
Unknown Virus/Infection


  • This topic is locked
40 replies to this topic

#1 swamptrack

swamptrack

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 06 March 2012 - 06:36 AM

A couple of days ago I noticed that my antivirus had stopped working (Avira Free Edition) and I could not access any other antivirus websites. I uninstalled Avira and downloaded Windows Defender onto a CD on another PC and installed it OK, but it would not update on the internet. I did some searching on the net and think I must have a virus, so downloaded SUPERAntiSpyware and Malwarebytes. Malwarebytes found Trojan.Zlob, Trojan.Inject, Trojan.Agent and Trojan.Ambler and removed them, but when I scanned again it found the same. SUPERAntiSpyware found 1 Trojan.

Also I can not boot up my PC in safe mode; it just starts with the black screen then re-boots to Windows.

I am running XP Home Service Pack 3.

I have attached the DDS and GMER logs on the advice of broni after first posting this in the "Am I infected?" forum.



#2 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:40 PM

Posted 08 March 2012 - 12:05 PM

Hello swamptrack,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

Please download ComboFix from the following location:
* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combofix icon Posted Image & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste (easier for me to read than attaching) the contents of the following:
  • C:\Combofix.txt
  • aswMBR Log

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#3 swamptrack

swamptrack
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 08 March 2012 - 01:26 PM

Hi Ratman,

I have completed the scans. I could not access the Bleeping Computer web page from my infected PC; is this a result of the virus?

ComboFix 12-03-04.01 - David Wieland 08/03/2012 17:37:07.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1520 [GMT 0:00]
Running from: c:\documents and settings\David Wieland\My Documents\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David Wieland\Local Settings\Application Data\ddjkwsdt.log
c:\documents and settings\David Wieland\Local Settings\Application Data\iulparor.log
c:\documents and settings\David Wieland\Local Settings\Application Data\kgywlrqf.log
c:\documents and settings\David Wieland\Local Settings\Application Data\lwgkhrxc.log
c:\documents and settings\David Wieland\Local Settings\Application Data\mtvafybs.log
c:\documents and settings\David Wieland\Local Settings\Application Data\pptrqnhw.log
c:\documents and settings\David Wieland\Local Settings\Application Data\wvaxfkcs.log
c:\documents and settings\David Wieland\Local Settings\Application Data\yoqurjgv.log
c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe
c:\documents and settings\LocalService\Local Settings\Application Data\ddjkwsdt.log
c:\documents and settings\LocalService\Local Settings\Application Data\iulparor.log
c:\documents and settings\LocalService\Local Settings\Application Data\lwgkhrxc.log
c:\documents and settings\LocalService\Local Settings\Application Data\mtvafybs.log
c:\documents and settings\LocalService\Local Settings\Application Data\pptrqnhw.log
c:\documents and settings\LocalService\Local Settings\Application Data\wvaxfkcs.log
c:\documents and settings\LocalService\Local Settings\Application Data\yoqurjgv.log
c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
.
.
2012-03-06 10:21 . 2012-03-08 17:51 98048 ---ha-w- c:\windows\system32\lDQrcf3
2012-03-05 10:44 . 2012-03-05 10:44 -------- d-----w- c:\documents and settings\David Wieland\Application Data\SUPERAntiSpyware.com
2012-03-05 10:44 . 2012-03-05 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-05 10:31 . 2012-03-05 10:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-05 09:33 . 2012-03-05 09:33 388096 ----a-r- c:\documents and settings\David Wieland\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-05 09:33 . 2012-03-05 09:33 -------- d-----w- c:\program files\Trend Micro
2012-03-05 08:45 . 2012-03-08 17:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar
2012-03-04 14:10 . 2012-03-04 14:10 -------- d-----w- c:\program files\Windows Defender
2012-03-04 09:56 . 2012-03-04 09:56 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-03-04 07:57 . 2012-03-04 07:57 -------- d-----w- c:\documents and settings\David Wieland\Application Data\Malwarebytes
2012-03-04 07:57 . 2012-03-04 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-04 07:57 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-03 19:17 . 2012-03-03 19:17 -------- d-----w- c:\program files\AVAST Software
2012-03-03 19:17 . 2012-03-04 09:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-03 17:04 . 2006-09-25 16:37 90112 ----a-w- c:\windows\system32\AVASTSS.scr
2012-03-03 17:04 . 2004-01-09 10:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2012-03-03 13:58 . 2012-03-06 16:08 -------- d-----w- c:\documents and settings\David Wieland\Local Settings\Application Data\byhpyhar
2012-02-27 17:04 . 2011-02-21 21:25 2323520 ----a-w- c:\windows\system32\gdpicturepro5.ocx
2012-02-27 17:04 . 2011-02-10 23:34 6600192 ----a-w- c:\windows\system32\LicProtector310.exe
2012-02-26 15:43 . 2012-02-26 15:43 -------- d-----w- c:\windows\speech
2012-02-26 15:42 . 1999-01-12 16:19 195584 ----a-w- c:\windows\system32\XVoice.dll
2012-02-26 15:42 . 1999-10-09 15:11 190464 ----a-w- c:\windows\system32\landplot.dll
2012-02-26 15:42 . 1997-01-16 01:00 958224 ----a-w- c:\windows\system32\MSCHART.OCX
2012-02-26 15:40 . 1997-01-16 01:00 71680 ----a-w- c:\windows\ST5UNST.EXE
2012-02-26 15:40 . 1997-01-16 01:00 29696 ----a-w- c:\windows\system32\VB5StKit.dll
2012-02-16 10:50 . 2012-02-16 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-02-15 22:30 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 22:30 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2002-08-29 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-01 10:00 . 2012-01-01 10:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46 . 2006-06-23 10:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 68856]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-20 385024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"QveCtl2Tray"="c:\program files\Philips\PSA2\skin\QveCplSk.EXE" [2002-11-04 671744]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="d:\program files\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
"JfvBcqka"="c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe" [2012-03-08 98048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
jfvbcqka.exe [2012-3-8 98048]
.
c:\documents and settings\David Wieland\Start Menu\Programs\Startup\
jfvbcqka.exe [2012-3-6 98048]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- d:\program files\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\program files from c\\Return to Castle Wolfenstein\\WolfMP.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;d:\program files\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;d:\program files\SASKUTIL.SYS [12/07/2011 21:55 67664]
R2 !SASCORE;SAS Core Service;d:\program files\SASCore.exe [11/08/2011 23:38 116608]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [03/05/2011 17:11 10448]
R2 MBAMService;MBAMService;d:\program files\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [04/03/2012 07:57 652360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/03/2012 07:57 20464]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [30/09/2006 14:25 365460]
R3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;c:\windows\system32\drivers\QsndEnum.sys [30/09/2006 14:25 9600]
R3 QSoftAud;Philips Sound Agent 2 (WDM);c:\windows\system32\drivers\QSoftAud.sys [30/09/2006 14:25 411008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2011 16:59 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\DAVIDW~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\DAVIDW~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2011 16:59 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [04/03/2012 09:56 24064]
S3 pohci13F;pohci13F;\??\c:\docume~1\DAVIDW~1\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\DAVIDW~1\LOCALS~1\Temp\pohci13F.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/08/2002 12:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 16:59]
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 16:59]
.
2012-03-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} - hxxp://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-08 17:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A89BF71-126A-2666-9EF6-72C920DC9C60}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hajlianbhkclmmag"=hex:61,61,00,00
"hajlianbnkilfjni"=hex:61,61,00,00
"iankgkpoogcjefdjjc"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,6b,
6b,64,00,30
"hadolciaolbomfjl"=hex:6a,61,67,70,6f,67,6a,6d,6a,65,6d,66,68,67,6c,68,6c,6f,
66,6d,00,30
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0A89BF71-126A-2666-9EF6-72C920DC9C60}\InProcServer32*]
"iahobhpillemggddpb"=hex:61,61,00,00
"iahobhpillkkmghhnh"=hex:61,61,00,00
"jahofjhmiofkhfhgekpp"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,
6b,6b,64,00,30
"iaholknipgpnohebem"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,6b,
6b,64,00,30
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(900)
d:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2012-03-08 18:09:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-08 18:09
ComboFix2.txt 2012-03-05 08:57
.
Pre-Run: 11,026,415,616 bytes free
Post-Run: 11,115,175,936 bytes free
.
- - End Of File - - ACC92165C3B22FF607CEFDE27A4A535F

aswMBR version 0.9.9.1649 Copyright © 2011 AVAST Software
Run date: 2012-03-08 18:10:23
-----------------------------
18:10:23.262 OS Version: Windows 5.1.2600 Service Pack 3
18:10:23.262 Number of processors: 1 586 0xA00
18:10:23.262 ComputerName: DAVID-GCET3PMFR UserName: David Wieland
18:10:24.504 Initialize success
18:10:44.542 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:10:44.542 Disk 0 Vendor: MAXTOR_6L040J2 AR1.0400 Size: 38172MB BusType: 3
18:10:44.552 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
18:10:44.552 Disk 1 Vendor: Maxtor_6Y120L0 YAR41VW0 Size: 117246MB BusType: 3
18:10:44.572 Disk 0 MBR read successfully
18:10:44.572 Disk 0 MBR scan
18:10:44.572 Disk 0 Windows XP default MBR code
18:10:44.572 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38162 MB offset 63
18:10:44.592 Disk 0 scanning sectors +78156225
18:10:44.683 Disk 0 scanning C:\WINDOWS\system32\drivers
18:11:06.764 Service scanning
18:11:47.733 Modules scanning
18:12:44.685 Disk 0 trace - called modules:
18:12:44.715 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys
18:12:44.725 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa28ab8]
18:12:44.725 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\0000005f[0x8aa2f890]
18:12:44.725 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8aa32d98]
18:12:44.725 Scan finished successfully
18:13:01.730 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Wieland\Desktop\MBR.dat"
18:13:01.810 The log file has been saved successfully to "C:\Documents and Settings\David Wieland\Desktop\aswMBR.txt"
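The ComboFix log above shows several persistence mechanisms worth recognising on sight: the Userinit value chained to jfvbcqka.exe, the Run entry and bare Startup-folder copies launching from the LocalService profile, and the Security Center override flags that suppress the "antivirus/firewall is off" warnings. As an added example (not part of this thread or of ComboFix), the Python helper below parses the "Reg Loading Points" section as pasted and flags those patterns; the rule names and the path markers it treats as suspicious are triage heuristics chosen for this example, not ComboFix's own logic.

```python
"""Triage a ComboFix "Reg Loading Points" section for persistence red flags.

Added example written for this thread; it is not part of ComboFix or of the
original posts. It reads the REGEDIT4-style text ComboFix prints and flags:
a Userinit value chaining a second program, Run entries launching from a
LocalService profile or Local Settings\\Application Data, bare executables in
a Startup folder, and Security Center override flags. Heuristics only.
"""
import ntpath
import re
from dataclasses import dataclass

# Excerpt of the ComboFix log posted in this thread, trimmed to the lines the
# rules below look at (sample input; the full log is on the page above).
SAMPLE_LOG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]',
    ".",
    r"[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]',
    r'"JfvBcqka"="c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe" [2012-03-08 98048]',
    ".",
    "c:\\windows\\system32\\config\\systemprofile\\Start Menu\\Programs\\Startup\\",
    "jfvbcqka.exe [2012-3-8 98048]",
    ".",
    "c:\\documents and settings\\All Users\\Start Menu\\Programs\\Startup\\",
    r"Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]",
    ".",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]",
    r'"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe"',
    ".",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    '"AntiVirusOverride"=dword:00000001',
    '"FirewallOverride"=dword:00000001',
    ".",
])

# "name"="string data" [date size]   or   "name"=dword:00000001
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|(\S+))')
# Startup-folder entry as ComboFix prints it: <name>[ - <target>] [yyyy-m-d size]
ENTRY_RE = re.compile(r"^(.+?) \[\d{4}-\d{1,2}-\d{1,2} \d+\]$")
# Path fragments legitimate autostart entries almost never live in (heuristic).
SUSPECT_PATH_MARKERS = ("\\localservice\\", "\\local settings\\application data\\")

@dataclass(frozen=True)
class Finding:
    rule: str
    location: str  # registry key or Startup folder the entry was found under
    detail: str

def check_registry_value(key: str, name: str, data: str) -> list:
    """Apply the per-key rules to one registry value."""
    k = key.lower()
    out = []
    if k.endswith("\\winlogon") and name.lower() == "userinit":
        # Userinit is a comma-separated list; only userinit.exe belongs there.
        for prog in (p.strip() for p in data.split(",")):
            if prog and ntpath.basename(prog).lower() != "userinit.exe":
                out.append(Finding("userinit-chain", key, prog))
    elif k.endswith(("\\run", "\\runonce")):
        if any(marker in data.lower() for marker in SUSPECT_PATH_MARKERS):
            out.append(Finding("run-from-profile-appdata", key, f"{name} -> {data}"))
    elif k.endswith("\\security center") and name.lower() in ("antivirusoverride", "firewalloverride"):
        # dword:1 tells Security Center to stop warning that AV/firewall is off.
        if data.lower() == "dword:00000001":
            out.append(Finding("security-center-override", key, name))
    return out

def check_startup_entry(folder: str, entry: str) -> list:
    """A bare .exe in a Startup folder is unusual; installers drop .lnk files."""
    target = entry.split(" - ")[0].strip()
    if target.lower().endswith(".exe"):
        return [Finding("exe-in-startup-folder", folder, target)]
    return []

def audit_reg_loading_points(text: str) -> list:
    """Walk the section line by line, tracking the current key or folder."""
    findings = []
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            location = line[1:-1]  # registry key header
            continue
        if line.endswith("\\"):
            location = line  # Startup folder header
            continue
        if location is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            data = m.group(2) if m.group(2) is not None else m.group(3)
            findings.extend(check_registry_value(location, m.group(1), data))
            continue
        m = ENTRY_RE.match(line)
        if m and location.endswith("\\"):
            findings.extend(check_startup_entry(location, m.group(1)))
    return findings

if __name__ == "__main__":
    for f in audit_reg_loading_points(SAMPLE_LOG):
        print(f"[{f.rule}] {f.location}\n    {f.detail}")
```

Run against the excerpt it reports five findings: the Run entry and the systemprofile Startup copy of jfvbcqka.exe, the Userinit chain, and both Security Center overrides, while the ordinary Adobe, CTFMON and Office entries pass.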

#4 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:40 PM

Posted 08 March 2012 - 06:38 PM

Hello swamptrack,

I could not access the bleeping computers web page from my infected pc is this a result of the virus?

This is quite possible; it has been seen before.

I need you to run a CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

DDS::
uRun: [JfvBcqka] c:\documents and settings\localservice\local settings\application data\byhpyhar\jfvbcqka.exe
dRun: [JfvBcqka] c:\documents and settings\localservice\local settings\application data\byhpyhar\jfvbcqka.exe

File::
c:\windows\system32\lDQrcf3


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==============================================================================



In your next reply, please copy/paste the contents of the following:
  • C:\ComboFix.txt
How is your machine behaving now?

regards, ratman




#5 swamptrack

swamptrack
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 09 March 2012 - 03:19 AM

Hi ratman,

Thanks for your fast response. I have completed the new scan and posted it below.
My infected PC will now access the Bleeping Computer web page but no other antivirus web pages, and Windows Defender still does not update (error found: Code 0x80072efd).
I also tried booting in safe mode and this still starts the black page with the scrolling text, then just re-boots.

ComboFix 12-03-04.01 - David Wieland 09/03/2012 7:36.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1542 [GMT 0:00]
Running from: c:\documents and settings\David Wieland\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Wieland\Desktop\CFScript.txt,.txt
.
FILE ::
"c:\windows\system32\lDQrcf3"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\localservice\local settings\application data\byhpyhar\jfvbcqka.exe
c:\documents and settings\LocalService\Local Settings\Application Data\ddjkwsdt.log
c:\documents and settings\LocalService\Local Settings\Application Data\lwgkhrxc.log
c:\documents and settings\LocalService\Local Settings\Application Data\mtvafybs.log
c:\documents and settings\LocalService\Local Settings\Application Data\pptrqnhw.log
c:\documents and settings\LocalService\Local Settings\Application Data\wvaxfkcs.log
c:\documents and settings\LocalService\Local Settings\Application Data\yoqurjgv.log
c:\windows\system32\lDQrcf3
c:\documents and settings\localservice\local settings\application data\byhpyhar\jfvbcqka.exe . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-05 10:44 . 2012-03-05 10:44 -------- d-----w- c:\documents and settings\David Wieland\Application Data\SUPERAntiSpyware.com
2012-03-05 10:44 . 2012-03-05 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-05 10:31 . 2012-03-05 10:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-05 09:33 . 2012-03-05 09:33 388096 ----a-r- c:\documents and settings\David Wieland\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-05 09:33 . 2012-03-05 09:33 -------- d-----w- c:\program files\Trend Micro
2012-03-05 08:45 . 2012-03-09 07:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar
2012-03-04 14:10 . 2012-03-04 14:10 -------- d-----w- c:\program files\Windows Defender
2012-03-04 09:56 . 2012-03-04 09:56 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-03-04 07:57 . 2012-03-04 07:57 -------- d-----w- c:\documents and settings\David Wieland\Application Data\Malwarebytes
2012-03-04 07:57 . 2012-03-04 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-04 07:57 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-03 19:17 . 2012-03-03 19:17 -------- d-----w- c:\program files\AVAST Software
2012-03-03 19:17 . 2012-03-04 09:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-03 17:04 . 2006-09-25 16:37 90112 ----a-w- c:\windows\system32\AVASTSS.scr
2012-03-03 17:04 . 2004-01-09 10:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2012-03-03 13:58 . 2012-03-06 16:08 -------- d-----w- c:\documents and settings\David Wieland\Local Settings\Application Data\byhpyhar
2012-02-27 17:04 . 2011-02-21 21:25 2323520 ----a-w- c:\windows\system32\gdpicturepro5.ocx
2012-02-27 17:04 . 2011-02-10 23:34 6600192 ----a-w- c:\windows\system32\LicProtector310.exe
2012-02-26 15:43 . 2012-02-26 15:43 -------- d-----w- c:\windows\speech
2012-02-26 15:42 . 1999-01-12 16:19 195584 ----a-w- c:\windows\system32\XVoice.dll
2012-02-26 15:42 . 1999-10-09 15:11 190464 ----a-w- c:\windows\system32\landplot.dll
2012-02-26 15:42 . 1997-01-16 01:00 958224 ----a-w- c:\windows\system32\MSCHART.OCX
2012-02-26 15:40 . 1997-01-16 01:00 71680 ----a-w- c:\windows\ST5UNST.EXE
2012-02-26 15:40 . 1997-01-16 01:00 29696 ----a-w- c:\windows\system32\VB5StKit.dll
2012-02-16 10:50 . 2012-02-16 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-02-15 22:30 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 22:30 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2002-08-29 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-01 10:00 . 2012-01-01 10:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46 . 2006-06-23 10:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 68856]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-20 385024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"QveCtl2Tray"="c:\program files\Philips\PSA2\skin\QveCplSk.EXE" [2002-11-04 671744]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="d:\program files\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
"JfvBcqka"="c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe" [2012-03-09 98048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
jfvbcqka.exe [2012-3-9 98048]
.
c:\documents and settings\David Wieland\Start Menu\Programs\Startup\
jfvbcqka.exe [2012-3-6 98048]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- d:\program files\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\program files from c\\Return to Castle Wolfenstein\\WolfMP.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;d:\program files\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;d:\program files\SASKUTIL.SYS [12/07/2011 21:55 67664]
R2 !SASCORE;SAS Core Service;d:\program files\SASCore.exe [11/08/2011 23:38 116608]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [03/05/2011 17:11 10448]
R2 MBAMService;MBAMService;d:\program files\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [04/03/2012 07:57 652360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/03/2012 07:57 20464]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [30/09/2006 14:25 365460]
R3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;c:\windows\system32\drivers\QsndEnum.sys [30/09/2006 14:25 9600]
R3 QSoftAud;Philips Sound Agent 2 (WDM);c:\windows\system32\drivers\QSoftAud.sys [30/09/2006 14:25 411008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2011 16:59 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\DAVIDW~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\DAVIDW~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2011 16:59 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [04/03/2012 09:56 24064]
S3 pohci13F;pohci13F;\??\c:\docume~1\DAVIDW~1\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\DAVIDW~1\LOCALS~1\Temp\pohci13F.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/08/2002 12:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 16:59]
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 16:59]
.
2012-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} - hxxp://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-09 07:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A89BF71-126A-2666-9EF6-72C920DC9C60}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hajlianbhkclmmag"=hex:61,61,00,00
"hajlianbnkilfjni"=hex:61,61,00,00
"iankgkpoogcjefdjjc"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,6b,
6b,64,00,30
"hadolciaolbomfjl"=hex:6a,61,67,70,6f,67,6a,6d,6a,65,6d,66,68,67,6c,68,6c,6f,
66,6d,00,30
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0A89BF71-126A-2666-9EF6-72C920DC9C60}\InProcServer32*]
"iahobhpillemggddpb"=hex:61,61,00,00
"iahobhpillkkmghhnh"=hex:61,61,00,00
"jahofjhmiofkhfhgekpp"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,
6b,6b,64,00,30
"iaholknipgpnohebem"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,6b,
6b,64,00,30
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
d:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2012-03-09 08:04:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-09 08:04
ComboFix2.txt 2012-03-08 18:09
ComboFix3.txt 2012-03-05 08:57
.
Pre-Run: 11,072,884,736 bytes free
Post-Run: 11,113,508,864 bytes free
.
- - End Of File - - A35C06FC371CFC6AF619DF5A3165AD35

#6 ratman (Malware Response Team, 1,799 posts, Scotland)

Posted 09 March 2012 - 09:20 AM

Hello swamptrack,

I need you to run another CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\jfvbcqka.exe
c:\documents and settings\David Wieland\Start Menu\Programs\Startup\jfvbcqka.exe

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"JfvBcqka"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,"


Save this as CFScript.txt, in the same location as ComboFix.exe


[image omitted]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==============================================================================

I want you to run TDSSKiller:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

===================================================================================


In your next reply, please copy/paste the contents of the following:
  • C:\ComboFix.txt
  • TDSSKiller Log
How is your machine running now?

regards, ratman




#7 swamptrack (Topic Starter, Members, 22 posts)

Posted 09 March 2012 - 10:30 AM

Hello ratman,

Ran ComboFix, results below; also ran TDSSKiller, which found nothing.
Computer seems the same: can't access antivirus web pages and can't load in safe mode.


ComboFix 12-03-04.01 - David Wieland 09/03/2012 14:43:48.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT 0:00]
Running from: c:\documents and settings\David Wieland\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Wieland\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\David Wieland\Start Menu\Programs\Startup\jfvbcqka.exe"
"c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\jfvbcqka.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David Wieland\Start Menu\Programs\Startup\jfvbcqka.exe
c:\documents and settings\LocalService\Local Settings\Application Data\ddjkwsdt.log
c:\documents and settings\LocalService\Local Settings\Application Data\lwgkhrxc.log
c:\documents and settings\LocalService\Local Settings\Application Data\mtvafybs.log
c:\documents and settings\LocalService\Local Settings\Application Data\pptrqnhw.log
c:\documents and settings\LocalService\Local Settings\Application Data\wvaxfkcs.log
c:\documents and settings\LocalService\Local Settings\Application Data\yoqurjgv.log
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\jfvbcqka.exe
c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar . . . . Failed to delete
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\jfvbcqka.exe . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 08:22 . 2012-03-09 15:00 98048 ---ha-w- c:\windows\system32\lDQrcf3
2012-03-05 10:44 . 2012-03-05 10:44 -------- d-----w- c:\documents and settings\David Wieland\Application Data\SUPERAntiSpyware.com
2012-03-05 10:44 . 2012-03-05 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-05 10:31 . 2012-03-05 10:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-05 09:33 . 2012-03-05 09:33 388096 ----a-r- c:\documents and settings\David Wieland\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-05 09:33 . 2012-03-05 09:33 -------- d-----w- c:\program files\Trend Micro
2012-03-05 08:45 . 2012-03-09 15:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar
2012-03-04 14:10 . 2012-03-04 14:10 -------- d-----w- c:\program files\Windows Defender
2012-03-04 09:56 . 2012-03-04 09:56 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-03-04 07:57 . 2012-03-04 07:57 -------- d-----w- c:\documents and settings\David Wieland\Application Data\Malwarebytes
2012-03-04 07:57 . 2012-03-04 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-04 07:57 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-03 19:17 . 2012-03-03 19:17 -------- d-----w- c:\program files\AVAST Software
2012-03-03 19:17 . 2012-03-04 09:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-03 17:04 . 2006-09-25 16:37 90112 ----a-w- c:\windows\system32\AVASTSS.scr
2012-03-03 17:04 . 2004-01-09 10:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2012-03-03 13:58 . 2012-03-06 16:08 -------- d-----w- c:\documents and settings\David Wieland\Local Settings\Application Data\byhpyhar
2012-02-27 17:04 . 2011-02-21 21:25 2323520 ----a-w- c:\windows\system32\gdpicturepro5.ocx
2012-02-27 17:04 . 2011-02-10 23:34 6600192 ----a-w- c:\windows\system32\LicProtector310.exe
2012-02-26 15:43 . 2012-02-26 15:43 -------- d-----w- c:\windows\speech
2012-02-26 15:42 . 1999-01-12 16:19 195584 ----a-w- c:\windows\system32\XVoice.dll
2012-02-26 15:42 . 1999-10-09 15:11 190464 ----a-w- c:\windows\system32\landplot.dll
2012-02-26 15:42 . 1997-01-16 01:00 958224 ----a-w- c:\windows\system32\MSCHART.OCX
2012-02-26 15:40 . 1997-01-16 01:00 71680 ----a-w- c:\windows\ST5UNST.EXE
2012-02-26 15:40 . 1997-01-16 01:00 29696 ----a-w- c:\windows\system32\VB5StKit.dll
2012-02-16 10:50 . 2012-02-16 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-02-15 22:30 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 22:30 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2002-08-29 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-01 10:00 . 2012-01-01 10:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46 . 2006-06-23 10:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 68856]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-20 385024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"QveCtl2Tray"="c:\program files\Philips\PSA2\skin\QveCplSk.EXE" [2002-11-04 671744]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="d:\program files\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
"JfvBcqka"="c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe" [2012-03-09 98048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
jfvbcqka.exe [2012-3-9 98048]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- d:\program files\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\program files from c\\Return to Castle Wolfenstein\\WolfMP.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"d:\\Program Files\\Farming Simulator 2011 Demo\\FarmingSimulator2011.exe"=
"d:\\Program Files\\Farming Simulator 2011 Demo\\game.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;d:\program files\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;d:\program files\SASKUTIL.SYS [12/07/2011 21:55 67664]
R2 !SASCORE;SAS Core Service;d:\program files\SASCore.exe [11/08/2011 23:38 116608]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [03/05/2011 17:11 10448]
R2 MBAMService;MBAMService;d:\program files\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [04/03/2012 07:57 652360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/03/2012 07:57 20464]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [30/09/2006 14:25 365460]
R3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;c:\windows\system32\drivers\QsndEnum.sys [30/09/2006 14:25 9600]
R3 QSoftAud;Philips Sound Agent 2 (WDM);c:\windows\system32\drivers\QSoftAud.sys [30/09/2006 14:25 411008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2011 16:59 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\DAVIDW~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\DAVIDW~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2011 16:59 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [04/03/2012 09:56 24064]
S3 pohci13F;pohci13F;\??\c:\docume~1\DAVIDW~1\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\DAVIDW~1\LOCALS~1\Temp\pohci13F.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/08/2002 12:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 16:59]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 16:59]
.
2012-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} - hxxp://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-09 15:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A89BF71-126A-2666-9EF6-72C920DC9C60}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hajlianbhkclmmag"=hex:61,61,00,00
"hajlianbnkilfjni"=hex:61,61,00,00
"iankgkpoogcjefdjjc"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,6b,
6b,64,00,30
"hadolciaolbomfjl"=hex:6a,61,67,70,6f,67,6a,6d,6a,65,6d,66,68,67,6c,68,6c,6f,
66,6d,00,30
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0A89BF71-126A-2666-9EF6-72C920DC9C60}\InProcServer32*]
"iahobhpillemggddpb"=hex:61,61,00,00
"iahobhpillkkmghhnh"=hex:61,61,00,00
"jahofjhmiofkhfhgekpp"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,
6b,6b,64,00,30
"iaholknipgpnohebem"=hex:6a,61,67,70,6f,67,6a,6d,70,65,6f,68,63,63,64,6f,6d,6b,
6b,64,00,30
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
d:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2012-03-09 15:14:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-09 15:14
ComboFix2.txt 2012-03-09 08:04
ComboFix3.txt 2012-03-08 18:09
ComboFix4.txt 2012-03-05 08:57
.
Pre-Run: 11,044,753,408 bytes free
Post-Run: 11,079,430,144 bytes free
.
- - End Of File - - 3A321466A4202BAE70ED37A024BA3C50
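A way to check a log like the one above mechanically, as an added example that is not part of this thread, of ComboFix or of any BleepingComputer tool: the Python below reads ComboFix-style log lines and flags the items the CFScript in the post above targeted (the Userinit append and the .DEFAULT Run entry), which the post-run log still lists, together with the Security Center overrides, the disabled firewall profile, and the newly created c:\windows\system32\lDQrcf3, whose 98048-byte size matches jfvbcqka.exe. The sample lines are excerpted from the log posted above; the suspect-directory markers and the same-size heuristic are this example's own assumptions, not ComboFix output.

```python
"""Triage ComboFix-style log lines for the persistence and tampering seen in this thread.

Added example, not ComboFix's own code: the regexes follow the layout of the log
posted above; the suspect-directory markers and the same-size heuristic are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the ComboFix log posted after the CFScript run.
SAMPLE_LOG = r"""
2012-03-09 08:22 . 2012-03-09 15:00 98048 ---ha-w- c:\windows\system32\lDQrcf3
2012-03-05 09:33 . 2012-03-05 09:33 388096 ----a-r- c:\documents and settings\David Wieland\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-20 385024]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"JfvBcqka"="c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe" [2012-03-09 98048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\S+) (?P<size>\d+)\]$')
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"$')
DWORD_RE = re.compile(r'^"(?P<name>\w+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= ?(?P<value>\d+)')
CREATED_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>\d+) \S+ (?P<path>.+)$")

# Assumption of this example: autostarts pointing into a service account's profile,
# a per-user Local Settings\Application Data folder, or a Temp folder deserve a second look.
SUSPECT_DIRS = ("\\localservice\\", "\\networkservice\\",
                "\\local settings\\application data\\", "\\temp\\")


def in_suspect_dir(path):
    lower = path.lower()
    return any(marker in lower for marker in SUSPECT_DIRS)


def userinit_extras(value):
    """Return every program listed after userinit.exe; stock XP has nothing there."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return parts[1:]


def triage(log_text):
    """Return (kind, detail) findings for the persistence and tampering the log shows."""
    findings = []
    current_key = ""
    paths_by_size = defaultdict(set)   # size in bytes -> lower-cased paths
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current_key = m["key"]
            continue
        if (m := USERINIT_RE.match(line)):
            for extra in userinit_extras(m["value"]):
                findings.append(("userinit_append", extra))
            continue
        if (m := RUN_RE.match(line)):
            paths_by_size[int(m["size"])].add(m["path"].lower())
            if in_suspect_dir(m["path"]):
                findings.append(("autostart_in_profile_dir", f'{current_key} -> {m["name"]} = {m["path"]}'))
            continue
        if (m := DWORD_RE.match(line)) and "security center" in current_key.lower():
            # Override=1 tells Security Center not to warn that AV or the firewall is off.
            if m["name"] in ("AntiVirusOverride", "FirewallOverride") and int(m["hex"], 16) == 1:
                findings.append(("security_center_override", m["name"]))
            continue
        if (m := FIREWALL_RE.match(line)) and "firewallpolicy" in current_key.lower():
            if int(m["value"]) == 0:
                findings.append(("firewall_disabled", current_key))
            continue
        if (m := CREATED_RE.match(line)):
            paths_by_size[int(m["size"])].add(m["path"].lower())
    # A freshly created file with the same byte size as a flagged autostart, or one with
    # no extension at all, is often a copy of the same binary under another name.
    for size, paths in sorted(paths_by_size.items()):
        if len(paths) > 1 and any(in_suspect_dir(p) or "." not in p.rsplit("\\", 1)[-1] for p in paths):
            findings.append(("same_size_binaries", f"{size} bytes: " + " | ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

To use it on a real run, pass the full contents of C:\ComboFix.txt to triage(). The stock XP Userinit value is exactly c:\windows\system32\userinit.exe, with a trailing comma and nothing after it, so the absence of a userinit_append finding is the first thing to look for after a CFScript that rewrites that value.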

#8 ratman (Malware Response Team, 1,799 posts, Scotland)

Posted 09 March 2012 - 06:32 PM

Hello swamptrack,

We need to create an OTL Report
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

====================================================================================


In your next reply, please copy/paste the contents of the following:
  • OTL.txt
  • Extra.txt

regards, ratman




#9 swamptrack (Topic Starter, Members, 22 posts)

Posted 10 March 2012 - 04:12 AM

Hi ratman,

When I booted my PC to run the scans it stopped on error 1073741819 and rebooted. It booted OK but the desktop had no toolbar or program icons; I restarted again and it was OK.





OTL Extras logfile created on: 10/03/2012 08:59:17 - Run 1
OTL by OldTimer - Version 3.2.36.2 Folder = C:\Documents and Settings\David Wieland\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 78.90% Memory free
9.85 Gb Paging File | 9.61 Gb Available in Paging File | 97.50% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 10.21 Gb Free Space | 27.39% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 36.80 Gb Free Space | 32.15% Space Free | Partition Type: NTFS

Computer Name: DAVID-GCET3PMFR | User Name: David Wieland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"D:\program files from c\Return to Castle Wolfenstein\WolfMP.exe" = D:\program files from c\Return to Castle Wolfenstein\WolfMP.exe:*:Enabled:WolfMP -- ()
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"D:\Program Files\Farming Simulator 2011 Demo\FarmingSimulator2011.exe" = D:\Program Files\Farming Simulator 2011 Demo\FarmingSimulator2011.exe:*:Enabled:Farming Simulator 2011 Demo -- (GIANTS Software GmbH)
"D:\Program Files\Farming Simulator 2011 Demo\game.exe" = D:\Program Files\Farming Simulator 2011 Demo\game.exe:*:Enabled:Farming Simulator 2011 Demo -- (GIANTS Software GmbH)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series" = Canon MP210 series
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23AAEA74-A836-4565-9903-684BC87A5529}" = DesignPro 5
"{2BAE6A53-E241-11D5-873A-0050DABC2539}" = Tropico: Paradise Island
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = Zoom ADSL USB Modem
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{679F739E-5C76-4A41-B562-F9392156B6DD}" = System Requirements Lab CYRI
"{7104189A-C592-4A56-AC9E-7C0CA135DA3C}" = AGEIA PhysX v6.10.25
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}" = Avery Wizard 4.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7602015C-88CB-4301-934D-C285B5BAA700}" = Philips Sound Agent 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{818FB39B-1A57-4F1B-A54D-391C33D6C586}" = Tropico
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{9720C029-0C2C-4D1E-9DE0-E89971C4C8C7}" = Silent Hunter III
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AC76BA86-7AD7-2448-0000-900000000003}" = Chinese Traditional Fonts Support For Adobe Reader 9
"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 266.58
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 266.58
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.50
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}" = Free DWG Viewer 6.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"3D Font Maker" = 3D Font Maker
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"BitZipper_is1" = BitZipper 5.0.2
"Business Card Maker" = Business Card Maker
"Canon MP210 series User Registration" = Canon MP210 series User Registration
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F50&SUBSYS_207C14F1" = Soft Voice SoftRing Modem with SmartSP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Cosmi's Photo Editor" = Cosmi's Photo Editor
"Cross of Iron Mod Version 1.34 GOLD" = Cross of Iron Mod Version 1.34 GOLD
"DesignCAD 3000" = DesignCAD 3000
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"FarmingSimulator2011DemoEN_is1" = Farming Simulator 2011 Demo
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{23AAEA74-A836-4565-9903-684BC87A5529}" = DesignPro 5
"InstallShield_{9720C029-0C2C-4D1E-9DE0-E89971C4C8C7}" = Silent Hunter III
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Master of Orion 1 and 2_is1" = Master of Orion 1 and 2
"Micrografx Designer 7" = Micrografx Designer 7
"Micrografx Graphics Suite 2 Enterprise" = Micrografx Graphics Suite 2 Enterprise
"Micrografx Picture Publisher 7" = Micrografx Picture Publisher 7
"Micrografx QuickVector" = Micrografx QuickVector
"Micrografx Simply 3D 2" = Micrografx Simply 3D 2
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Monsters Inc Calendar" = Monsters Inc Calendar Screen Saver
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Operation Hagelsturm - BaseMod incl. TigerDivision" = Operation Hagelsturm - BaseMod incl. TigerDivision
"Photo Editor Plus" = Photo Editor Plus
"Scale Convertor" = Scale Convertor
"sp6" = Logitech SetPoint 6.22
"ST5UNST #1" = Oil Tycoon
"Stationery Maker with Wizards" = Stationery Maker with Wizards
"Tropico3" = Tropico 3 1.00
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


OTL logfile created on: 10/03/2012 08:59:17 - Run 1
OTL by OldTimer - Version 3.2.36.2 Folder = C:\Documents and Settings\David Wieland\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 78.90% Memory free
9.85 Gb Paging File | 9.61 Gb Available in Paging File | 97.50% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 10.21 Gb Free Space | 27.39% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 36.80 Gb Free Space | 32.15% Space Free | Partition Type: NTFS

Computer Name: DAVID-GCET3PMFR | User Name: David Wieland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/10 07:47:31 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David Wieland\Desktop\OTL.exe
PRC - [2012/01/31 13:13:44 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- D:\Program Files\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/11 23:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- D:\Program Files\SASCore.exe
PRC - [2010/11/09 20:08:58 | 000,146,000 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
PRC - [2010/10/28 23:32:48 | 001,352,272 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2002/11/04 13:05:44 | 000,671,744 | ---- | M] (QSound Labs, Inc.) -- C:\Program Files\Philips\PSA2\Skin\QveCplSk.exe
PRC - [2001/10/25 01:02:00 | 000,090,112 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2000/06/29 08:45:10 | 000,052,224 | ---- | M] (Kenonic Controls Ltd.) -- C:\WINDOWS\system32\Crypserv.exe


========== Modules (No Company Name) ==========

MOD - [2010/11/04 08:51:44 | 000,555,624 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\nView\nvShell.dll
MOD - [2001/10/28 16:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012/01/31 13:13:44 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- D:\Program Files\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/11 23:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- D:\Program Files\SASCORE.EXE -- (!SASCORE)
SRV - [2010/10/28 10:13:30 | 000,293,456 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/12/01 10:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2001/10/25 01:02:00 | 000,090,112 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)
SRV - [2000/06/29 08:45:10 | 000,052,224 | ---- | M] (Kenonic Controls Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (pohci13F)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (MREMPR5)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (cpuz130)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (AmdLLD)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (adiusbaw)
DRV - File not found [Kernel | Auto | Stopped] -- -- (ADILOADER) General Purpose USB Driver (adildr.sys)
DRV - [2012/03/04 09:56:48 | 000,024,064 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/22 16:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 21:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/08/24 17:31:02 | 000,037,328 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2010/08/24 17:30:52 | 000,038,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2010/08/24 17:30:18 | 000,010,448 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2009/01/03 10:50:02 | 000,003,201 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WinFlash.sys -- (WINFLASH)
DRV - [2008/05/02 10:58:28 | 000,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2008/04/13 18:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/02/25 12:54:56 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/11/08 16:00:10 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/11/08 15:59:36 | 000,257,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/08/04 05:41:35 | 000,606,684 | ---- | M] (LT) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2004/08/04 05:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/10/28 10:17:00 | 000,411,008 | ---- | M] (QSound Labs, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QSoftAud.sys -- (QSoftAud) Philips Sound Agent 2 (WDM)
DRV - [2002/08/27 15:33:32 | 000,365,460 | ---- | M] (Philips Components (PSS)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pscaudio.sys -- (PSC60x) Philips PCI Audio Driver (WDM)
DRV - [2002/07/18 13:47:42 | 000,009,600 | ---- | M] (QSound Labs, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QsndEnum.sys -- (QsndEnum)
DRV - [2001/08/17 14:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2000/02/03 19:53:12 | 000,024,608 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\SearchScopes,DefaultScope = Google
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\SearchScopes\{8736E120-547B-4602-974C-AB5154B975D8}: "URL" = http://search.yahoo.com/search?ei=utf-8&fr=vmn&type=vendio&p={searchTerms}
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=$instd$&v=$ver$&i=$dchid$&tp=chrome&q={searchTerms}&lng={moz:locale}&iy=&ychte=uk
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\SearchScopes\{FCFBFEDD-E5DD-492A-A753-D98DCA94F5AF}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\SearchScopes\Google: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7_____en-GB
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/03/09 15:02:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (PCTools Site Guard) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll File not found
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] D:\Program Files\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE (QSound Labs, Inc.)
O4 - HKU\.DEFAULT..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
O4 - HKU\S-1-5-18..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
O4 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
O4 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\NPJPI150.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - Reg Error: Key error. File not found
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} http://67.15.101.3/g_bin/eng/roulette_2_0_0_25.cab (GameDesire Roulette)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab (EPUImageControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159633003400 (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304157849229 (MUWebControl Class)
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} http://67.15.101.3/g_bin/eng/poker_2_0_0_45.cab (GameDesire Poker Games)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.21.0.cab (SysInfo Class)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll (PCPitstop Exam)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (D:\Program Files\SASWINLO.DLL) - D:\Program Files\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\David Wieland\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\David Wieland\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/30 14:14:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/10 08:58:20 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\David Wieland\Desktop\OTL.exe
[2012/03/09 15:50:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/09 15:14:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/09 14:38:46 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\David Wieland\Desktop\tdsskiller(1).exe
[2012/03/09 14:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Farming Simulator 2011 Demo
[2012/03/08 17:31:26 | 004,831,232 | ---- | C] (AVAST Software) -- C:\Documents and Settings\David Wieland\My Documents\aswMBR.exe
[2012/03/08 17:30:52 | 004,831,232 | ---- | C] (AVAST Software) -- C:\Documents and Settings\All Users\Documents\aswMBR.exe
[2012/03/08 17:30:39 | 004,426,766 | R--- | C] (Swearware) -- C:\Documents and Settings\David Wieland\Desktop\ComboFix.exe
[2012/03/06 14:48:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/03/06 08:24:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\My Documents\New Folder (2)
[2012/03/05 15:10:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\My Documents\bootkey
[2012/03/05 10:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\Application Data\SUPERAntiSpyware.com
[2012/03/05 10:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2012/03/05 10:44:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/03/05 10:43:33 | 015,125,536 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\David Wieland\Desktop\SUPERAntiSpyware.exe
[2012/03/05 10:31:21 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/03/05 09:33:56 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/03/05 09:33:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\Start Menu\Programs\HiJackThis
[2012/03/05 08:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar
[2012/03/05 08:31:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/05 08:29:07 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/05 08:29:07 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/05 08:29:07 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/05 08:29:07 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/05 08:28:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/05 08:28:45 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/04 14:10:12 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2012/03/04 07:57:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\Application Data\Malwarebytes
[2012/03/04 07:57:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/04 07:57:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/04 07:57:27 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/03 19:17:35 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/03/03 19:17:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/03/03 17:04:44 | 000,090,112 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AVASTSS.scr
[2012/03/03 15:05:11 | 000,126,160 | ---- | C] (RealNetworks, Inc.) -- C:\Documents and Settings\David Wieland\My Documents\jddgsetup-dm.exe
[2012/03/03 13:58:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\Local Settings\Application Data\byhpyhar
[2012/02/27 17:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Downloads
[2012/02/27 17:14:23 | 000,126,160 | ---- | C] (RealNetworks, Inc.) -- C:\Documents and Settings\David Wieland\My Documents\OilTycoonSetup-dm.exe
[2012/02/27 17:04:28 | 006,600,192 | ---- | C] (Mirage Systems) -- C:\WINDOWS\System32\LicProtector310.exe
[2012/02/27 17:04:28 | 002,323,520 | ---- | C] (gdpicture.com) -- C:\WINDOWS\System32\gdpicturepro5.ocx
[2012/02/26 15:43:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\speech
[2012/02/26 15:42:43 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XVoice.dll
[2012/02/26 15:42:42 | 000,958,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCHART.OCX
[2012/02/26 15:40:00 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\ST5UNST.EXE
[2012/02/26 15:40:00 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB5StKit.dll
[2012/02/26 15:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\My Documents\Oil Tycoon
[2012/02/16 10:50:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2012/02/15 16:13:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\Start Menu\Programs\Hagelsturm v2
[2012/02/15 16:05:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Wieland\Start Menu\Programs\Cross of Iron Mod Version 1.34 GOLD
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/10 08:50:44 | 000,481,266 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/10 08:50:44 | 000,079,444 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/10 08:49:18 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/10 08:47:53 | 000,013,688 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/10 08:47:25 | 000,098,048 | -H-- | M] () -- C:\Documents and Settings\David Wieland\o2ouO23
[2012/03/10 08:46:25 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/10 08:46:20 | 000,098,048 | -H-- | M] () -- C:\WINDOWS\System32\lDQrcf3
[2012/03/10 08:46:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/10 07:47:31 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David Wieland\Desktop\OTL.exe
[2012/03/09 15:39:17 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/09 15:02:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/09 14:34:06 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\David Wieland\Desktop\tdsskiller(1).exe
[2012/03/09 14:18:40 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\Farming Simulator 2011 Demo.lnk
[2012/03/08 18:13:01 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\MBR.dat
[2012/03/08 17:33:25 | 000,000,556 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\Shortcut to aswMBR.exe.lnk
[2012/03/08 17:08:53 | 004,831,232 | ---- | M] (AVAST Software) -- C:\Documents and Settings\David Wieland\My Documents\aswMBR.exe
[2012/03/08 17:08:53 | 004,831,232 | ---- | M] (AVAST Software) -- C:\Documents and Settings\All Users\Documents\aswMBR.exe
[2012/03/05 10:44:37 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/03/05 09:34:15 | 000,002,463 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\HiJackThis.lnk
[2012/03/05 09:06:34 | 015,125,536 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\David Wieland\Desktop\SUPERAntiSpyware.exe
[2012/03/05 08:31:07 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/03/04 18:55:57 | 004,426,766 | R--- | M] (Swearware) -- C:\Documents and Settings\David Wieland\Desktop\ComboFix.exe
[2012/03/04 18:15:55 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/03/04 14:30:46 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\FixExe.reg
[2012/03/04 09:56:48 | 000,024,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/03/04 09:48:35 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/03 17:04:54 | 000,000,577 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\internet explorer.lnk
[2012/03/03 15:05:11 | 000,126,160 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\David Wieland\My Documents\jddgsetup-dm.exe
[2012/02/27 17:14:23 | 000,126,160 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\David Wieland\My Documents\OilTycoonSetup-dm.exe
[2012/02/27 11:17:45 | 000,001,478 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\Play PKR Lite.lnk
[2012/02/27 11:13:46 | 000,433,368 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/23 17:17:08 | 000,022,964 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\GrassTech - Static Grass & flock Applicators.mht
[2012/02/21 11:20:02 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\Untitled-2.dc
[2012/02/21 11:20:02 | 000,058,368 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\Untitled-1.dc
[2012/02/21 11:16:02 | 000,027,466 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\29da29c9798bf199add63cf92d9555cd-heart-clip-art.jpg
[2012/02/17 14:42:09 | 000,061,952 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\Acrylic Discs.dc
[2012/02/17 14:42:08 | 000,016,275 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\Acrylic Discs.DWG
[2012/02/15 23:02:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/12 18:51:17 | 000,000,671 | ---- | M] () -- C:\Documents and Settings\David Wieland\Desktop\Blitzkrieg.lnk
[2012/02/12 15:10:50 | 000,031,011 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\[kat.ph]blitzkrieg.anthology.torrent
[2012/02/12 15:06:40 | 000,012,604 | ---- | M] () -- C:\Documents and Settings\David Wieland\My Documents\Blitzkrieg_Anthology_[4_RTS_games].4899632.TPB.torrent
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/10 08:47:25 | 000,098,048 | -H-- | C] () -- C:\Documents and Settings\David Wieland\o2ouO23
[2012/03/09 14:18:40 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\Farming Simulator 2011 Demo.lnk
[2012/03/09 08:22:40 | 000,098,048 | -H-- | C] () -- C:\WINDOWS\System32\lDQrcf3
[2012/03/08 18:13:01 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\MBR.dat
[2012/03/08 17:33:25 | 000,000,556 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\Shortcut to aswMBR.exe.lnk
[2012/03/05 11:12:49 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\FixExe.reg
[2012/03/05 10:44:37 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/03/05 09:33:56 | 000,002,463 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\HiJackThis.lnk
[2012/03/05 08:31:07 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/03/05 08:31:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/05 08:29:07 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/05 08:29:07 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/05 08:29:07 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/05 08:29:07 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/05 08:29:07 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/04 14:13:18 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/04 14:10:13 | 000,000,955 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Defender.lnk
[2012/03/04 09:56:48 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/03/03 17:04:54 | 000,000,577 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\internet explorer.lnk
[2012/03/03 17:04:44 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2012/02/27 11:17:45 | 000,001,478 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\Play PKR Lite.lnk
[2012/02/26 15:43:33 | 000,000,524 | ---- | C] () -- C:\Documents and Settings\David Wieland\Start Menu\Programs\Oil Tycoon.LNK
[2012/02/26 15:42:42 | 000,190,464 | ---- | C] () -- C:\WINDOWS\System32\landplot.dll
[2012/02/23 17:17:08 | 000,022,964 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\GrassTech - Static Grass & flock Applicators.mht
[2012/02/21 11:20:02 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\Untitled-2.dc
[2012/02/21 11:20:00 | 000,058,368 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\Untitled-1.dc
[2012/02/21 11:16:59 | 000,027,466 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\29da29c9798bf199add63cf92d9555cd-heart-clip-art.jpg
[2012/02/17 14:42:08 | 000,016,275 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\Acrylic Discs.DWG
[2012/02/17 14:41:55 | 000,061,952 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\Acrylic Discs.dc
[2012/02/15 22:30:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 22:30:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/12 18:51:17 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\David Wieland\Desktop\Blitzkrieg.lnk
[2012/02/12 15:10:50 | 000,031,011 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\[kat.ph]blitzkrieg.anthology.torrent
[2012/02/12 15:06:40 | 000,012,604 | ---- | C] () -- C:\Documents and Settings\David Wieland\My Documents\Blitzkrieg_Anthology_[4_RTS_games].4899632.TPB.torrent
[2012/02/03 15:29:32 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\ISP2000.dll
[2012/02/03 15:29:32 | 000,063,488 | ---- | C] () -- C:\WINDOWS\System32\Eztw32.dll
[2011/06/22 13:18:03 | 000,086,304 | ---- | C] () -- C:\WINDOWS\RHVIDEO.DLL
[2011/06/22 12:55:06 | 001,513,984 | ---- | C] () -- C:\WINDOWS\System32\Mgxrdr32.dll
[2011/06/22 12:55:05 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2011/06/22 12:55:05 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2011/06/22 12:54:13 | 000,082,944 | ---- | C] () -- C:\WINDOWS\System32\Ppiv20.dll
[2011/06/22 12:50:12 | 000,000,034 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2011/06/22 12:43:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2011/05/03 16:14:40 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SetOutput60x.dll
[2011/03/26 16:22:54 | 000,000,047 | ---- | C] () -- C:\WINDOWS\System32\Sconverter.ini
[2011/02/25 13:18:40 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2011/01/29 10:56:45 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/01/29 10:56:41 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/01/29 10:56:41 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/01/29 10:56:06 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/11/12 13:14:46 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL

========== Files - Unicode (All) ==========
[2012/02/14 15:43:33 | 000,047,616 | ---- | M] ()(C:\Documents and Settings\David Wieland\My Documents\YD-010SD20 (?).doc) -- C:\Documents and Settings\David Wieland\My Documents\YD-010SD20 (新).doc
[2012/02/14 15:43:33 | 000,047,616 | ---- | C] ()(C:\Documents and Settings\David Wieland\My Documents\YD-010SD20 (?).doc) -- C:\Documents and Settings\David Wieland\My Documents\YD-010SD20 (新).doc

< End of report >

#10 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:40 PM

Posted 11 March 2012 - 08:54 AM

Hello swamptrack,

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    CODE:OTL
    O4 - HKU\.DEFAULT..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
    O4 - HKU\S-1-5-18..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
    O4 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
    [2012/03/10 08:47:25 | 000,098,048 | -H-- | M] () -- C:\Documents and Settings\David Wieland\o2ouO23
    [2012/03/10 08:46:20 | 000,098,048 | -H-- | M] () -- C:\WINDOWS\System32\lDQrcf3
    
    :commands
    [EMPTYTEMP] 
    [EMPTYJAVA]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.



In your next reply, please copy/paste the contents of the following:
  • OTL Report
How is your machine running now?

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.
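The entries picked out for the fix above (two hidden, extension-less files with no company name sitting in the profile root and in System32, and Run values pointing at a file under the LocalService profile that no longer exists) are the kind of thing that can be pulled out of an OTL log mechanically. The following Python script is an added example, not part of this thread and not OTL's own code: it parses OTL's file-entry and O4 Run-entry line formats, scores each line against a few indicators, and returns the ones that reach a threshold. The sample input is copied from the log and fix quoted above, with two benign lines (OTL.exe, FNTCACHE.DAT) added for contrast; the indicators and the threshold of two are my own assumptions, tuned only to this log.

```python
"""Triage OTL log lines for entries like the ones flagged in this thread.

Added example; not OTL's code and not from the thread. It parses two OTL line
formats (file entries and O4 Run entries), scores each with simple indicators
and returns the ones that reach a threshold.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the log and fix quoted above,
# plus two benign entries (OTL.exe, FNTCACHE.DAT) that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKU\.DEFAULT..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
O4 - HKU\S-1-5-18..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
[2012/03/10 08:58:20 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\David Wieland\Desktop\OTL.exe
[2012/03/10 08:47:25 | 000,098,048 | -H-- | M] () -- C:\Documents and Settings\David Wieland\o2ouO23
[2012/03/10 08:46:20 | 000,098,048 | -H-- | M] () -- C:\WINDOWS\System32\lDQrcf3
[2012/02/27 11:13:46 | 000,433,368 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
"""

# OTL file entry: [stamp | size | attrs | C/M] (company) -- path [-- [ NTFS ]]
FILE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)(?: -- \[ NTFS \])?$"
)
# OTL O4 entry: O4 - <hive>..\Run: [<value name>] <target> [File not found]
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<target>.+?)(?P<missing> File not found)?$"
)

# Service-account profiles should not carry per-user autostart programs
# (assumption used as an indicator, not a rule OTL itself applies).
SERVICE_PROFILES = ("\\localservice\\", "\\networkservice\\")


@dataclass
class Finding:
    item: str            # file path, or hive\Run\value for autostart entries
    reasons: List[str]   # the indicators that fired for this line


def score_file(m: "re.Match[str]") -> List[str]:
    """Indicators for a file entry; returns the reasons that fired."""
    attrs = m["attrs"]
    company = m["company"].strip()
    name = m["path"].strip().rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if "D" in attrs:
        return reasons                      # directories are out of scope here
    if "H" in attrs:
        reasons.append("hidden attribute set")
    if "." not in name:
        reasons.append("no file extension")
    if not company:
        reasons.append("no company/version info")
    return reasons


def score_run(m: "re.Match[str]") -> List[str]:
    """Indicators for an O4 Run entry; returns the reasons that fired."""
    reasons: List[str] = []
    if m["missing"]:
        reasons.append("Run value points at a missing file")
    if any(p in m["target"].lower() for p in SERVICE_PROFILES):
        reasons.append("autostart under a service-account profile")
    return reasons


def triage(log_text: str, threshold: int = 2) -> List[Finding]:
    """Return file entries with at least `threshold` indicators and every
    Run entry with at least one indicator, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            reasons = score_file(m)
            if len(reasons) >= threshold:
                findings.append(Finding(m["path"].strip(), reasons))
        elif (m := RUN_RE.match(line)):
            reasons = score_run(m)
            if reasons:
                findings.append(Finding(f'{m["hive"]}\\Run\\{m["name"]}', reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.item)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script returns the two Run values and the two hidden files and nothing else; FNTCACHE.DAT has no company name but fails every other indicator, which is why the threshold is two rather than one. Treat the output as a shortlist for a human, as ratman does, not as a verdict: plenty of legitimate files have no version resource, and the indicators here were chosen for this one log.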



#11 swamptrack

swamptrack
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 11 March 2012 - 09:42 AM

Hi ratman,

Windows Defender has updated, but I still cannot boot in safe mode or access the Avira or AVG web sites. I ran Malwarebytes, which found 8 Trojan.Inject.


All processes killed
Error: Unable to interpret <CODE:OTL> in the current context!
Error: Unable to interpret <O4 - HKU\.DEFAULT..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found> in the current context!
Error: Unable to interpret <O4 - HKU\S-1-5-18..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found> in the current context!
Error: Unable to interpret <O4 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found> in the current context!
Error: Unable to interpret <[2012/03/10 08:47:25 | 000,098,048 | -H-- | M] () -- C:\Documents and Settings\David Wieland\o2ouO23> in the current context!
Error: Unable to interpret <[2012/03/10 08:46:20 | 000,098,048 | -H-- | M] () -- C:\WINDOWS\System32\lDQrcf3> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David Wieland
->Temp folder emptied: 380246 bytes
->Temporary Internet Files folder emptied: 615359 bytes
->Java cache emptied: 19269809 bytes
->Flash cache emptied: 37894 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 4554 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19496667 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 37768 bytes
Windows Temp folder emptied: 4778 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 239939 bytes
RecycleBin emptied: 78076 bytes

Total Files Cleaned = 38.00 mb


[EMPTYJAVA]

User: All Users

User: David Wieland
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.36.2 log created on 03112012_140929
Files\Folders moved on Reboot... Registry entries deleted on Reboot...

Edited by swamptrack, 11 March 2012 - 10:26 AM.


#12 ratman

Posted 12 March 2012 - 09:10 AM

Hello swamptrack,

We need to run another OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :OTL
    O4 - HKU\.DEFAULT..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
    O4 - HKU\S-1-5-18..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
    O4 - HKU\S-1-5-21-1417001333-1383384898-854245398-1004..\Run: [JfvBcqka] C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe File not found
    [2012/03/10 08:47:25 | 000,098,048 | -H-- | M] () -- C:\Documents and Settings\David Wieland\o2ouO23
    [2012/03/10 08:46:20 | 000,098,048 | -H-- | M] () -- C:\WINDOWS\System32\lDQrcf3
    
    :commands
    [EMPTYTEMP] 
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
===========================================================================

To enable me to keep track of what we are doing (and the order we do things in, which can be important), please do not run anti-malware or anti-virus programs unless I ask for them.

Can you copy/paste the last log from Malwarebytes in your next reply?

============================================================================

In your next reply, please copy/paste the contents of the following:
  • OTL Report
  • MBAM.log
How is your machine running now?

Edited by ratman, 12 March 2012 - 09:17 AM.

regards, ratman




#13 swamptrack

Posted 12 March 2012 - 09:54 AM

Hi ratman,

Sorry, will not run any more scans.


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.11.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
David Wieland :: DAVID-GCET3PMFR [administrator]

Protection: Disabled

11/03/2012 16:05:47
mbam-log-2012-03-11 (16-05-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 173644
Time elapsed: 15 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|JfvBcqka (Trojan.Inject) -> Data: C:\Documents and Settings\LocalService\Local Settings\Application Data\byhpyhar\jfvbcqka.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
c:\documents and settings\localservice\local settings\application data\byhpyhar\jfvbcqka.exe (Trojan.Inject) -> Delete on reboot.
c:\windows\system32\config\systemprofile\start menu\programs\startup\jfvbcqka.exe (Trojan.Inject) -> Delete on reboot.
C:\WINDOWS\system32\lDQrcf3 (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\bktapunmkapcgmyq.exe (Trojan.Inject) -> Quarantined and deleted successfully.

(end)


All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\JfvBcqka deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\JfvBcqka not found.
Registry value HKEY_USERS\S-1-5-21-1417001333-1383384898-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Run\\JfvBcqka not found.
File C:\Documents and Settings\David Wieland\o2ouO23 not found.
C:\WINDOWS\system32\lDQrcf3 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David Wieland
->Temp folder emptied: 3364 bytes
->Temporary Internet Files folder emptied: 622681 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2688 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7530 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb


OTL by OldTimer - Version 3.2.36.2 log created on 03122012_144706

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#14 ratman

Posted 12 March 2012 - 04:06 PM

Thanks swamptrack,

How's your machine running now? What issues are you seeing?
regards, ratman




#15 swamptrack

Posted 13 March 2012 - 02:20 AM

Good morning ratman,

I have the same problems as before: safe mode will not load (black screen, lots of numbers, then it re-boots). If I try to access any antivirus web pages, including this site, I just get the page "Internet Explorer cannot display the page", but any other non-virus-related pages load.
Windows Defender will also not update.



