
Laptop infected with unknown malware


  • This topic is locked
26 replies to this topic

#1 millwalker

millwalker

  • Members
  • 28 posts
  • Local time:02:37 AM

Posted 25 April 2012 - 05:29 PM

Hi There,

I'm attempting to remove some malware from my friend's laptop (again!) and it has got the better of me.

There are numerous infections as far as I can tell. No virus, anti-malware or MS malicious removal tool will run. On the few times I have managed to get these apps to start, the laptop will restart itself mid-scan. GMER will not run either, so I can't post a log, although it did give me a rootkit warning upon start-up.

I would appreciate any help you can provide me.

Thanks,

Phill

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882
Run by Any Authorised User at 22:47:46 on 2012-04-25
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1790.865 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\ANYAUT~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\dlcdcoms.exe
C:\Windows\System32\svchost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\DrvInst.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uSEARCH PAGE = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://uk.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\users\any authorised user\appdata\local\rufysvee\axwldvnu.exe
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearshare applications\mediabar\toolbar\BearshareMediabarDx.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearshare applications\mediabar\toolbar\BearshareMediabarDx.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [My Security Shield] "c:\programdata\ea2fa93\MSea2f_284.exe" /s /d
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
uRun: [{A8AC3549-2975-6968-A283-A94FFBE03265}] "c:\users\any authorised user\appdata\roaming\oluzu\vyyv.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{DDDFFB1A-0792-5A83-38FC-190770EEDC52}] c:\users\any authorised user\appdata\roaming\skype\akele221\chatsync\8e\subst.exe
uRun: [RebateInformer] c:\progra~1\rebateinformer\RebateInf.exe /STARTUP
uRun: [AxwLdvnu] c:\users\any authorised user\appdata\local\rufysvee\axwldvnu.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acer Tour]
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [eRecoveryService]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
dRun: [AxwLdvnu] c:\users\any authorised user\appdata\local\rufysvee\axwldvnu.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_Plugin.exe -update plugin
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: sch.uk\folders.debenhamhighschool.suffolk
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BF0F89AA-5D6C-47EF-90DE-517BD2A4E98B} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
AppInit_DLLs:
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
IFEO: image file execution options - svchost.exe
Hosts: 216.45.48.244 google.com
Hosts: 216.45.48.244 google.com.au
Hosts: 216.45.48.244 www.google.com.au
Hosts: 216.45.48.244 google.be
Hosts: 216.45.48.244 www.google.be
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\any authorised user\appdata\roaming\mozilla\firefox\profiles\n8rb0nrv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80506&lng=en
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80506&language=en&qkw=
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-3 35712]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-25 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-25 135664]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-10-21 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-10-21 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-10-21 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-10-21 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-10-21 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-10-21 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-10-21 110120]
.
=============== Created Last 30 ================
.
2012-04-25 21:31:36 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f3486289-9a6d-4191-8914-3b4fc12fe810}\mpengine.dll
2012-04-22 22:01:13 -------- d-----w- c:\program files\CCleaner
2012-04-22 21:54:56 -------- d-----w- C:\Mozilla
2012-04-22 21:15:42 97680 ---ha-w- c:\windows\system32\qcv6R9dHL
2012-04-22 21:10:20 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-04-22 21:10:20 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-04-22 21:10:19 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-04-22 21:10:19 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-04-22 21:10:19 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-04-22 20:49:46 -------- d--h--w- c:\programdata\Common Files
2012-04-22 20:49:00 -------- d-----w- c:\programdata\MFAData
2012-04-22 20:47:50 -------- d-----w- c:\windows\Mozilla
2012-04-21 23:49:34 -------- d-----w- c:\windows\system32\MpEngineStore
2012-04-14 04:27:59 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-04-14 04:27:57 16824 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2012-04-14 04:27:55 818104 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2012-04-14 04:27:54 441272 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2012-04-14 04:27:54 1969080 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2012-04-14 04:27:54 16312 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2012-04-14 04:27:54 101304 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2012-04-14 04:27:53 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2012-04-14 04:27:53 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2012-04-14 04:20:40 -------- d-----w- c:\users\any authorised user\appdata\roaming\PCPowerSpeed
2012-04-13 19:10:43 -------- d-----w- C:\Sun
2012-04-12 21:49:35 97680 ---ha-w- c:\windows\system32\zcb3t23
2012-04-12 18:18:24 97680 ---ha-w- c:\windows\system32\xALBlNR
2012-04-10 20:44:28 97680 ---ha-w- c:\windows\system32\qx7Kd23
2012-04-10 16:19:16 97680 ---ha-w- c:\windows\system32\Ggcst23
2012-04-09 16:10:15 97680 ---ha-w- c:\windows\system32\ZUCywCf1
2012-04-08 00:29:48 97680 ---ha-w- c:\windows\system32\SaTqS23
2012-04-07 10:21:27 97680 ---ha-w- c:\windows\system32\pyKfYa3
2012-04-04 21:07:35 97680 ---ha-w- c:\windows\system32\mmPs923
2012-04-04 11:30:57 97680 ---ha-w- c:\windows\system32\0wlnMH3
2012-04-03 19:45:17 97680 ---ha-w- c:\windows\system32\CgGwJXv
2012-04-03 06:01:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-03-28 01:15:15 -------- d-----w- C:\e
2012-03-28 01:15:05 -------- d-----w- C:\Data
.
==================== Find3M ====================
.
2012-04-22 10:20:10 101376 ----a-w- c:\windows\system32\ifxcardm.dll
2012-04-22 10:19:57 79872 ----a-w- c:\windows\system32\axaltocm.dll
2012-04-21 23:47:30 97680 ---ha-w- c:\windows\system32\vhESJd7a
2012-04-13 06:45:36 97680 ---ha-w- c:\windows\system32\Oxh2523
2012-03-15 05:31:04 97680 ---ha-w- c:\windows\system32\Pm3me23
2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:53:17.27 ===============
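The DDS log above contains several classic persistence and traffic-hijack indicators: a second entry appended to the Winlogon `Userinit` value, HOSTS entries pointing google domains at a single non-loopback address, an Image File Execution Options debugger registered for `svchost.exe`, autoruns launched from the user's AppData and ProgramData, and a series of hidden, extensionless files of identical size dropped into system32. The script below is an added example (not part of this thread and not code from the DDS tool) that runs those triage heuristics over a few lines copied from the posted log; the regular expressions are my own assumptions about the DDS line format, and the sample lines are the only input it knows about.

```python
"""Triage heuristics for DDS-style log lines (added example, not DDS itself)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = [
    r'uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"',
    r'uRun: [My Security Shield] "c:\programdata\ea2fa93\MSea2f_284.exe" /s /d',
    r'uRun: [AxwLdvnu] c:\users\any authorised user\appdata\local\rufysvee\axwldvnu.exe',
    r'mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe',
    r'mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\users\any authorised user\appdata\local\rufysvee\axwldvnu.exe',
    r'IFEO: image file execution options - svchost.exe',
    r'Hosts: 216.45.48.244 google.com',
    r'Hosts: 216.45.48.244 www.google.be',
    r'2012-04-22 21:15:42 97680 ---ha-w- c:\windows\system32\qcv6R9dHL',
    r'2012-04-22 21:10:20 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll',
    r'2012-04-12 21:49:35 97680 ---ha-w- c:\windows\system32\zcb3t23',
]


@dataclass
class Finding:
    rule: str   # human-readable reason the line was flagged
    line: str   # the offending log line


# Line-format regexes are assumptions about DDS output, derived from the log above.
RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
USERINIT_RE = re.compile(r'^mWinlogon: Userinit=(?P<value>.*)$', re.IGNORECASE)
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+) (?P<host>\S+)$')
IFEO_RE = re.compile(r'^IFEO: image file execution options - (?P<image>\S+)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) (?P<attrs>\S+) (?P<path>.*)$')


def check_run(m):
    # Autoruns living in user-writable profile or ProgramData paths deserve a look;
    # vendor software normally installs under Program Files or Windows.
    cmd = m.group('cmd').lower()
    if '\\appdata\\' in cmd or '\\programdata\\' in cmd:
        return 'autorun launching from a user-writable AppData/ProgramData path'
    return None


def check_userinit(m):
    # The legitimate value is exactly userinit.exe; anything appended after the
    # commas is executed at every interactive logon.
    parts = [p.strip() for p in m.group('value').split(',') if p.strip()]
    if len(parts) > 1 or not parts[0].lower().endswith('\\userinit.exe'):
        return 'Userinit has extra entries (executed at every logon)'
    return None


def check_hosts(m):
    # DDS only lists non-default HOSTS entries; a non-loopback target means redirection.
    ip = m.group('ip')
    if ip not in ('127.0.0.1', '::1', '0.0.0.0'):
        return f'HOSTS redirects {m.group("host")} to {ip}'
    return None


def check_ifeo(m):
    # An IFEO Debugger value makes Windows launch the "debugger" instead of the image.
    return f'IFEO Debugger set on {m.group("image")} (hijacks every launch of it)'


def check_file(m):
    # Hidden files with no extension directly in system32 are not how Windows ships binaries.
    path = m.group('path').lower()
    name = path.rsplit('\\', 1)[-1]
    if path.startswith('c:\\windows\\system32\\') and 'h' in m.group('attrs') and '.' not in name:
        return 'hidden extensionless file dropped in system32'
    return None


RULES = [(RUN_RE, check_run), (USERINIT_RE, check_userinit), (HOSTS_RE, check_hosts),
         (IFEO_RE, check_ifeo), (FILE_RE, check_file)]


def triage(lines):
    """Return a Finding for every line that trips one of the heuristics above."""
    findings = []
    for line in lines:
        for regex, check in RULES:
            m = regex.match(line)
            if not m:
                continue
            reason = check(m)
            if reason:
                findings.append(Finding(reason, line))
            break
    return findings


def repeated_drop_sizes(lines):
    """Sizes shared by two or more flagged system32 files: identical size plus
    random names suggests one dropper re-writing its payload (97680 bytes here)."""
    sizes = Counter(int(FILE_RE.match(f.line).group('size'))
                    for f in triage(lines) if f.rule.startswith('hidden'))
    return {size: n for size, n in sizes.items() if n >= 2}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.rule}] {f.line}')
    print('repeated dropped-file sizes:', repeated_drop_sizes(SAMPLE_LOG))
```

The heuristics are deliberately narrow: each rule fires only on a pattern that is visible in the log above, so the output is a triage aid for someone reading such a log, not a verdict. The same `Userinit`, IFEO and hidden-file indicators also appear in the FRST log later in the thread, so the checks carry over to that format with only the regexes changed.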


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:37 PM

Posted 25 April 2012 - 08:59 PM

Hi

Please do the following:


For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 millwalker

millwalker
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:37 AM

Posted 26 April 2012 - 12:05 PM

Hi CatByte

Firstly, thank you for assisting me with this.

I have followed the steps to repair my computer, but after I have selected "repair my computer" through the F8 method it takes me to a login screen with the username "other user". I have no idea where this username has come from. When I click on "other user" it brings up a black user avatar and blank username and password fields. If I try to log in as "Any Authorised User", which is my friend's username set as admin and the only username created (no password), it tells me that the "specified domain either does not exist or could not be contacted".

I'm not sure what to do next as I do not have a Vista disk to attempt to enter the repair function by booting from CD. I will try and see if I can borrow one, but I'm not sure it will solve this?

Look forward to hearing back from you.

Phill

Edited by millwalker, 26 April 2012 - 12:19 PM.


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:37 PM

Posted 26 April 2012 - 05:17 PM

When you tap F8 and are taken to the login screen, try just hitting Enter without entering any user name.

If you can borrow an installation disk to access the recovery environment, that would be best.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 millwalker

millwalker
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:37 AM

Posted 27 April 2012 - 02:05 AM

Hi,

Managed to borrow a disk and run the scan. FYI, the steps were slightly different from those that you posted. When you select "repair my computer" it automatically runs a scan and repair, and when it fails it gives you an option to choose advanced repair options. This is where you find the command line option along with the others.

Anyway, here is the log.

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 27-04-2012 07:51:13
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1006264 2007-09-03] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-10-23] (Synaptics, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40048 2007-03-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Acer Tour] [x]
HKLM\...\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting [45056 2007-04-25] ( )
HKLM\...\Run: [eRecoveryService] [x]
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [813840 2007-04-04] (Dritek System Inc.)
HKLM\...\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe [57344 2006-11-05] (Acer Inc.)
HKLM\...\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe" [245810 2001-07-25] (Microsoft Corporation)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [177440 2009-08-13] (Apple Inc.)
HKLM\...\Run: [DLCDCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16 [69632 2005-06-07] ()
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-09-23] (Apple Inc.)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1226608 2010-12-09] ()
HKLM\...\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start [63360 2010-12-08] (DivX, LLC)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM\...\Run: [] [x]
HKU\Any Authorised User\...\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" [188472 2001-07-25] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-10-17] (Google Inc.)
HKU\Any Authorised User\...\Run: [My Security Shield] "C:\ProgramData\ea2fa93\MSea2f_284.exe" /s /d [x]
HKU\Any Authorised User\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [Xvid] C:\Program Files\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\Any Authorised User\...\Run: [{A8AC3549-2975-6968-A283-A94FFBE03265}] "C:\Users\Any Authorised User\AppData\Roaming\Oluzu\vyyv.exe" [x]
HKU\Any Authorised User\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [17353352 2011-09-26] (Skype Technologies S.A.)
HKU\Any Authorised User\...\Run: [{DDDFFB1A-0792-5A83-38FC-190770EEDC52}] C:\Users\Any Authorised User\AppData\Roaming\Skype\akele221\chatsync\8e\subst.exe [188416 2006-11-02] ()
HKU\Any Authorised User\...\Run: [RebateInformer] C:\PROGRA~1\RebateInformer\RebateInf.exe /STARTUP [x]
HKU\Any Authorised User\...\Run: [AxwLdvnu] C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-21] ()
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-21] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs:
IMEO: [Debugger] svchost.exe

================================ Services (Whitelisted) ==================

2 Ati External Event Utility; C:\Windows\System32\Ati2evxx.exe [610304 2007-08-11] (ATI Technologies Inc.)
2 BBUpdate; "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [249648 2011-06-15] (Microsoft Corporation)
3 dlcd_device; C:\Windows\system32\dlcdcoms.exe -service [491520 2005-06-21] ()
2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [53248 2007-07-03] (Acer Inc.)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [135664 2009-12-25] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [135664 2009-12-25] (Google Inc.)
2 Irmon; C:\Windows\System32\irmon.dll [17920 2006-11-02] (Microsoft Corporation)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-19] (Microsoft Corporation)
2 o2flash; "C:\Program Files\O2Micro Oz128 Driver\o2flash.exe" [65536 2007-02-12] (O2Micro International)
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [167936 2008-01-18] (Microsoft Corporation)
3 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [87840 2006-04-14] (Microsoft Corporation)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [365568 2008-01-18] (Microsoft Corporation)
2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

========================== Drivers (Whitelisted) =============

3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [2930176 2007-08-11] (ATI Technologies Inc.)
3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl6.sys [534016 2006-12-19] (Broadcom Corporation)
3 DKbFltr; C:\Windows\System32\DRIVERS\DKbFltr.sys [21264 2006-11-02] (Dritek System Inc.)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2006-11-01] (Conexant Systems, Inc.)
3 ialm; C:\Windows\System32\DRIVERS\igdkmd32.sys [1380864 2006-10-18] (Intel Corporation)
2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [76584 2006-12-07] ()
2 irda; C:\Windows\System32\DRIVERS\irda.sys [95744 2006-11-02] (Microsoft Corporation)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 NSCIRDA; C:\Windows\System32\DRIVERS\nscirda.sys [30720 2006-11-02] (National Semiconductor Corporation)
3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [6144 2007-09-10] (NewTech Infosystems, Inc.)
0 O2MDRDR; C:\Windows\System32\DRIVERS\o2media.sys [39680 2007-04-03] (O2Micro )
0 O2SDRDR; C:\Windows\System32\DRIVERS\o2sd.sys [35712 2007-04-02] (O2Micro )
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [44544 2006-11-01] (Realtek Corporation)
3 s3017bus; C:\Windows\System32\DRIVERS\s3017bus.sys [83880 2007-12-10] (MCCI Corporation)
3 s3017mdfl; C:\Windows\System32\DRIVERS\s3017mdfl.sys [15016 2007-12-10] (MCCI Corporation)
3 s3017mdm; C:\Windows\System32\DRIVERS\s3017mdm.sys [110632 2007-12-10] (MCCI Corporation)
3 s3017mgmt; C:\Windows\System32\DRIVERS\s3017mgmt.sys [104616 2007-12-10] (MCCI Corporation)
3 s3017nd5; C:\Windows\System32\DRIVERS\s3017nd5.sys [25512 2007-12-10] (MCCI Corporation)
3 s3017obex; C:\Windows\System32\DRIVERS\s3017obex.sys [100648 2007-12-10] (MCCI Corporation)
3 s3017unic; C:\Windows\System32\DRIVERS\s3017unic.sys [110120 2007-12-10] (MCCI Corporation)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1729152 2007-06-12] ()
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2006-11-02] (Promise Technology, Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 Micorsoft Windows Service; \??\C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 RasSstp; C:\Windows\System32\DRIVERS\rassstp.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-27 07:50 - 2012-03-27 17:15 - 0000000 ____D C:\FRST
2012-04-25 13:57 - 2012-04-25 13:53 - 0105562 ____A C:\Users\Any Authorised User\Desktop\attach.txt
2012-04-25 13:57 - 2012-04-25 13:53 - 0019055 ____A C:\Users\Any Authorised User\Desktop\dds.txt
2012-04-25 13:47 - 2012-04-25 13:47 - 0000000 ____A C:\Windows\setuperr.log
2012-04-25 13:47 - 2012-04-12 10:40 - 0607260 ____R (Swearware) C:\Users\Any Authorised User\Desktop\dds.scr
2012-04-25 13:47 - 2010-07-25 03:47 - 0000719 ____A C:\Windows\setupact.log
2012-04-25 13:47 - - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
2012-04-22 14:09 - 2012-04-22 10:13 - 0132819 ____A C:\Windows\WindowsUpdate.log
2012-04-22 14:09 - 2009-08-09 10:27 - 1877049344 __ASH C:\hiberfil.sys
2012-04-22 14:01 - 2010-10-02 12:13 - 0000000 ____D C:\Program Files\CCleaner
2012-04-22 14:01 - 2010-03-19 13:08 - 0000764 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-04-22 13:54 - 2012-03-27 17:15 - 0000000 ____D C:\Mozilla
2012-04-22 13:15 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\qcv6R9dHL
2012-04-22 12:49 - 2010-01-08 08:49 - 0000000 ____D C:\Users\All Users\MFAData
2012-04-22 12:49 - 2010-01-08 08:49 - 0000000 ____D C:\ProgramData\MFAData
2012-04-22 12:47 - 2006-11-02 02:23 - 0000000 ____D C:\Windows\Mozilla
2012-04-22 10:14 - 2006-11-02 01:46 - 0000552 ____A C:\Windows\System32\spsys.log
2012-04-22 02:28 - 2009-11-25 11:50 - 0000000 ____D C:\Program Files\MSN
2012-04-21 15:49 - 2007-09-03 00:30 - 0000000 ____D C:\Windows\System32\MpEngineStore
2012-04-21 15:47 - - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-21 15:47 - - 0097680 ____S C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-21 15:42 - 2012-03-28 18:02 - 0000217 ____A C:\Windows\System32\MRT.INI
2012-04-13 20:20 - 2011-08-29 10:28 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\PCPowerSpeed
2012-04-13 20:18 - 2012-02-04 16:04 - 1996976 ____A (Inbox.com, Inc. ) C:\Users\Any Authorised User\Downloads\MailNotifierSetupGB.exe
2012-04-13 11:10 - 2012-03-27 17:15 - 0000000 ____D C:\Sun
2012-04-12 13:49 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\zcb3t23
2012-04-12 10:40 - 2011-01-31 15:15 - 0097680 ___AH C:\Users\Any Authorised User\Desktop\CZ0TDiNm
2012-04-12 10:18 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\xALBlNR
2012-04-10 12:44 - 2006-11-02 04:34 - 0097680 ___AH C:\Windows\System32\qx7Kd23
2012-04-10 08:19 - 2006-11-02 04:34 - 0097680 ___AH C:\Windows\System32\Ggcst23
2012-04-09 08:10 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\ZUCywCf1
2012-04-07 16:29 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\SaTqS23
2012-04-07 02:21 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\pyKfYa3
2012-04-04 13:07 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\mmPs923
2012-04-04 03:30 - 2007-09-10 15:34 - 0097680 ___AH C:\Windows\System32\0wlnMH3
2012-04-03 11:45 - 2008-02-16 15:25 - 0097680 ___AH C:\Windows\System32\CgGwJXv
2012-04-03 04:54 - 2012-04-25 13:47 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\dhlmqxlc.log
2012-04-02 22:01 - - 0000000 __SHD C:\Windows\System32\%APPDATA%

============ 3 Months Modified Files and Folders ===============

2012-04-27 07:50 - 2012-04-27 07:50 - 0000000 ____D C:\FRST
2012-04-26 22:31 - 2012-03-26 14:52 - 0097680 ___AH C:\Windows\System32\2xlFnpAbZ
2012-04-26 22:31 - 2012-03-09 10:50 - 0000024 ____A C:\Users\Any Authorised User\AppData\Local\bcadexsq.log
2012-04-26 22:30 - 2011-10-21 10:24 - 0000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-04-26 22:30 - 2009-12-25 13:31 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-26 22:30 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-26 22:30 - 2006-11-02 04:47 - 0003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-26 22:30 - 2006-11-02 04:47 - 0003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-26 22:26 - 2012-04-22 14:09 - 1877049344 __ASH C:\hiberfil.sys
2012-04-26 22:25 - 2012-04-22 14:09 - 0132819 ____A C:\Windows\WindowsUpdate.log
2012-04-26 09:20 - 2006-11-02 02:33 - 0363874 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-26 09:17 - 2011-06-26 14:18 - 0000450 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{E445F9BF-7DAF-4264-9F96-8659F78AEF80}.job
2012-04-26 09:16 - 2012-03-09 23:45 - 0002747 ____A C:\Users\Any Authorised User\AppData\Local\yqjuhssa.log
2012-04-26 09:16 - 2012-03-09 10:53 - 1234963 ____A C:\Users\Any Authorised User\AppData\Local\dptgxcdh.log
2012-04-26 09:14 - 2009-06-22 08:39 - 0000000 ____D C:\Users\Any Authorised User\Tracing
2012-04-26 01:02 - 2012-03-09 10:51 - 0004048 ____A C:\Users\Any Authorised User\AppData\Local\gluxgqml.log
2012-04-26 01:01 - 2012-03-09 10:55 - 0003315 ____A C:\Users\Any Authorised User\AppData\Local\tyhqpvfi.log
2012-04-26 00:55 - 2009-12-25 13:31 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-26 00:54 - 2009-12-09 15:41 - 0002756 ____A C:\Users\Public\Documents\DME-SETTINGS.xml
2012-04-26 00:54 - 2009-12-09 15:41 - 0000328 ____A C:\Windows\Tasks\DMEPeriodicTask.job
2012-04-25 23:37 - 2006-11-02 05:01 - 0032574 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-25 13:57 - 2012-04-25 13:57 - 0105562 ____A C:\Users\Any Authorised User\Desktop\attach.txt
2012-04-25 13:57 - 2012-04-25 13:57 - 0019055 ____A C:\Users\Any Authorised User\Desktop\dds.txt
2012-04-25 13:53 - 2012-04-25 13:47 - 0607260 ____R (Swearware) C:\Users\Any Authorised User\Desktop\dds.scr
2012-04-25 13:53 - 2012-04-25 13:47 - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
2012-04-25 13:47 - 2012-04-25 13:47 - 0000719 ____A C:\Windows\setupact.log
2012-04-25 13:47 - 2012-04-25 13:47 - 0000000 ____A C:\Windows\setuperr.log
2012-04-25 13:47 - 2007-12-30 12:41 - 0019456 ____A C:\Users\Any Authorised User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-25 13:39 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\rescache
2012-04-25 13:29 - 2012-03-09 10:55 - 0140868 ____A C:\Users\Any Authorised User\AppData\Local\pkrbkmik.log
2012-04-25 13:29 - 2012-03-09 10:55 - 0002639 ____A C:\Users\Any Authorised User\AppData\Local\nrxexneh.log
2012-04-25 13:27 - 2009-12-09 15:01 - 0000000 ___HD C:\Config.Msi
2012-04-25 13:24 - 2008-10-17 10:34 - 0000000 ____D C:\Users\All Users\Google Updater
2012-04-25 13:24 - 2008-10-17 10:34 - 0000000 ____D C:\ProgramData\Google Updater
2012-04-22 14:05 - 2012-04-22 12:49 - 0000000 ____D C:\Users\All Users\MFAData
2012-04-22 14:05 - 2012-04-22 12:49 - 0000000 ____D C:\ProgramData\MFAData
2012-04-22 14:03 - 2006-11-10 23:41 - 0000000 ____D C:\Windows\Panther
2012-04-22 14:01 - 2012-04-22 14:01 - 0000764 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-04-22 14:01 - 2012-04-22 14:01 - 0000000 ____D C:\Program Files\CCleaner
2012-04-22 13:54 - 2012-04-22 13:54 - 0000000 ____D C:\Mozilla
2012-04-22 13:15 - 2012-04-22 13:15 - 0097680 ___AH C:\Windows\System32\qcv6R9dHL
2012-04-22 13:10 - 2008-01-04 05:13 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-04-22 12:47 - 2012-04-22 12:47 - 0000000 ____D C:\Windows\Mozilla
2012-04-22 10:23 - 2012-04-22 10:14 - 0000552 ____A C:\Windows\System32\spsys.log
2012-04-22 10:17 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-04-22 10:13 - 2007-09-10 17:48 - 0000749 __RAH C:\Windows\WindowsShell.Manifest
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\Users\Public\desktop.ini
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\users\desktop.ini
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\Users\All Users\Start Menu\Programs\Startup\desktop.ini
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\Program Files\desktop.ini
2012-04-22 02:31 - 2006-11-02 04:47 - 0367400 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-22 02:28 - 2012-04-22 02:28 - 0000000 ____D C:\Program Files\MSN
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\DigitalLocker
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Photo Gallery
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Journal
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Defender
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Collaboration
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Calendar
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Movie Maker
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\zh-TW
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\zh-CN
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\tr-TR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\sv-SE
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\SLUI
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ru-RU
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ro-RO
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ras
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\pt-PT
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\pt-BR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\pl-PL
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\nl-NL
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\nb-NO
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ko-KR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ja-JP
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\it-IT
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\icsxml
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ias
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\hu-HU
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\he-IL
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\fr-FR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\fi-FI
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\el-GR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\de-DE
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\com
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ar-SA
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\MSAgent
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\L2Schemas
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\IME
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\System
2012-04-22 02:26 - 2007-09-10 15:34 - 0000000 ____D C:\Windows\WindowsMobile
2012-04-22 02:24 - 2007-09-03 01:18 - 0000000 ____D C:\Windows\System32\RTCOM
2012-04-22 02:20 - 2006-11-02 02:32 - 0101376 ____A (Infineon Technologies AG) C:\Windows\System32\ifxcardm.dll
2012-04-22 02:19 - 2006-11-02 02:32 - 0079872 ____A (Axalto, Inc.) C:\Windows\System32\axaltocm.dll
2012-04-21 23:23 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-21 16:41 - 2012-04-21 15:49 - 0000000 ____D C:\Windows\System32\MpEngineStore
2012-04-21 15:47 - 2012-04-21 15:47 - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-21 15:47 - 2012-04-21 15:47 - 0097680 ____S C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-21 15:47 - 2012-03-25 18:23 - 0097680 ___AH C:\Windows\System32\vhESJd7a
2012-04-21 15:47 - 2012-03-09 10:50 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\rufysvee
2012-04-21 15:42 - 2012-04-21 15:42 - 0000217 ____A C:\Windows\System32\MRT.INI
2012-04-21 15:42 - 2010-10-02 12:16 - 0000000 ____D C:\Program Files\QuickTime
2012-04-21 15:42 - 2007-09-10 15:07 - 0000000 ____D C:\Program Files\Microsoft Office
2012-04-21 15:29 - 2012-04-12 13:49 - 0097680 ___AH C:\Windows\System32\zcb3t23
2012-04-21 14:13 - 2010-12-08 13:46 - 0000000 ____D C:\Program Files\BearShare Applications
2012-04-21 14:10 - 2011-07-25 17:28 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\.minecraft
2012-04-21 14:10 - 2007-09-03 01:17 - 0000000 ____D C:\Program Files\Common Files\InstallShield
2012-04-21 14:09 - 2011-01-22 16:12 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-04-21 14:09 - 2011-01-22 16:12 - 0000000 ____D C:\ProgramData\Yahoo!
2012-04-21 14:09 - 2008-05-28 08:20 - 0000000 ____D C:\Users\All Users\CyberLink
2012-04-21 14:09 - 2008-05-28 08:20 - 0000000 ____D C:\ProgramData\CyberLink
2012-04-21 14:09 - 2007-12-05 10:13 - 0000000 ____D C:\Program Files\Yahoo!
2012-04-21 14:09 - 2007-11-08 12:18 - 0000000 ____D C:\Program Files\CyberLink
2012-04-21 14:04 - 2011-07-24 15:06 - 0000000 ____D C:\Program Files\Utherverse Digital Inc
2012-04-21 14:04 - 2007-12-05 10:13 - 0000000 ____D C:\Users\Any Authorised User\AppData\LocalLow
2012-04-21 14:03 - 2009-07-17 09:02 - 0000000 ____D C:\Users\All Users\Norton
2012-04-21 14:03 - 2009-07-17 09:02 - 0000000 ____D C:\ProgramData\Norton
2012-04-21 14:02 - 2010-07-24 07:44 - 0000000 ____D C:\Users\All Users\Alwil Software
2012-04-21 14:02 - 2010-07-24 07:44 - 0000000 ____D C:\ProgramData\Alwil Software
2012-04-21 13:32 - 2012-04-12 10:18 - 0097680 ___AH C:\Windows\System32\xALBlNR
2012-04-21 13:18 - 2008-01-03 14:06 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\Google
2012-04-21 13:18 - 2008-01-03 14:05 - 0000000 ____D C:\Program Files\Google
2012-04-13 21:08 - 2011-10-06 09:44 - 0002377 ____A C:\Users\Public\Desktop\Skype.lnk
2012-04-13 20:28 - 2008-01-04 05:13 - 0000856 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-04-13 20:21 - 2012-04-13 20:20 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\PCPowerSpeed
2012-04-13 20:18 - 2012-04-13 20:18 - 1996976 ____A (Inbox.com, Inc. ) C:\Users\Any Authorised User\Downloads\MailNotifierSetupGB.exe
2012-04-13 20:04 - 2011-03-06 11:01 - 0001977 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-04-13 11:10 - 2012-04-13 11:10 - 0000000 ____D C:\Sun
2012-04-12 22:45 - 2012-03-18 01:21 - 0097680 ___AH C:\Windows\System32\Oxh2523
2012-04-12 14:16 - 2006-11-02 02:23 - 0000275 ____A C:\Windows\win.ini
2012-04-12 10:40 - 2012-04-12 10:40 - 0097680 ___AH C:\Users\Any Authorised User\Desktop\CZ0TDiNm
2012-04-12 10:14 - 2012-03-09 10:50 - 0551408 ____A C:\Users\Any Authorised User\AppData\Local\cseqauaq.log
2012-04-10 12:47 - 2011-04-22 03:33 - 0001160 ____A C:\dlcd.log
2012-04-10 12:44 - 2012-04-10 12:44 - 0097680 ___AH C:\Windows\System32\qx7Kd23
2012-04-10 08:19 - 2012-04-10 08:19 - 0097680 ___AH C:\Windows\System32\Ggcst23
2012-04-09 08:10 - 2012-04-09 08:10 - 0097680 ___AH C:\Windows\System32\ZUCywCf1
2012-04-07 16:29 - 2012-04-07 16:29 - 0097680 ___AH C:\Windows\System32\SaTqS23
2012-04-07 02:21 - 2012-04-07 02:21 - 0097680 ___AH C:\Windows\System32\pyKfYa3
2012-04-05 12:48 - 2007-11-08 12:27 - 0000000 ____D C:\Program Files\Launch Manager
2012-04-04 13:07 - 2012-04-04 13:07 - 0097680 ___AH C:\Windows\System32\mmPs923
2012-04-04 03:30 - 2012-04-04 03:30 - 0097680 ___AH C:\Windows\System32\0wlnMH3
2012-04-03 12:04 - 2012-04-03 11:45 - 0097680 ___AH C:\Windows\System32\CgGwJXv
2012-04-03 11:47 - 2011-05-11 07:16 - 0000680 ____A C:\Users\Any Authorised User\AppData\Local\d3d9caps.dat
2012-04-03 04:54 - 2012-04-03 04:54 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\dhlmqxlc.log
2012-04-02 22:01 - 2012-04-02 22:01 - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-03-30 06:39 - 2011-03-06 10:56 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\Skype
2012-03-28 18:02 - 2006-11-02 02:24 - 55154568 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-03-27 17:37 - 2009-10-17 08:53 - 0000000 ____D C:\Program Files\Dl_cats
2012-03-27 17:15 - 2012-03-27 17:15 - 0000380 ____A C:\edu.bmp
2012-03-27 17:15 - 2012-03-27 17:15 - 0000304 ____A C:\dir.bmp
2012-03-27 17:15 - 2012-03-27 17:15 - 0000284 ____A C:\srch_map_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000279 ____A C:\hj_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000277 ____A C:\mov_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000274 ____A C:\trav_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000273 ____A C:\srch_stk_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000268 ____A C:\ab_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000265 ____A C:\srch_ans_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000240 ____A C:\srch_site_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000235 ____A C:\srch_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000138 ____A C:\flk2.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000131 ____A C:\srch_loc_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000123 ____A C:\srch_sh_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000121 ____A C:\srch_nws_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000113 ____A C:\srch_aud_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000112 ____A C:\srch_vid_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000112 ____A C:\srch_img_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000103 ____A C:\del_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000000 ____D C:\e
2012-03-27 17:15 - 2012-03-27 17:15 - 0000000 ____D C:\Data
2012-03-26 13:27 - 2009-12-09 14:58 - 0000000 ____D C:\Users\All Users\HP
2012-03-26 13:27 - 2009-12-09 14:58 - 0000000 ____D C:\ProgramData\HP
2012-03-25 10:01 - 2011-01-02 18:43 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\IMVUClient
2012-03-17 18:48 - 2009-06-16 08:53 - 0000000 ____D C:\Program Files\SystemRequirementsLab
2012-03-17 18:47 - 2007-12-12 11:55 - 0000000 ____D C:\Program Files\Microsoft Works
2012-03-17 18:45 - 2007-12-18 13:46 - 0000000 ____D C:\Program Files\HP
2012-03-17 18:44 - 2007-11-08 12:02 - 0000000 ____D C:\Program Files\Common Files\snp2uvc
2012-03-17 18:44 - 2007-09-10 14:53 - 0000000 ____D C:\Program Files\Common Files\LightScribe
2012-03-17 18:43 - 2011-01-31 15:15 - 0000000 ____D C:\Program Files\Blinkx
2012-03-17 18:43 - 2008-11-22 07:14 - 0000000 ____D C:\Program Files\Avanquest update
2012-03-17 18:43 - 2007-12-12 11:30 - 0000000 ____D C:\Program Files\Common Files\Designer
2012-03-17 18:42 - 2007-11-08 12:27 - 0000000 ____D C:\Program Files\ACER Crystal Eye webcam
2012-03-14 21:31 - 2012-03-12 09:07 - 0097680 ___AH C:\Windows\System32\Pm3me23
2012-03-09 10:51 - 2012-03-09 10:51 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\wcdcsucn.log
2012-02-26 16:57 - 2008-03-20 10:28 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-02-23 01:18 - 2009-10-02 10:08 - 0237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-04 16:04 - 2012-02-04 16:02 - 15795464 ____A (Mozilla) C:\Users\Any Authorised User\Downloads\Firefox Setup 10.0.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2006-11-02 02:25] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6


========================= Memory info ======================

Percentage of memory in use: 24%
Total physical RAM: 1789.5 MB
Available physical RAM: 1358.92 MB
Total Pagefile: 1608.23 MB
Available Pagefile: 1424.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:51.01 GB) (Free:2.81 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (DATA) (Fixed) (Total:51.01 GB) (Free:47.52 GB) NTFS
3 Drive e: (VISTA_32_PREMIUM) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
4 Drive f: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:1.5 GB) FAT32 ==>[System with boot components (obtained from reading drive)]
5 Drive g: (PATRIOT) (Removable) (Total:7.45 GB) (Free:3.4 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1465 KB
Disk 1 Online 7644 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 1024 KB
Partition 2 Primary 51 GB 10 GB
Partition 3 Primary 51 GB 61 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F PQSERVICE FAT32 Partition 10 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 51 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D DATA NTFS Partition 51 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7640 MB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G PATRIOT FAT32 Removable 7640 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-26 09:19

======================= End Of Log ==========================

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:37 PM

Posted 27 April 2012 - 07:43 AM

Hi,

Please do the following:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [Acer Tour] [x]
HKLM\...\Run: [] [x]
HKU\Any Authorised User\...\Run: [My Security Shield] "C:\ProgramData\ea2fa93\MSea2f_284.exe" /s /d [x]
HKU\Any Authorised User\...\Run: [{A8AC3549-2975-6968-A283-A94FFBE03265}] "C:\Users\Any Authorised User\AppData\Roaming\Oluzu\vyyv.exe" [x]
HKU\Any Authorised User\...\Run: [AxwLdvnu] C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-21] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-21] ()
3 Micorsoft Windows Service; \??\C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys [x]
C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys 
2012-04-22 13:15 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\qcv6R9dHL
2012-04-21 15:47 - - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-21 15:47 - - 0097680 ____S C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-12 13:49 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\zcb3t23
2012-04-12 10:40 - 2011-01-31 15:15 - 0097680 ___AH C:\Users\Any Authorised User\Desktop\CZ0TDiNm
2012-04-12 10:18 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\xALBlNR
2012-04-10 12:44 - 2006-11-02 04:34 - 0097680 ___AH C:\Windows\System32\qx7Kd23
2012-04-10 08:19 - 2006-11-02 04:34 - 0097680 ___AH C:\Windows\System32\Ggcst23
2012-04-09 08:10 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\ZUCywCf1
2012-04-07 16:29 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\SaTqS23
2012-04-07 02:21 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\pyKfYa3
2012-04-04 13:07 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\mmPs923
2012-04-04 03:30 - 2007-09-10 15:34 - 0097680 ___AH C:\Windows\System32\0wlnMH3
2012-04-03 11:45 - 2008-02-16 15:25 - 0097680 ___AH C:\Windows\System32\CgGwJXv
2012-04-03 04:54 - 2012-04-25 13:47 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\dhlmqxlc.log
2012-04-26 22:31 - 2012-03-26 14:52 - 0097680 ___AH C:\Windows\System32\2xlFnpAbZ
2012-04-26 22:31 - 2012-03-09 10:50 - 0000024 ____A C:\Users\Any Authorised User\AppData\Local\bcadexsq.log
2012-04-26 09:16 - 2012-03-09 23:45 - 0002747 ____A C:\Users\Any Authorised User\AppData\Local\yqjuhssa.log
2012-04-26 09:16 - 2012-03-09 10:53 - 1234963 ____A C:\Users\Any Authorised User\AppData\Local\dptgxcdh.log
2012-04-26 01:02 - 2012-03-09 10:51 - 0004048 ____A C:\Users\Any Authorised User\AppData\Local\gluxgqml.log
2012-04-26 01:01 - 2012-03-09 10:55 - 0003315 ____A C:\Users\Any Authorised User\AppData\Local\tyhqpvfi.log
2012-04-25 13:29 - 2012-03-09 10:55 - 0140868 ____A C:\Users\Any Authorised User\AppData\Local\pkrbkmik.log
2012-04-25 13:29 - 2012-03-09 10:55 - 0002639 ____A C:\Users\Any Authorised User\AppData\Local\nrxexneh.log
2012-04-22 13:15 - 2012-04-22 13:15 - 0097680 ___AH C:\Windows\System32\qcv6R9dHL
2012-04-21 15:47 - 2012-03-25 18:23 - 0097680 ___AH C:\Windows\System32\vhESJd7a
2012-04-21 15:47 - 2012-03-09 10:50 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\rufysvee
2012-04-21 15:29 - 2012-04-12 13:49 - 0097680 ___AH C:\Windows\System32\zcb3t23
2012-04-21 13:32 - 2012-04-12 10:18 - 0097680 ___AH C:\Windows\System32\xALBlNR
2012-04-12 22:45 - 2012-03-18 01:21 - 0097680 ___AH C:\Windows\System32\Oxh2523
2012-04-12 10:40 - 2012-04-12 10:40 - 0097680 ___AH C:\Users\Any Authorised User\Desktop\CZ0TDiNm
2012-04-12 10:14 - 2012-03-09 10:50 - 0551408 ____A C:\Users\Any Authorised User\AppData\Local\cseqauaq.log
2012-04-10 12:47 - 2011-04-22 03:33 - 0001160 ____A C:\dlcd.log
2012-04-10 12:44 - 2012-04-10 12:44 - 0097680 ___AH C:\Windows\System32\qx7Kd23
2012-04-10 08:19 - 2012-04-10 08:19 - 0097680 ___AH C:\Windows\System32\Ggcst23
2012-04-09 08:10 - 2012-04-09 08:10 - 0097680 ___AH C:\Windows\System32\ZUCywCf1
2012-04-07 16:29 - 2012-04-07 16:29 - 0097680 ___AH C:\Windows\System32\SaTqS23
2012-04-07 02:21 - 2012-04-07 02:21 - 0097680 ___AH C:\Windows\System32\pyKfYa3
2012-04-04 13:07 - 2012-04-04 13:07 - 0097680 ___AH C:\Windows\System32\mmPs923
2012-04-04 03:30 - 2012-04-04 03:30 - 0097680 ___AH C:\Windows\System32\0wlnMH3
2012-04-03 12:04 - 2012-04-03 11:45 - 0097680 ___AH C:\Windows\System32\CgGwJXv
2012-04-03 04:54 - 2012-04-03 04:54 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\dhlmqxlc.log
2012-03-14 21:31 - 2012-03-12 09:07 - 0097680 ___AH C:\Windows\System32\Pm3me23
2012-03-09 10:51 - 2012-03-09 10:51 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\wcdcsucn.log
Reg: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /t REG_SZ /d "C:\\WINDOWS\\system32\\userinit.exe," 
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options as you did before.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


NEXT


Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
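
Added example, not code from the thread or from FRST: a small Python triage script that parses file-listing lines in the format the scan above prints (created - modified - size attributes path) and flags the pattern the fixlist targets, namely same-size hidden files with random names dropped into System32 and the profile, an executable in the Startup folder, and a folder literally named %APPDATA%. The sample lines are copied from the thread's log; the scoring rules and thresholds are assumptions chosen to fit that log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Lines copied verbatim from the FRST scan in the thread: the dropped files
# the fixlist removes, plus benign entries (FRST, dds, Firefox) for contrast.
SAMPLE_LOG = r"""
2012-04-27 07:50 - 2012-03-27 17:15 - 0000000 ____D C:\FRST
2012-04-25 13:47 - 2012-04-12 10:40 - 0607260 ____R (Swearware) C:\Users\Any Authorised User\Desktop\dds.scr
2012-04-25 13:47 - - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
2012-04-22 13:15 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\qcv6R9dHL
2012-04-21 15:47 - - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-12 13:49 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\zcb3t23
2012-04-12 10:40 - 2011-01-31 15:15 - 0097680 ___AH C:\Users\Any Authorised User\Desktop\CZ0TDiNm
2012-04-12 10:18 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\xALBlNR
2012-04-10 12:44 - 2006-11-02 04:34 - 0097680 ___AH C:\Windows\System32\qx7Kd23
2012-04-09 08:10 - 2006-11-02 01:46 - 0097680 ___AH C:\Windows\System32\ZUCywCf1
2012-04-04 03:30 - 2007-09-10 15:34 - 0097680 ___AH C:\Windows\System32\0wlnMH3
2012-04-02 22:01 - - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-02-04 16:04 - 2012-02-04 16:02 - 15795464 ____A (Mozilla) C:\Users\Any Authorised User\Downloads\Firefox Setup 10.0.exe
2012-04-22 14:01 - 2010-10-02 12:13 - 0000000 ____D C:\Program Files\CCleaner
"""

# created - [modified] - size attrs [(company)] path
# FRST prints "- -" when the modified stamp is absent, so that group is optional.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?:(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) )?- "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{6,10}")


@dataclass
class Entry:
    created: str
    modified: Optional[str]
    size: int
    attrs: str          # five attribute flags, e.g. ___AH, __SHD, ____D
    company: Optional[str]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"], m["path"])


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def case_transitions(name: str) -> int:
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name: str) -> bool:
    # Extensionless 6-10 alphanumerics containing digits or jumbled case
    # (qcv6R9dHL, zcb3t23, xALBlNR); 'FRST' and 'Tracing' do not qualify.
    if "." in name or not RANDOM_NAME_RE.fullmatch(name):
        return False
    return any(c.isdigit() for c in name) or case_transitions(name) >= 2


def size_clusters(entries: list, min_count: int = 3) -> dict:
    # One dropper writing copies of itself leaves many files of one exact size.
    by_size = defaultdict(list)
    for e in entries:
        if "D" not in e.attrs and e.size > 0:
            by_size[e.size].append(e.path)
    return {s: p for s, p in by_size.items() if len(p) >= min_count}


def triage(entries: list, min_reasons: int = 2) -> list:
    # Returns (path, reasons) for entries hitting at least min_reasons rules;
    # the rule set and threshold are assumptions, not FRST's own logic.
    clusters = size_clusters(entries)
    findings = []
    for e in entries:
        reasons = []
        if "%" in e.name:
            reasons.append("unexpanded environment variable used as a name")
        if "H" in e.attrs:
            reasons.append("hidden attribute")
        if "\\startup\\" in e.path.lower():
            reasons.append("autostart location")
        if "D" not in e.attrs:
            if looks_random(e.name):
                reasons.append("random-looking extensionless name")
            if e.size in clusters:
                reasons.append(f"size {e.size} shared by {len(clusters[e.size])} files")
        if len(reasons) >= min_reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_log(SAMPLE_LOG)):
        print(path, "->", "; ".join(why))
```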


#7 millwalker

millwalker
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:37 AM

Posted 27 April 2012 - 03:21 PM

Hi,

The FRST fix has been running for about 4 hours. Happy to leave it going but wondered if this is normal!?!

thanks,

Phill

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:37 PM

Posted 27 April 2012 - 04:43 PM

hmmm, no that's not usual, it may be experiencing trouble removing one or two items,

exit from it and move on to ComboFix

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 millwalker

millwalker
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:37 AM

Posted 27 April 2012 - 07:10 PM

Hi,

I ran combofix. It took an age even for the command line window to open and took around 25 minutes to run.

The end result is that the laptop restarted itself during the scan and now crashes and restarts upon each boot attempt. In safe mode it only gets so far and not to desktop and again restarts. This is one of the original symptoms I was experiencing.

As a result I haven't got a Combofix log for you. Here is the FRST log from the scan that did not seem to complete.

Any suggestions!?


Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 2012-04-27 17:06:32 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Acer Tour Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HKLM\...\Run: [] [x] Value not found.
HKEY_USERS\Any Authorised User\Software\Microsoft\Windows\CurrentVersion\Run\\My Security Shield Value deleted successfully.
HKEY_USERS\Any Authorised User\Software\Microsoft\Windows\CurrentVersion\Run\\{A8AC3549-2975-6968-A283-A94FFBE03265} Value deleted successfully.
HKEY_USERS\Any Authorised User\Software\Microsoft\Windows\CurrentVersion\Run\\AxwLdvnu Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored.
Micorsoft Windows Service service deleted successfully.
C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys not found.
C:\Windows\System32\qcv6R9dHL moved successfully.
C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe moved successfully.
C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe not found.
C:\Windows\System32\zcb3t23 moved successfully.
C:\Users\Any Authorised User\Desktop\CZ0TDiNm moved successfully.
C:\Windows\System32\xALBlNR moved successfully.
C:\Windows\System32\qx7Kd23 moved successfully.
C:\Windows\System32\Ggcst23 moved successfully.
C:\Windows\System32\ZUCywCf1 moved successfully.
C:\Windows\System32\SaTqS23 moved successfully.
C:\Windows\System32\pyKfYa3 moved successfully.
C:\Windows\System32\mmPs923 moved successfully.
C:\Windows\System32\0wlnMH3 moved successfully.
C:\Windows\System32\CgGwJXv moved successfully.
C:\Users\Any Authorised User\AppData\Local\dhlmqxlc.log moved successfully.
C:\Windows\System32\2xlFnpAbZ moved successfully.
C:\Users\Any Authorised User\AppData\Local\bcadexsq.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\yqjuhssa.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\dptgxcdh.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\gluxgqml.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\tyhqpvfi.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\pkrbkmik.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\nrxexneh.log moved successfully.
C:\Windows\System32\qcv6R9dHL not found.
C:\Windows\System32\vhESJd7a moved successfully.
C:\Users\Any Authorised User\AppData\Local\rufysvee moved successfully.
C:\Windows\System32\zcb3t23 not found.
C:\Windows\System32\xALBlNR not found.
C:\Windows\System32\Oxh2523 moved successfully.
C:\Users\Any Authorised User\Desktop\CZ0TDiNm not found.
C:\Users\Any Authorised User\AppData\Local\cseqauaq.log moved successfully.
C:\dlcd.log moved successfully.
C:\Windows\System32\qx7Kd23 not found.
C:\Windows\System32\Ggcst23 not found.
C:\Windows\System32\ZUCywCf1 not found.
C:\Windows\System32\SaTqS23 not found.
C:\Windows\System32\pyKfYa3 not found.
C:\Windows\System32\mmPs923 not found.
C:\Windows\System32\0wlnMH3 not found.
C:\Windows\System32\CgGwJXv not found.
C:\Users\Any Authorised User\AppData\Local\dhlmqxlc.log not found.
C:\Windows\System32\Pm3me23 moved successfully.
C:\Users\Any Authorised User\AppData\Local\wcdcsucn.log moved successfully.

========= REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /t REG_SZ /d "C:\\WINDOWS\\system32\\userinit.exe," =========

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:37 PM

Posted 27 April 2012 - 09:44 PM

OK

The FRST fix looks as though it did work properly.

Please run a fresh FRST scan as you did originally and post the new log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 millwalker

millwalker
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:37 AM

Posted 30 April 2012 - 04:50 PM

Hi,

It ran in less than a minute rather than 4 hours this time. Here is the log. The laptop is still unstable though.

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 30-04-2012 22:20:38
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1006264 2007-09-03] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-10-23] (Synaptics, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40048 2007-03-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Acer Tour] [x]
HKLM\...\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting [45056 2007-04-25] ( )
HKLM\...\Run: [eRecoveryService] [x]
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [813840 2007-04-04] (Dritek System Inc.)
HKLM\...\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe [57344 2006-11-05] (Acer Inc.)
HKLM\...\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe" [245810 2001-07-25] (Microsoft Corporation)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [177440 2009-08-13] (Apple Inc.)
HKLM\...\Run: [DLCDCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16 [69632 2005-06-07] ()
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-09-23] (Apple Inc.)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1226608 2010-12-09] ()
HKLM\...\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start [63360 2010-12-08] (DivX, LLC)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM\...\Run: [] [x]
HKU\Any Authorised User\...\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" [188472 2001-07-25] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-10-17] (Google Inc.)
HKU\Any Authorised User\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
HKU\Any Authorised User\...\Run: [Xvid] C:\Program Files\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\Any Authorised User\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [17353352 2011-09-26] (Skype Technologies S.A.)
HKU\Any Authorised User\...\Run: [{DDDFFB1A-0792-5A83-38FC-190770EEDC52}] C:\Users\Any Authorised User\AppData\Roaming\Skype\akele221\chatsync\8e\subst.exe [188416 2006-11-02] ()
HKU\Any Authorised User\...\Run: [RebateInformer] C:\PROGRA~1\RebateInformer\RebateInf.exe /STARTUP [x]
HKU\Any Authorised User\...\Run: [AxwLdvnu] C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-30] ()
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-30] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
IMEO: [Debugger] svchost.exe

================================ Services (Whitelisted) ==================

2 Ati External Event Utility; C:\Windows\System32\Ati2evxx.exe [610304 2007-08-11] (ATI Technologies Inc.)
2 BBUpdate; "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [249648 2011-06-15] (Microsoft Corporation)
3 dlcd_device; C:\Windows\system32\dlcdcoms.exe -service [491520 2005-06-21] ()
2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [53248 2007-07-03] (Acer Inc.)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [135664 2009-12-25] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [135664 2009-12-25] (Google Inc.)
2 Irmon; C:\Windows\System32\irmon.dll [17920 2006-11-02] (Microsoft Corporation)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-19] (Microsoft Corporation)
2 o2flash; "C:\Program Files\O2Micro Oz128 Driver\o2flash.exe" [65536 2007-02-12] (O2Micro International)
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [167936 2008-01-18] (Microsoft Corporation)
3 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [87840 2006-04-14] (Microsoft Corporation)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [365568 2008-01-18] (Microsoft Corporation)
2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

========================== Drivers (Whitelisted) =============

3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [2930176 2007-08-11] (ATI Technologies Inc.)
3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl6.sys [534016 2006-12-19] (Broadcom Corporation)
3 DKbFltr; C:\Windows\System32\DRIVERS\DKbFltr.sys [21264 2006-11-02] (Dritek System Inc.)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2006-11-01] (Conexant Systems, Inc.)
3 ialm; C:\Windows\System32\DRIVERS\igdkmd32.sys [1380864 2006-10-18] (Intel Corporation)
2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [76584 2006-12-07] ()
2 irda; C:\Windows\System32\DRIVERS\irda.sys [95744 2006-11-02] (Microsoft Corporation)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 NSCIRDA; C:\Windows\System32\DRIVERS\nscirda.sys [30720 2006-11-02] (National Semiconductor Corporation)
3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [6144 2007-09-10] (NewTech Infosystems, Inc.)
0 O2MDRDR; C:\Windows\System32\DRIVERS\o2media.sys [39680 2007-04-03] (O2Micro )
0 O2SDRDR; C:\Windows\System32\DRIVERS\o2sd.sys [35712 2007-04-02] (O2Micro )
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [44544 2006-11-01] (Realtek Corporation)
3 s3017bus; C:\Windows\System32\DRIVERS\s3017bus.sys [83880 2007-12-10] (MCCI Corporation)
3 s3017mdfl; C:\Windows\System32\DRIVERS\s3017mdfl.sys [15016 2007-12-10] (MCCI Corporation)
3 s3017mdm; C:\Windows\System32\DRIVERS\s3017mdm.sys [110632 2007-12-10] (MCCI Corporation)
3 s3017mgmt; C:\Windows\System32\DRIVERS\s3017mgmt.sys [104616 2007-12-10] (MCCI Corporation)
3 s3017nd5; C:\Windows\System32\DRIVERS\s3017nd5.sys [25512 2007-12-10] (MCCI Corporation)
3 s3017obex; C:\Windows\System32\DRIVERS\s3017obex.sys [100648 2007-12-10] (MCCI Corporation)
3 s3017unic; C:\Windows\System32\DRIVERS\s3017unic.sys [110120 2007-12-10] (MCCI Corporation)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1729152 2007-06-12] ()
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2006-11-02] (Promise Technology, Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\Users\ANYAUT~1\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 Micorsoft Windows Service; \??\C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 RasSstp; C:\Windows\System32\DRIVERS\rassstp.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-27 15:50 - 2012-03-27 17:15 - 0000000 __SHD C:\found.000
2012-04-27 15:41 - 2012-04-27 15:38 - 0000000 ____A C:\WindowsLiveMessenger-uccapi-0.uccapilog
2012-04-27 15:38 - 2011-06-25 22:45 - 0001092 ____A C:\Windows\PFRO.log
2012-04-27 15:13 - 2012-04-14 17:19 - 0208896 ____A C:\Windows\MBR.exe
2012-04-27 15:13 - 2007-11-08 12:03 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-27 15:13 - 2006-11-02 04:37 - 0256000 ____A C:\Windows\PEV.exe
2012-04-27 15:13 - 2006-11-02 04:35 - 0068096 ____A C:\Windows\zip.exe
2012-04-27 15:13 - 2006-11-02 03:18 - 0098816 ____A C:\Windows\sed.exe
2012-04-27 15:13 - 2006-11-02 03:18 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-04-27 15:13 - 2006-11-02 02:22 - 0080412 ____A C:\Windows\grep.exe
2012-04-27 15:13 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-27 15:13 - 2000-08-30 16:00 - 0212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2012-04-27 15:12 - 2011-08-02 07:53 - 0000000 ____D C:\Windows\ERDNT
2012-04-27 15:12 - 2006-11-10 23:41 - 0000000 ___SD C:\ComboFix
2012-04-27 15:10 - 2012-04-22 12:49 - 0000000 ____D C:\Qoobox
2012-04-27 15:09 - 2011-01-31 15:15 - 4478092 ____R (Swearware) C:\Users\Any Authorised User\Desktop\ComboFix.exe
2012-04-27 15:09 - 2009-12-09 15:36 - 0004048 ____A C:\Users\Any Authorised User\AppData\Local\gluxgqml.log
2012-04-27 15:07 - 2010-12-08 14:02 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\cseqauaq.log
2012-04-27 15:07 - 2007-12-12 11:26 - 0000024 ____A C:\Users\Any Authorised User\AppData\Local\bcadexsq.log
2012-04-27 15:07 - - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-27 15:07 - - 0097680 ____S C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-27 15:06 - 2012-03-27 17:15 - 0000078 ____A C:\dlcd.log
2012-04-27 15:06 - 2010-12-08 13:44 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\rufysvee
2012-04-27 15:06 - 2006-09-18 13:28 - 0097680 ___AH C:\Windows\System32\2xlFnpAbZ
2012-04-27 15:05 - 2006-11-02 00:53 - 0097680 ___AH C:\Windows\System32\vhESJd7a
2012-04-27 07:50 - 2012-04-27 15:50 - 0000000 ____D C:\FRST
2012-04-25 13:57 - 2012-04-25 13:53 - 0105562 ____A C:\Users\Any Authorised User\Desktop\attach.txt
2012-04-25 13:57 - 2012-04-25 13:53 - 0019055 ____A C:\Users\Any Authorised User\Desktop\dds.txt
2012-04-25 13:47 - 2012-04-27 08:10 - 0607260 ____R (Swearware) C:\Users\Any Authorised User\Desktop\dds.scr
2012-04-25 13:47 - 2012-04-25 13:47 - 0000000 ____A C:\Windows\setuperr.log
2012-04-25 13:47 - 2010-07-25 03:47 - 0000719 ____A C:\Windows\setupact.log
2012-04-25 13:47 - - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
2012-04-22 14:09 - 2012-04-22 10:13 - 0209680 ____A C:\Windows\WindowsUpdate.log
2012-04-22 14:09 - 2009-08-09 10:27 - 1877049344 __ASH C:\hiberfil.sys
2012-04-22 14:01 - 2010-10-02 12:13 - 0000000 ____D C:\Program Files\CCleaner
2012-04-22 14:01 - 2010-03-19 13:08 - 0000764 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-04-22 13:54 - 2012-03-27 17:15 - 0000000 ____D C:\Mozilla
2012-04-22 12:49 - 2010-01-08 08:49 - 0000000 ____D C:\Users\All Users\MFAData
2012-04-22 12:49 - 2010-01-08 08:49 - 0000000 ____D C:\ProgramData\MFAData
2012-04-22 12:47 - 2006-11-02 02:23 - 0000000 ____D C:\Windows\Mozilla
2012-04-22 10:14 - 2006-11-02 01:46 - 0000552 ____A C:\Windows\System32\spsys.log
2012-04-22 02:28 - 2009-11-25 11:50 - 0000000 ____D C:\Program Files\MSN
2012-04-21 15:49 - 2007-09-03 00:30 - 0000000 ____D C:\Windows\System32\MpEngineStore
2012-04-21 15:42 - 2012-03-28 18:02 - 0000217 ____A C:\Windows\System32\MRT.INI
2012-04-13 20:20 - 2011-08-29 10:28 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\PCPowerSpeed
2012-04-13 20:18 - 2012-02-04 16:04 - 1996976 ____A (Inbox.com, Inc. ) C:\Users\Any Authorised User\Downloads\MailNotifierSetupGB.exe
2012-04-13 11:10 - 2012-03-27 17:15 - 0000000 ____D C:\Sun
2012-04-02 22:01 - - 0000000 __SHD C:\Windows\System32\%APPDATA%

============ 3 Months Modified Files and Folders ===============

2012-04-30 13:14 - 2012-04-27 15:07 - 0000024 ____A C:\Users\Any Authorised User\AppData\Local\bcadexsq.log
2012-04-30 13:14 - 2012-04-27 15:06 - 0097680 ___AH C:\Windows\System32\2xlFnpAbZ
2012-04-30 13:14 - 2006-11-02 05:01 - 0032574 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-30 13:14 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-30 13:13 - 2012-04-22 14:09 - 1877049344 __ASH C:\hiberfil.sys
2012-04-30 13:13 - 2011-10-21 10:24 - 0000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-04-30 13:13 - 2009-12-25 13:31 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-30 13:13 - 2006-11-02 04:47 - 0003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-30 13:13 - 2006-11-02 04:47 - 0003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-30 13:11 - 2012-04-22 14:09 - 0209680 ____A C:\Windows\WindowsUpdate.log
2012-04-30 13:07 - 2006-11-02 02:33 - 0363874 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-30 13:00 - 2011-06-26 14:18 - 0000450 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{E445F9BF-7DAF-4264-9F96-8659F78AEF80}.job
2012-04-30 13:00 - 2009-06-22 08:39 - 0000000 ____D C:\Users\Any Authorised User\Tracing
2012-04-30 13:00 - 2008-10-17 10:34 - 0000000 ____D C:\Users\All Users\Google Updater
2012-04-30 13:00 - 2008-10-17 10:34 - 0000000 ____D C:\ProgramData\Google Updater
2012-04-27 15:55 - 2012-04-27 15:07 - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-27 15:55 - 2012-04-27 15:07 - 0097680 ____S C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-27 15:50 - 2012-04-27 15:50 - 0000000 __SHD C:\found.000
2012-04-27 15:41 - 2012-04-27 15:41 - 0000000 ____A C:\WindowsLiveMessenger-uccapi-0.uccapilog
2012-04-27 15:39 - 2012-04-27 15:38 - 0001092 ____A C:\Windows\PFRO.log
2012-04-27 15:37 - 2012-04-27 15:12 - 0000000 ___SD C:\ComboFix
2012-04-27 15:12 - 2012-04-27 15:12 - 0000000 ____D C:\Windows\ERDNT
2012-04-27 15:12 - 2012-04-27 15:10 - 0000000 ____D C:\Qoobox
2012-04-27 15:09 - 2012-04-27 15:09 - 0004048 ____A C:\Users\Any Authorised User\AppData\Local\gluxgqml.log
2012-04-27 15:07 - 2012-04-27 15:07 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\cseqauaq.log
2012-04-27 15:06 - 2012-04-27 15:06 - 0000078 ____A C:\dlcd.log
2012-04-27 15:06 - 2012-04-27 15:06 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\rufysvee
2012-04-27 15:06 - 2012-04-27 15:05 - 0097680 ___AH C:\Windows\System32\vhESJd7a
2012-04-27 08:10 - 2012-04-27 15:09 - 4478092 ____R (Swearware) C:\Users\Any Authorised User\Desktop\ComboFix.exe
2012-04-27 07:52 - 2012-04-27 07:50 - 0000000 ____D C:\FRST
2012-04-26 22:58 - 2009-10-17 08:53 - 0000000 ____D C:\Program Files\Dl_cats
2012-04-26 00:55 - 2009-12-25 13:31 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-26 00:54 - 2009-12-09 15:41 - 0002756 ____A C:\Users\Public\Documents\DME-SETTINGS.xml
2012-04-26 00:54 - 2009-12-09 15:41 - 0000328 ____A C:\Windows\Tasks\DMEPeriodicTask.job
2012-04-25 13:57 - 2012-04-25 13:57 - 0105562 ____A C:\Users\Any Authorised User\Desktop\attach.txt
2012-04-25 13:57 - 2012-04-25 13:57 - 0019055 ____A C:\Users\Any Authorised User\Desktop\dds.txt
2012-04-25 13:53 - 2012-04-25 13:47 - 0607260 ____R (Swearware) C:\Users\Any Authorised User\Desktop\dds.scr
2012-04-25 13:53 - 2012-04-25 13:47 - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
2012-04-25 13:47 - 2012-04-25 13:47 - 0000719 ____A C:\Windows\setupact.log
2012-04-25 13:47 - 2012-04-25 13:47 - 0000000 ____A C:\Windows\setuperr.log
2012-04-25 13:47 - 2007-12-30 12:41 - 0019456 ____A C:\Users\Any Authorised User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-25 13:39 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\rescache
2012-04-25 13:27 - 2009-12-09 15:01 - 0000000 ___HD C:\Config.Msi
2012-04-22 14:05 - 2012-04-22 12:49 - 0000000 ____D C:\Users\All Users\MFAData
2012-04-22 14:05 - 2012-04-22 12:49 - 0000000 ____D C:\ProgramData\MFAData
2012-04-22 14:03 - 2006-11-10 23:41 - 0000000 ____D C:\Windows\Panther
2012-04-22 14:01 - 2012-04-22 14:01 - 0000764 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-04-22 14:01 - 2012-04-22 14:01 - 0000000 ____D C:\Program Files\CCleaner
2012-04-22 13:54 - 2012-04-22 13:54 - 0000000 ____D C:\Mozilla
2012-04-22 13:10 - 2008-01-04 05:13 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-04-22 12:47 - 2012-04-22 12:47 - 0000000 ____D C:\Windows\Mozilla
2012-04-22 10:23 - 2012-04-22 10:14 - 0000552 ____A C:\Windows\System32\spsys.log
2012-04-22 10:17 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-04-22 10:13 - 2007-09-10 17:48 - 0000749 __RAH C:\Windows\WindowsShell.Manifest
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\Users\Public\desktop.ini
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\users\desktop.ini
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\Users\All Users\Start Menu\Programs\Startup\desktop.ini
2012-04-22 10:13 - 2006-11-02 04:50 - 0000174 __ASH C:\Program Files\desktop.ini
2012-04-22 02:31 - 2006-11-02 04:47 - 0367400 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-22 02:28 - 2012-04-22 02:28 - 0000000 ____D C:\Program Files\MSN
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\DigitalLocker
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Photo Gallery
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Journal
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Defender
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Collaboration
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Calendar
2012-04-22 02:28 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Movie Maker
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\zh-TW
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\zh-CN
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\tr-TR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\sv-SE
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\SLUI
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ru-RU
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ro-RO
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ras
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\pt-PT
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\pt-BR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\pl-PL
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\nl-NL
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\nb-NO
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ko-KR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ja-JP
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\it-IT
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\icsxml
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ias
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\hu-HU
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\he-IL
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\fr-FR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\fi-FI
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\el-GR
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\de-DE
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\com
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\ar-SA
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\MSAgent
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\L2Schemas
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\IME
2012-04-22 02:28 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\System
2012-04-22 02:26 - 2007-09-10 15:34 - 0000000 ____D C:\Windows\WindowsMobile
2012-04-22 02:24 - 2007-09-03 01:18 - 0000000 ____D C:\Windows\System32\RTCOM
2012-04-22 02:20 - 2006-11-02 02:32 - 0101376 ____A (Infineon Technologies AG) C:\Windows\System32\ifxcardm.dll
2012-04-22 02:19 - 2006-11-02 02:32 - 0079872 ____A (Axalto, Inc.) C:\Windows\System32\axaltocm.dll
2012-04-21 23:23 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-21 16:41 - 2012-04-21 15:49 - 0000000 ____D C:\Windows\System32\MpEngineStore
2012-04-21 15:42 - 2012-04-21 15:42 - 0000217 ____A C:\Windows\System32\MRT.INI
2012-04-21 15:42 - 2010-10-02 12:16 - 0000000 ____D C:\Program Files\QuickTime
2012-04-21 15:42 - 2007-09-10 15:07 - 0000000 ____D C:\Program Files\Microsoft Office
2012-04-21 14:13 - 2010-12-08 13:46 - 0000000 ____D C:\Program Files\BearShare Applications
2012-04-21 14:10 - 2011-07-25 17:28 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\.minecraft
2012-04-21 14:10 - 2007-09-03 01:17 - 0000000 ____D C:\Program Files\Common Files\InstallShield
2012-04-21 14:09 - 2011-01-22 16:12 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-04-21 14:09 - 2011-01-22 16:12 - 0000000 ____D C:\ProgramData\Yahoo!
2012-04-21 14:09 - 2008-05-28 08:20 - 0000000 ____D C:\Users\All Users\CyberLink
2012-04-21 14:09 - 2008-05-28 08:20 - 0000000 ____D C:\ProgramData\CyberLink
2012-04-21 14:09 - 2007-12-05 10:13 - 0000000 ____D C:\Program Files\Yahoo!
2012-04-21 14:09 - 2007-11-08 12:18 - 0000000 ____D C:\Program Files\CyberLink
2012-04-21 14:04 - 2011-07-24 15:06 - 0000000 ____D C:\Program Files\Utherverse Digital Inc
2012-04-21 14:04 - 2007-12-05 10:13 - 0000000 ____D C:\Users\Any Authorised User\AppData\LocalLow
2012-04-21 14:03 - 2009-07-17 09:02 - 0000000 ____D C:\Users\All Users\Norton
2012-04-21 14:03 - 2009-07-17 09:02 - 0000000 ____D C:\ProgramData\Norton
2012-04-21 14:02 - 2010-07-24 07:44 - 0000000 ____D C:\Users\All Users\Alwil Software
2012-04-21 14:02 - 2010-07-24 07:44 - 0000000 ____D C:\ProgramData\Alwil Software
2012-04-21 13:18 - 2008-01-03 14:06 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\Google
2012-04-21 13:18 - 2008-01-03 14:05 - 0000000 ____D C:\Program Files\Google
2012-04-13 21:08 - 2011-10-06 09:44 - 0002377 ____A C:\Users\Public\Desktop\Skype.lnk
2012-04-13 20:28 - 2008-01-04 05:13 - 0000856 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-04-13 20:21 - 2012-04-13 20:20 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\PCPowerSpeed
2012-04-13 20:18 - 2012-04-13 20:18 - 1996976 ____A (Inbox.com, Inc. ) C:\Users\Any Authorised User\Downloads\MailNotifierSetupGB.exe
2012-04-13 20:04 - 2011-03-06 11:01 - 0001977 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-04-13 11:10 - 2012-04-13 11:10 - 0000000 ____D C:\Sun
2012-04-12 14:16 - 2006-11-02 02:23 - 0000275 ____A C:\Windows\win.ini
2012-04-05 12:48 - 2007-11-08 12:27 - 0000000 ____D C:\Program Files\Launch Manager
2012-04-03 11:47 - 2011-05-11 07:16 - 0000680 ____A C:\Users\Any Authorised User\AppData\Local\d3d9caps.dat
2012-04-02 22:01 - 2012-04-02 22:01 - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-03-30 06:39 - 2011-03-06 10:56 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\Skype
2012-03-28 18:02 - 2006-11-02 02:24 - 55154568 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-03-27 17:15 - 2012-03-27 17:15 - 0000380 ____A C:\edu.bmp
2012-03-27 17:15 - 2012-03-27 17:15 - 0000304 ____A C:\dir.bmp
2012-03-27 17:15 - 2012-03-27 17:15 - 0000284 ____A C:\srch_map_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000279 ____A C:\hj_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000277 ____A C:\mov_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000274 ____A C:\trav_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000273 ____A C:\srch_stk_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000268 ____A C:\ab_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000265 ____A C:\srch_ans_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000240 ____A C:\srch_site_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000235 ____A C:\srch_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000138 ____A C:\flk2.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000131 ____A C:\srch_loc_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000123 ____A C:\srch_sh_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000121 ____A C:\srch_nws_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000113 ____A C:\srch_aud_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000112 ____A C:\srch_vid_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000112 ____A C:\srch_img_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000103 ____A C:\del_1.gif
2012-03-27 17:15 - 2012-03-27 17:15 - 0000000 ____D C:\e
2012-03-27 17:15 - 2012-03-27 17:15 - 0000000 ____D C:\Data
2012-03-26 13:27 - 2009-12-09 14:58 - 0000000 ____D C:\Users\All Users\HP
2012-03-26 13:27 - 2009-12-09 14:58 - 0000000 ____D C:\ProgramData\HP
2012-03-25 10:01 - 2011-01-02 18:43 - 0000000 ____D C:\Users\Any Authorised User\AppData\Roaming\IMVUClient
2012-03-17 18:48 - 2009-06-16 08:53 - 0000000 ____D C:\Program Files\SystemRequirementsLab
2012-03-17 18:47 - 2007-12-12 11:55 - 0000000 ____D C:\Program Files\Microsoft Works
2012-03-17 18:45 - 2007-12-18 13:46 - 0000000 ____D C:\Program Files\HP
2012-03-17 18:44 - 2007-11-08 12:02 - 0000000 ____D C:\Program Files\Common Files\snp2uvc
2012-03-17 18:44 - 2007-09-10 14:53 - 0000000 ____D C:\Program Files\Common Files\LightScribe
2012-03-17 18:43 - 2011-01-31 15:15 - 0000000 ____D C:\Program Files\Blinkx
2012-03-17 18:43 - 2008-11-22 07:14 - 0000000 ____D C:\Program Files\Avanquest update
2012-03-17 18:43 - 2007-12-12 11:30 - 0000000 ____D C:\Program Files\Common Files\Designer
2012-03-17 18:42 - 2007-11-08 12:27 - 0000000 ____D C:\Program Files\ACER Crystal Eye webcam
2012-02-26 16:57 - 2008-03-20 10:28 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-02-23 01:18 - 2009-10-02 10:08 - 0237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-04 16:04 - 2012-02-04 16:02 - 15795464 ____A (Mozilla) C:\Users\Any Authorised User\Downloads\Firefox Setup 10.0.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2006-11-02 02:25] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6


========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 1789.5 MB
Available physical RAM: 1417.49 MB
Total Pagefile: 1608.23 MB
Available Pagefile: 1474.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.36 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:51.01 GB) (Free:3.57 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (DATA) (Fixed) (Total:51.01 GB) (Free:47.52 GB) NTFS
3 Drive e: (VISTA_32_PREMIUM) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
4 Drive f: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:1.5 GB) FAT32 ==>[System with boot components (obtained from reading drive)]
5 Drive g: (PATRIOT) (Removable) (Total:7.45 GB) (Free:3.4 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1465 KB
Disk 1 Online 7644 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 1024 KB
Partition 2 Primary 51 GB 10 GB
Partition 3 Primary 51 GB 61 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F PQSERVICE FAT32 Partition 10 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C ACER NTFS Partition 51 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 51 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7640 MB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G PATRIOT FAT32 Removable 7640 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-30 13:05

======================= End Of Log ==========================

#12 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 30 April 2012 - 05:07 PM

Hi,

Please delete the copy of FRST from your desktop and download a fresh copy:

http://download.bleepingcomputer.com/farbar/FRST.exe

Then please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKLM\...\Run: [] [x]
HKU\Any Authorised User\...\Run: [AxwLdvnu] C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-30] ()
C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe 
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe [97680 2012-04-30] ()
3 Micorsoft Windows Service; \??\C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys [x]
C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys 
2012-04-27 15:09 - 2009-12-09 15:36 - 0004048 ____A C:\Users\Any Authorised User\AppData\Local\gluxgqml.log
2012-04-27 15:07 - 2010-12-08 14:02 - 0000000 ____A C:\Users\Any Authorised User\AppData\Local\cseqauaq.log
2012-04-27 15:07 - 2007-12-12 11:26 - 0000024 ____A C:\Users\Any Authorised User\AppData\Local\bcadexsq.log
2012-04-27 15:07 - - 0097680 ____S C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-27 15:07 - - 0097680 ____S C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-27 15:06 - 2012-03-27 17:15 - 0000078 ____A C:\dlcd.log
2012-04-27 15:06 - 2010-12-08 13:44 - 0000000 ____D C:\Users\Any Authorised User\AppData\Local\rufysvee
2012-04-27 15:06 - 2006-09-18 13:28 - 0097680 ___AH C:\Windows\System32\2xlFnpAbZ
2012-04-27 15:05 - 2006-11-02 00:53 - 0097680 ___AH C:\Windows\System32\vhESJd7a
2012-04-25 13:47 - - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
2012-04-30 13:14 - 2012-04-27 15:07 - 0000024 ____A C:\Users\Any Authorised User\AppData\Local\bcadexsq.log
2012-04-30 13:14 - 2012-04-27 15:06 - 0097680 ___AH C:\Windows\System32\2xlFnpAbZ
2012-04-27 15:06 - 2012-04-27 15:05 - 0097680 ___AH C:\Windows\System32\vhESJd7a
2012-04-25 13:53 - 2012-04-25 13:47 - 0302592 ____A C:\Users\Any Authorised User\Desktop\57tpi48v.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


NEXT

Please see if you can now run ComboFix.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 millwalker (Topic Starter, Members, 28 posts)

Posted 30 April 2012 - 05:41 PM

FRST64? I don't have that, as the links you provided were for FRST.exe?

So I ran the fix using FRST.exe and here is the log. ComboFix gives me an error saying it is only compatible with Windows 2000 or XP 32-bit, which is odd because Vista is telling me through My Computer > Properties that it is 32-bit....

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 30-04-2012 02
Ran by SYSTEM at 2012-04-30 23:16:26 R:2
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_USERS\Any Authorised User\Software\Microsoft\Windows\CurrentVersion\Run\\AxwLdvnu Value deleted successfully.
C:\Users\Any Authorised User\AppData\Local\rufysvee\axwldvnu.exe moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored.
Micorsoft Windows Service service deleted successfully.
C:\Users\ANYAUT~1\AppData\Local\Temp\hmxsgsjh.sys not found.
C:\Users\Any Authorised User\AppData\Local\gluxgqml.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\cseqauaq.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\bcadexsq.log moved successfully.
C:\Users\Any Authorised User\Start Menu\Programs\Startup\axwldvnu.exe moved successfully.
C:\Users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe not found.
C:\dlcd.log moved successfully.
C:\Users\Any Authorised User\AppData\Local\rufysvee moved successfully.
C:\Windows\System32\2xlFnpAbZ moved successfully.
C:\Windows\System32\vhESJd7a moved successfully.
C:\Users\Any Authorised User\Desktop\57tpi48v.exe moved successfully.
C:\Users\Any Authorised User\AppData\Local\bcadexsq.log not found.
C:\Windows\System32\2xlFnpAbZ not found.
C:\Windows\System32\vhESJd7a not found.
C:\Users\Any Authorised User\Desktop\57tpi48v.exe not found.

==== End of Fixlog ====

#14 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 30 April 2012 - 05:46 PM

My apologies, I meant FRST, sorry.

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now boot into Safe Mode and try running it in Safe Mode.

To enter Safe Mode:
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 millwalker (Topic Starter, Members, 28 posts)

Posted 01 May 2012 - 01:24 AM

Here is the ComboFix log:

ComboFix 12-04-31.02 - SYSTEM 30/04/2012 23:46:36.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1790.1309 [GMT 1:00]
Running from: c:\windows\system32\config\systemprofile\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\cm10jjb4@1j8dj4hd4j^2ec_o\uk_sres.data
c:\program files\Blinkx
c:\program files\Blinkx\blinkx.ico
c:\program files\Blinkx\blinkxss.exe
c:\program files\Blinkx\blinkxstop.exe
c:\program files\Blinkx\lang.dll
c:\program files\Blinkx\templates\beat.ico
c:\program files\Blinkx\templates\index.html
c:\program files\Blinkx\templates\noflash.html
c:\program files\Blinkx\templates\offline.html
c:\program files\Blinkx\templates\offline.swf
c:\program files\Blinkx\templates\uninstall.exe
c:\program files\FREEzeFrog
c:\program files\FREEzeFrog\bin\1.0.670.0\FREEzeFrogSAHook.dll
c:\program files\FREEzeFrog\bin\1.0.670.0\LaunchHelp.dll
c:\users\Any Authorised User\AppData\Local\.#
c:\users\Any Authorised User\AppData\Local\bcadexsq.log
c:\users\Any Authorised User\AppData\Roaming\.#
c:\users\Any Authorised User\AppData\Roaming\FREEzeFrog
c:\users\Any Authorised User\AppData\Roaming\Local
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\1.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\2.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\3.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\4.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\5.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\6.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\d77boz64mbzfv.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\lhyaygqipagd.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\mwkkjlytwipo.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\pkfychpicocn.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\rzdamdfwmmqj.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\snxlpycfzfrs.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\d77boz64mbzfv.avi.ddp
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\lhyaygqipagd.avi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\mwkkjlytwipo.avi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\pkfychpicocn.avi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\rzdamdfwmmqj.avi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\snxlpycfzfrs.avi
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\ys2eafvv0n7mq.avi.ddp
c:\users\Any Authorised User\AppData\Roaming\Local\Temp\DDM\Settings\ys2eafvv0n7mq.avi.ddr
c:\users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\My Security Shield.lnk
c:\users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\.lnk
c:\users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\My Security Shield.lnk
c:\users\Any Authorised User\AppData\Roaming\My Security Shield
c:\users\Any Authorised User\AppData\Roaming\My Security Shield\Instructions.ini
c:\users\Any Authorised User\Desktop\My Security Shield.lnk
c:\windows\system32\config\systemprofile\AppData\Local\bcadexsq.log
c:\windows\system32\config\systemprofile\AppData\Local\cseqauaq.log
c:\windows\system32\config\systemprofile\AppData\Local\dptgxcdh.log
c:\windows\system32\config\systemprofile\AppData\Local\gluxgqml.log
c:\windows\system32\config\systemprofile\AppData\Local\nrxexneh.log
c:\windows\system32\config\systemprofile\AppData\Local\pkrbkmik.log
c:\windows\system32\config\systemprofile\AppData\Local\rufysvee\axwldvnu.exe
c:\windows\system32\config\systemprofile\AppData\Local\tyhqpvfi.log
c:\windows\system32\spsys.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-30 )))))))))))))))))))))))))))))))
.
.
2012-04-30 23:02 . 2012-04-30 23:07 -------- d-----w- c:\users\Any Authorised User\AppData\Local\temp
2012-04-30 23:02 . 2012-04-30 23:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-30 23:02 . 2012-04-30 23:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-04-30 22:20 . 2012-04-30 22:20 97680 --s---w- c:\users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axwldvnu.exe
2012-04-30 22:19 . 2012-04-30 23:06 97680 ---ha-w- c:\windows\system32\vhESJd7a
2012-04-27 23:50 . 2012-04-27 23:50 -------- d-----w- C:\found.000
2012-04-27 15:50 . 2012-05-01 06:21 -------- d-----w- C:\FRST
2012-04-22 22:01 . 2012-04-22 22:01 -------- d-----w- c:\program files\CCleaner
2012-04-22 21:54 . 2012-04-22 21:54 -------- d-----w- C:\Mozilla
2012-04-22 21:10 . 2012-04-22 21:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-14 04:20 . 2012-04-14 04:21 -------- d-----w- c:\users\Any Authorised User\AppData\Roaming\PCPowerSpeed
2012-04-13 19:10 . 2012-04-13 19:10 -------- d-----w- C:\Sun
2012-04-03 06:01 . 2012-04-03 06:01 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-22 10:20 . 2006-11-02 10:32 101376 ----a-w- c:\windows\system32\ifxcardm.dll
2012-04-22 10:19 . 2006-11-02 10:32 79872 ----a-w- c:\windows\system32\axaltocm.dll
2012-04-13 07:36 . 2012-04-27 07:04 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9CFC18A7-492B-4E23-B7E7-FDB811663206}\mpengine.dll
2012-03-09 18:50 . 2012-03-09 18:50 143360 ----a-w- c:\programdata\Microsoft\Windows\DRM\3427.tmp
2012-02-23 09:18 . 2009-10-02 18:08 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-22 21:10 . 2012-04-14 04:27 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 188472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-17 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-04-04 813840]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 245810]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"DLCDCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AxwLdvnu"="c:\windows\system32\config\systemprofile\AppData\Local\rufysvee\axwldvnu.exe" [2012-04-30 97680]
.
c:\users\Any Authorised User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
axwldvnu.exe [2012-4-30 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\windows\system32\config\systemprofile\AppData\Local\rufysvee\axwldvnu.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-26 c:\windows\Tasks\DMEPeriodicTask.job
- c:\program files\HP\Digital Imaging\bin\warrantyextension\HPPromo.exe [2009-06-16 08:17]
.
2012-04-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-03 18:01]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 21:31]
.
2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 21:31]
.
2012-04-30 c:\windows\Tasks\User_Feed_Synchronization-{E445F9BF-7DAF-4264-9F96-8659F78AEF80}.job
- c:\windows\system32\msfeedssync.exe [2011-01-23 04:56]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: sch.uk\folders.debenhamhighschool.suffolk
TCP: DhcpNameServer = 192.168.1.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
FF - ProfilePath - c:\windows\System32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\2ocsb9cf.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-{DDDFFB1A-0792-5A83-38FC-190770EEDC52} - c:\users\Any Authorised User\AppData\Roaming\Skype\akele221\chatsync\8e\subst.exe
HKCU-Run-RebateInformer - c:\progra~1\RebateInformer\RebateInf.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-Norton PC Checkup - c:\program files\Norton PC Checkup\uninstall.exe
AddRemove-blinkx beat - c:\program files\Blinkx\templates\uninstall.exe
AddRemove-iTunes Agent 1.3.3 - c:\program files\iTunes Agent\Uninstall.exe
AddRemove-iTunes Agent 1.3.4 - c:\program files\iTunes Agent\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 00:07
Windows 6.0.6000 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dlcdcoms.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-05-01 00:28:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-30 23:28
.
Pre-Run: 5,836,214,272 bytes free
Post-Run: 5,253,550,080 bytes free
.
- - End Of File - - 823BB60BCEC4F92E3C10416E9DD2C9C9
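The ComboFix report above shows the four persistence and weakening patterns the fixlist targeted: a Run value pointing into a user-writable profile directory, a second executable appended to the Winlogon Userinit value, EnableLUA set to 0, and Security Center monitoring disabled. The script below is an added example (editor's code, not part of this thread and not a feature of FRST or ComboFix) that parses a ComboFix-style "Reg Loading Points" section and flags those patterns. The sample lines are copied from the report above and reduced to a few entries; the directory hints and the "one element in Userinit" baseline are the editor's heuristics, not rules from the tools.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines taken from the "Reg Loading Points" section of the
# ComboFix report in this thread, reduced to the entries that matter here.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AxwLdvnu"="c:\windows\system32\config\systemprofile\AppData\Local\rufysvee\axwldvnu.exe" [2012-04-30 97680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\windows\system32\config\systemprofile\AppData\Local\rufysvee\axwldvnu.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')

# Editor's heuristic: directories from which an autostart binary is rarely legitimate.
USER_WRITABLE_HINTS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                       "\\systemprofile\\", "%appdata%")


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(value name, raw value), ...]} from ComboFix-style lines."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("val")))
    return sections


def image_path(raw: str) -> str:
    """Strip the quotes and the trailing '[date size]' annotation ComboFix appends."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" [", 1)[0]


def userinit_extras(raw: str) -> List[str]:
    """Entries other than userinit.exe in a Winlogon Userinit value.
    The value is a comma-separated list; on a clean system it holds only userinit.exe."""
    parts = [p.strip().lower() for p in image_path(raw).split(",")]
    return [p for p in parts if p and not p.endswith("\\userinit.exe")]


def in_user_writable_dir(path: str) -> bool:
    """True when the image path lies in a profile, Temp or %APPDATA% location."""
    low = path.lower()
    return any(h in low for h in USER_WRITABLE_HINTS)


def analyze(text: str) -> List[str]:
    """One finding string per suspicious autostart entry or weakened security setting."""
    findings: List[str] = []
    for key, values in parse_sections(text).items():
        lk = key.lower()
        for name, raw in values:
            if lk.endswith("\\run"):
                path = image_path(raw)
                if in_user_writable_dir(path):
                    findings.append(f"run-key-userdir: {key}\\{name} -> {path}")
            elif lk.endswith("\\winlogon") and name.lower() == "userinit":
                for extra in userinit_extras(raw):
                    findings.append(f"userinit-extra: {extra}")
            elif lk.endswith("\\policies\\system") and name.lower() == "enablelua":
                if raw.strip().startswith("0"):
                    findings.append("uac-disabled: EnableLUA=0")
            elif "security center\\monitoring" in lk and name.lower() == "disablemonitoring":
                if raw.strip().lower().endswith("00000001"):
                    findings.append(f"security-center-monitoring-off: {key}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the AxwLdvnu Run value, the extra Userinit element, EnableLUA=0 and the disabled Security Center monitoring, and stays quiet on the Synaptics entry under Program Files. The Userinit check is the one worth remembering: the value is a comma-separated list, so an appended path survives a casual glance at the first element, and restoring it (as the Fixlog above shows FRST doing) is part of cleanup, not just deleting the file.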
