-PC | Source = VSS | ID = 18
Description =

Error - 11/22/2011 2:40:06 AM | Computer Name = SLIM-PC | Source = VSS | ID = 8193
Description =

Error - 11/22/2011 2:40:06 AM | Computer Name = SLIM-PC | Source = System Restore | ID = 8193
Description =

Error - 11/22/2011 9:03:07 AM | Computer Name = SLIM-PC | Source = EventSystem | ID = 4609
Description =

Error - 11/22/2011 9:11:35 AM | Computer Name = SLIM-PC | Source = EventSystem | ID = 4609
Description =

Error - 11/22/2011 9:23:19 AM | Computer Name = SLIM-PC | Source = VSS | ID = 18
Description =

Error - 11/22/2011 9:23:19 AM | Computer Name = SLIM-PC | Source = VSS | ID = 8193
Description =

Error - 11/22/2011 9:23:19 AM | Computer Name = SLIM-PC | Source = System Restore | ID = 8193
Description =

Error - 11/22/2011 10:53:19 AM | Computer Name = SLIM-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 0.0.0.0, time stamp 0x4d334d98,
faulting module iexplore.exe, version 0.0.0.0, time stamp 0x4d334d98, exception
code 0x40000015, fault offset 0x0008cb40, process id 0xa14, application start time
0x01cca926794ce853.

[ Media Center Events ]
Error - 6/25/2011 5:29:25 PM | Computer Name = MEDIACENTER2 | Source = ehRecvr | ID = 4
Description =

Error - 6/25/2011 5:35:17 PM | Computer Name = MEDIACENTER2 | Source = ehRecvr | ID = 4
Description =

Error - 7/5/2011 4:18:26 PM | Computer Name = MEDIACENTER2 | Source = ehRecvr | ID = 4
Description =

Error - 8/31/2011 11:25:09 PM | Computer Name = MEDIACENTER2 | Source = ehRecvr | ID = 4
Description =

[ System Events ]
Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 11/22/2011 2:28:28 PM | Computer Name = SLIM-PC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 12/5/2011 10:27:17 PM | Computer Name = SLIM-PC | Source = DCOM | ID = 10005
Description =


< End of report >

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:56 PM

Posted 06 December 2011 - 05:42 PM

No signs there of the danger files, so please run Combofix at this stage.

Please download ComboFix from one of these locations: * IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 bstrange (Topic Starter)

Posted 07 December 2011 - 01:14 AM

Ok so I tried to follow your instructions to the letter but there were obstacles:

- Could not get to this page regardless of how I tried: via run command, via IE or Chrome, via this page saved as MHT and clicking on the link. All attempts go to pages that are not this page, some sort of search results page that looks 'sort of' like Google. HOSTS file is Windows default btw (double checked).
- Downloaded Combofix to flash, restarted PC, loaded black desktop, no Windows shortcuts worked, no Ctrl+Alt+Del.
- Restarted safe mode with networking, same thing.
- Restarted safe mode (no networking); Combofix would extract to about 70% and disappear with the self extractor displaying "OUTPUT FOLDER C:\32788R22FWJFW". Regardless of how long I waited nothing further occurred.
- Removed network card and was able to start in normal mode.
- Ran Combofix; like safe mode, all disappeared at about 70% of extraction, but after a couple mins the creating restore point message would pop up, then the Scanning for infected files message... 30 mins + and never an entry for stage 1 complete, just a flashing cursor on the Administrator: AutoScan cmd window. Tried again after waiting 1 full hour and had system message PEV.3XE has stopped working with the option to cancel or go online and check. Chose close; Administrator: AutoScan stayed up but never progressed to stage 1.
- Ran rkill, then reran Combofix, watched TV for an hour or so, came back and it was on stage 3, went back to watching TV for another hour or so; looooong story short, 3hrs later it finally completes, results as follows:


ComboFix 11-12-06.01 - MEDIACENTER2 12/07/2011 0:03.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3060.2105 [GMT -5:00]
Running from: c:\users\MEDIACENTER2\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings.bin
c:\programdata\AMMYY\settings3.bin
c:\programdata\rKxvcCJKbICCWeF.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-07 05:32 . 2011-12-07 05:34 -------- d-----w- c:\users\MEDIACENTER2\AppData\Local\temp
2011-12-07 05:32 . 2011-12-07 05:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-07 04:43 . 2011-12-07 04:43 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A469F3F9-6777-4C84-BD17-2295C72C3BA3}\offreg.dll
2011-11-23 14:44 . 2011-11-23 14:44 -------- d-----w- c:\users\MEDIACENTER2\AppData\Local\Adobe
2011-11-22 17:41 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A469F3F9-6777-4C84-BD17-2295C72C3BA3}\mpengine.dll
2011-11-22 15:16 . 2011-11-22 15:19 -------- d-----w- c:\programdata\SecTaskMan
2011-11-22 15:16 . 2011-11-22 15:16 -------- d-----w- c:\program files\Security Task Manager
2011-11-22 03:06 . 2011-11-22 03:06 -------- d-----w- c:\users\MEDIACENTER2\AppData\Roaming\SUPERAntiSpyware.com
2011-11-22 03:06 . 2011-11-22 03:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-22 01:28 . 2011-11-22 01:28 -------- d-----w- c:\users\MEDIACENTER2\AppData\Roaming\Malwarebytes
2011-11-22 01:26 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 03:59 . 2011-11-21 03:59 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 00:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 00:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 16:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 16:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 00:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-17 11:22 4907008 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
2006-11-27 14:14 180224 ------w- c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 14:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3588807880-1084180615-2467039641-1003]
"EnableNotificationsRef"=dword:00000001
.
R0 nshhmx;nshhmx;c:\windows\System32\drivers\jfuj.sys [x]
R2 AmmyyAdmin;Ammyy Admin;c:\users\MEDIACENTER2\Desktop\AMMYY_Admin.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2009-01-20 517120]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe [2006-11-03 537480]
S1 SASDIFSV;SASDIFSV;c:\users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\users\MEDIACENTER2\Desktop\StandardPackage\OccasionalUse\SuperAntiSpyware\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\DRIVERS\OmniTV.sys [2008-04-29 401280]
S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2007-01-15 31616]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 14:09]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3588807880-1084180615-2467039641-1003Core1cc8d614cf3c510.job
- c:\users\MEDIACENTER2\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-26 03:06]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3588807880-1084180615-2467039641-1003UA1cc8d614db3b9b0.job
- c:\users\MEDIACENTER2\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-26 03:06]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-%PROVIDERID% - bin\sprtcmd.exe
MSConfigStartUp-DellSupport - c:\program files\DellSupport\DSAgnt.exe
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 00:34
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-07 00:50:12
ComboFix-quarantined-files.txt 2011-12-07 05:49
.
Pre-Run: 62,839,042,048 bytes free
Post-Run: 62,988,673,024 bytes free
.
- - End Of File - - FD7AD22D91EF336BB4A4538A834CF579
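A triage pass over the service and driver lines of a ComboFix log like the one above, added here as an example (not code from the page, from ComboFix or from either poster): it flags entries whose binary ComboFix marked [x] (not found on disk), boot-start drivers with a missing file or no descriptive name, and services whose image lives under a user-writable path. The sample lines are constructed from the shapes in this log, and the USER_WRITABLE list is an assumption of the example, not a ComboFix rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the service/driver lines ComboFix prints
# in the "Reg Loading Points" section of the log above.
SAMPLE_LOG = """\
R0 nshhmx;nshhmx;c:\\windows\\System32\\drivers\\jfuj.sys [x]
R2 AmmyyAdmin;Ammyy Admin;c:\\users\\MEDIACENTER2\\Desktop\\AMMYY_Admin.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\\windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe [2010-03-18 130384]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\\windows\\system32\\DRIVERS\\netr28.sys [2009-01-20 517120]
S1 SASDIFSV;SASDIFSV;c:\\users\\MEDIACENTER2\\Desktop\\StandardPackage\\OccasionalUse\\SuperAntiSpyware\\SUPERAntiSpyware\\SASDIFSV.SYS [2011-07-22 12880]
"""

# One line: <R|S><start type> <name>;<display name>;<image path> [<date size> | x]
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")

# Path fragments a service or driver binary normally has no business living under.
# Assumed watch-list for this example, not an exhaustive rule set.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass
class Service:
    state: str        # R = running, S = stopped
    start: int        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    present: bool     # False when ComboFix printed [x]: file not found on disk
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Parse every service/driver line; lines in any other format are ignored."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, start, name, display, path, stamp = m.groups()
        out.append(Service(state, int(start), name, display, path, stamp.strip() != "x"))
    return out


def triage(text):
    """Return only the entries that deserve a human look, with the reason for each.
    A legitimate tool run from the Desktop (SASDIFSV here) also trips the path rule,
    so the output is a review list, not a verdict."""
    flagged = []
    for svc in parse_services(text):
        low = svc.path.lower()
        if not svc.present:
            svc.reasons.append("binary missing on disk ([x]) but service still registered")
        if svc.start <= 1 and not svc.present:
            svc.reasons.append("boot/system-start driver with missing file: possible hidden rootkit driver")
        if any(tag in low for tag in USER_WRITABLE):
            svc.reasons.append("image path in a user-writable location")
        if svc.name == svc.display and svc.start == 0:
            svc.reasons.append("boot driver with no descriptive display name")
        if svc.reasons:
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        print(f"{svc.state}{svc.start} {svc.name}: {'; '.join(svc.reasons)}")
```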

#9 m0le (Malware Response Team)

Posted 07 December 2011 - 08:46 PM

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\32788R22FWJFW
  • Press Create button and post the content of the Result.txt.

m0le is a proud member of UNITE

#10 bstrange (Topic Starter)

Posted 07 December 2011 - 09:52 PM

It looks like that link is a 404

n/m got it now, changed 'Maker' from the posted link to 'Creator' and found the page

Result.txt

DummyCreator by Farbar
Ran by MEDIACENTER2 (administrator) on 07-12-2011 at 22:01:10
**************************************************************

C:\32788R22FWJFW [07-12-2011 22:01:11]

== End of log ==

Edited by bstrange, 07 December 2011 - 10:02 PM.


#11 m0le (Malware Response Team)

Posted 08 December 2011 - 09:04 PM

Looks like farbar renamed it. Thanks for the heads-up.

That file kills tools so you should now be able to run Combofix
m0le is a proud member of UNITE

#12 bstrange (Topic Starter)

Posted 08 December 2011 - 09:40 PM

So that first run (the one that took 3(ish) hours) produced a false report?

I'll run it again just to be safe if you'd like :)

Update: Tried to run combofix again as instructed. Error when opening:

"Error opening file for writing:

C:\32788R22FWJFW\023.dat

Click Abort to stop the installation,
Retry to try again, or
Ignore to skip the file."


I'm not sure, but I think we used DummyCreator to lock up the default combofix extract directory... will redownload CF and try again

Edit to Add: Redownloaded, replaced old combofix.exe on desktop, initialized it, program failed when it got to OUTPUT FOLDER C:\32788R22FWJFW

It would appear to me that C:\32788R22FWJFW is a hard coded extraction folder for CF... we need to undo what we did with DummyCreator

Edited by bstrange, 08 December 2011 - 09:55 PM.


#13 m0le (Malware Response Team)

Posted 10 December 2011 - 04:58 PM

Yes, I have mistaken the Combofix file for the ZeroAccess file. It might be an idea to delete DummyCreator and then uninstall Combofix.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


The first run would actually be okay now. Can you now run the ESET online scanner?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#14 bstrange (Topic Starter)

Posted 11 December 2011 - 01:10 PM

Eset found no additional viruses

Yay! :)

#15 m0le (Malware Response Team)

Posted 11 December 2011 - 07:35 PM

That's a good result. How is the machine running now though?
m0le is a proud member of UNITE
