
FBI Green Dot virus


  • This topic is locked
33 replies to this topic

#1 gunner550

gunner550

  • Members
  • 21 posts

Posted 23 July 2012 - 08:29 PM

Infected in the middle of the morning with the Green Dot FBI virus. I have been reading others' postings but they all seem contingent on being able to log on in Safe Mode. I cannot. It still comes up. I am on a network with three other employees and it comes up when I log in under their profiles as well. I tried booting with a USB drive but my computer would not recognize the device. I am downloading the prescribed anti-malware programs (e.g. Emsisoft Emergency Kit) and putting them on a disk to see if I can do that in the morning. Any suggestions about the Safe Mode issue?



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,989 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 23 July 2012 - 11:49 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 24 July 2012 - 08:40 AM

So I tried booting from a CD with the virus scans recommended this morning and still in Safe Mode the FBI warning pops up. Everything so far is contingent on me accessing my profile in Safe Mode, which I cannot do currently...

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,989 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 24 July 2012 - 09:44 AM

I saw in your first post that you couldn't get into Safe Mode. You don't explicitly say anything about Normal Mode. Are you able to boot into Normal Mode?

Orange Blossom :cherry:

#5 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 24 July 2012 - 09:58 AM

No. In both modes it goes directly to the Green Dot page and is locked. Cannot bring up Task Manager either.

#6 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 24 July 2012 - 03:28 PM

After some tinkering I was able to log on using an older profile. The screen is blank, except for the stock Dell wallpaper, but I was able to access the Task Manager. The profile does not, of course, have admin authority, so a couple of programs I downloaded to a thumb drive would not open. I think I was told ComboFix is not a "system 32" program so it would not work. There was a version of Malwarebytes Anti-Malware on the desktop I could access through the Task Manager and I am running it now, although it has scanned 75,000 files with nothing yet. I am going to try and upload a couple more scan programs and see if I can get them to run.

#7 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 25 July 2012 - 09:33 AM

Log I got. I deleted and tried to access the network under my profile and the FBI screen still came up. Logged back in under the accessible profile and both items still came up. I was also able to run RogueKiller and the only two objects that came up were under the Files tab and named windows/installer/etc (it won't let me copy and paste). It says to delete items with buttons and these two files do not have "buttons" next to them, so not sure if I should delete.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sedmands :: CENTERADMIN [limited]

7/25/2012 9:59:24 AM
mbam-log-2012-07-25 (09-59-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179550
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen.A) -> Bad: (C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe) Good: (Explorer.exe) -> Delete on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
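The Winlogon Shell hit in the log above is the detail that explains the symptom in this thread: HKLM\...\Winlogon\Shell is read for every account that logs on, in Normal and Safe Mode alike, so a replacement shell shows its lock screen everywhere. As an added example (not code from this thread or from Malwarebytes), the Python below parses the "Registry Data Items" lines of a Malwarebytes Anti-Malware 1.x log in the format posted above and explains each hit; the sample lines are constructed from that log, and the expected Windows XP Winlogon values are assumed defaults.

```python
"""Triage the 'Registry Data Items' section of a Malwarebytes Anti-Malware 1.x
text log and explain what each hit means for persistence (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, copied from the format of the MBAM log posted above.
SAMPLE_LOG = """\
Registry Data Items Detected: 2
HKLM\\SOFTWARE\\Microsoft\\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|Shell (Hijack.Shell.Gen.A) -> Bad: (C:\\Documents and Settings\\AComputer\\Application Data\\VZGYMYZh.exe) Good: (Explorer.exe) -> Delete on reboot.

Folders Detected: 0
"""

# One MBAM registry data line: KEY|VALUE (Detection) -> Bad: (x) Good: (y) -> Action
LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\[^|]+)\|(?P<value>[^ ]+) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
    r" -> (?P<action>.+)$"
)

# Assumed Windows XP defaults; any other value means the logon chain is redirected.
WINLOGON_EXPECTED = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Directories a non-admin account can write to; a real system shell never lives here.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


@dataclass
class Finding:
    key: str
    value_name: str
    detection: str
    bad: str
    good: str
    severity: str
    note: str


def scope_of(key: str) -> str:
    """HKLM entries apply to every account that logs on; HKU entries to one profile."""
    hive = key.split("\\", 1)[0].upper()
    return "all user profiles" if hive == "HKLM" else "a single user profile"


def classify(key: str, value_name: str, bad: str) -> tuple[str, str]:
    """Return (severity, explanation) for one registry data item."""
    k, v, b = key.lower(), value_name.lower(), bad.lower()
    if k.endswith("\\winlogon") and v in WINLOGON_EXPECTED:
        if b == WINLOGON_EXPECTED[v]:
            return "info", f"Winlogon {value_name} already holds the expected default"
        where = ("a user-writable directory" if any(p in b for p in USER_WRITABLE)
                 else "an unexpected path")
        return "high", (f"Winlogon {value_name} points to {where}; it runs instead of "
                        f"the real shell for {scope_of(key)}, including Safe Mode")
    if "security center" in k:
        return "low", "Security Center notification disabled; common side effect of rogue software"
    return "medium", "modified registry data outside the known patterns; review manually"


def analyze(log_text: str) -> list[Finding]:
    """Parse every registry data line in an MBAM log and classify it."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sev, note = classify(m["key"], m["value"], m["bad"])
        findings.append(Finding(m["key"], m["value"], m["detection"],
                                m["bad"], m["good"], sev, note))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.value_name} ({f.detection}): {f.note}")
```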

#8 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 27 July 2012 - 12:06 PM

Still at an impasse. The major stumbling block is that EVERY solution predicates me logging in under my user profile in Safe Mode, which I cannot, and the one profile I can log in under is not a computer administrator. I think I am going to have to just wipe the system. Pretty useless at this point, but I was able to run another scan (which then wants me to pay to delete the items, just another rip-off), but here it is.

Trojan Killer v.2.1.2.3
Report file date: 7/27/2012 12:35:48 PM

Scanning for 290337 virus strains and unwanted programs.

Licensed: UNREGISTERED
Windows version: Microsoft Windows XP (version 5.1)

Starting the file scan:

Startup collected
BHO plugins collected
Service collected
ActiveX collected
Files collected
Scanning process...
----- HKLM\System\CurrentControlSet\Services\mssql$microsoftsmlbiz ---- Registry
Rootkit.Win32p.zero


----- C:\WINDOWS\ST6UNST.EXE ---- General
Mal/Fraud!se782
ProdVer: 6.00.8450
FileVer: 6.00.8450
Name : Microsoft® Visual Basic for Windows
Company: Microsoft Corporation
NAC: 1F2C42FC4B87AA48C173F7DA3465D5F6:56
MD5: D422839C99927DB561F5C019643EACEC:73216
RIC: FD29074917E6F232F021ADEA06B492AF:1040
EP: 55 8B EC 6A FF 68 F8 C7 40 00 68 18 A1 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 A8 53 56 57 89 65 E8 FF 15 A4 C0 40 00 33 D2 8A D4 89 15 70 21 41 00 8B C8 81 E1 FF 00 00 00 89 0D 6C
SEC:
.text:60000020:7994FE066C159AC6C56898A5A789E7D2:43520
.rdata:40000040:85B026904F73D9E9DB99E41738E2DA59:7168
.data:C0000040:81A2FC7C611E1401759F683FE400DAAF:11776
.rsrc:40000040:B214649CA58241481CD73BAC3D950D5B:9728


----- C:\Program Files\FinePixViewer\FPVCwin.exe ---- General
Mal/Heur.3.103.10.4
ProdVer: 1, 1, 0
FileVer: 1, 1, 0, 5
Name : FinePixViewer
Company: FUJI PHOTO FILM CO.,LTD.
NAC: 54E3C21219BC3C174E21E5E72181418B:37
MD5: 157572031F815D04ECB85CA37DC0C46C:1441792
RIC: 94E506897C1823B36E28F520AC01166F:2216
EP: 55 8B EC 6A FF 68 F0 CC 41 00 68 78 5B 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 08 C1 41 00 33 D2 8A D4 89 15 70 76 46 00 8B C8 81 E1 FF 00 00 00 89 0D 6C
SEC:
.text:60000020:CBF6D6CB8378AFE3C86F653388C5DFEA:106496
.sdata:D0000040:4F8A1A92FBD099F51B4A77AE5D613525:4096
.rdata:40000040:1E09676314F3E9812CC8E2ACCBAE2E33:12288
.data:C0000040:A21009830D0CAE2CB23AEB9A8115FE1F:16384
.rsrc:40000040:2DD5F3C445B8EC48D466588286CE38FA:1298432


Scan completed

Scan result: 3 detected items
Scan completed in: Scan completed in 15 minute(s) 55 sec.
Files were scanned: 9096

#9 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,729 posts
  • Gender:Male

Posted 29 July 2012 - 02:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462167 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • Gender:Female
  • Location:Romania

Posted 30 July 2012 - 04:33 AM

Hello and sorry for the delay. Please log in in Safe mode using the Administrator profile and do the following (very important; click the All Users button!).

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#11 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 31 July 2012 - 10:14 AM

Part of the problem, or the real problem, is I can only access the computer through an old profile of a former employee who did not have administrative authority. The second problem is the computer was set up in 2005 and they never recorded the actual computer logon password. So these two issues make me think I may just have to start from scratch.

OTL
OTL logfile created on: 7/31/2012 10:51:57 AM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\SEdmands\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.33 Gb Available Physical Memory | 26.54% Memory free
2.57 Gb Paging File | 1.74 Gb Available in Paging File | 67.64% Paging File free
Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 6.04 Gb Free Space | 8.12% Space Free | Partition Type: NTFS

Computer Name: CENTERADMIN | User Name: SEdmands | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/31 10:51:46 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SEdmands\Desktop\OTL.exe
PRC - [2012/07/31 09:12:24 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\SEdmands\Local Settings\Temp\kecmkjekfxzuskwkhgqhrcr.exe
PRC - [2012/05/23 15:15:04 | 003,029,344 | ---- | M] (Piriform Ltd) -- C:\Program Files\CCleaner\CCleaner.exe
PRC - [2012/04/04 15:56:38 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2008/04/14 06:42:32 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/31 09:12:24 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\SEdmands\Local Settings\Temp\kecmkjekfxzuskwkhgqhrcr.exe
MOD - [2012/04/05 16:31:55 | 000,104,224 | ---- | M] () -- C:\Program Files\Java\jre6\bin\jp2iexp.dll
MOD - [2012/04/05 16:31:55 | 000,008,192 | ---- | M] () -- C:\Program Files\Java\jre6\bin\jp2native.dll
MOD - [2003/05/15 01:03:46 | 000,147,456 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Unknown] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTSMLBIZ)
SRV - File not found [On_Demand | Unknown] -- C:\DOCUME~1\MHANSB~1\LOCALS~1\Temp\PONOJJZWLSH.exe -- (PONOJJZWLSH)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\system32\otervn.exe -- (otervn)
SRV - File not found [On_Demand | Unknown] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Unknown] -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - File not found [Auto | Unknown] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe -- (MSSQL$MICROSOFTSMLBIZ)
SRV - [2012/04/05 16:19:58 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Unknown] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Unknown] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/02/29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Unknown] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2008/05/09 19:17:40 | 000,984,360 | ---- | M] (Trend Micro Inc.) [Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten)
SRV - [2008/05/09 19:16:46 | 000,906,536 | ---- | M] (Trend Micro Inc.) [Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2008/04/17 21:45:58 | 000,488,768 | ---- | M] (Trend Micro Inc.) [On_Demand | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe -- (TmPfw)
SRV - [2008/04/17 21:45:18 | 000,652,552 | ---- | M] (Trend Micro Inc.) [On_Demand | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe -- (TmProxy)
SRV - [2008/04/14 06:42:10 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
SRV - [2008/04/09 12:25:00 | 000,333,064 | ---- | M] () [On_Demand | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Unknown] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Unknown] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - File not found [Kernel | System | Unknown] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Unknown] -- -- (Changer)
DRV - [2012/05/29 12:52:51 | 000,205,072 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/09/07 11:18:26 | 000,059,776 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\SCR3XX2K.sys -- (SCR3XX2K)
DRV - [2010/10/20 19:45:16 | 000,249,424 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2010/10/20 19:45:06 | 000,036,432 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2010/10/20 19:30:02 | 001,331,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\VsapiNT.sys -- (VSApiNt)
DRV - [2009/04/02 16:00:12 | 000,052,752 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009/04/02 16:00:08 | 000,052,624 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2008/04/30 21:17:44 | 000,335,888 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2008/04/14 06:42:10 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
DRV - [2008/03/05 16:54:16 | 000,072,072 | ---- | M] (Trend Micro Inc.) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2005/04/01 16:52:46 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/11/24 22:11:54 | 000,081,924 | ---- | M] (FUJI PHOTO FILM CO.,LTD.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\V4CB0115.SYS -- (FINEPIX_PCC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.maxiwe.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.maxiwe.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [H9ut6mA6albdFU7] C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165..\Run: [govShell] C:\Documents and Settings\SEdmands\govpxin.exe File not found
O4 - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dplaysvr.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291917911369 (WUWebControl Class)
O16 - DPF: {80B5FCA6-66CB-4342-9B62-F838A47ED7F6} https://vbec.trendmicro.co.jp/cs/common/ocx/PCInfo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ghk.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0CD03D9-5A5B-4D2D-9A43-598B5B89D967}: Domain = knox.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0CD03D9-5A5B-4D2D-9A43-598B5B89D967}: NameServer = 10.0.0.3,192.168.1.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/31 10:51:33 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\SEdmands\Desktop\OTL.exe
[2012/07/31 10:50:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SEdmands\Recent
[2012/07/30 17:25:49 | 000,234,351 | ---- | C] (polmop) -- C:\Documents and Settings\SEdmands\Application Data\0PXnnEUH.exe
[2012/07/30 17:25:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Roaming
[2012/07/30 17:25:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Temp
[2012/07/30 17:25:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Adobe
[2012/07/27 12:34:44 | 028,285,912 | ---- | C] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2125-setup.exe
[2012/07/27 12:21:58 | 016,373,192 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\SEdmands\Desktop\Windows-KB890830-V4.10.exe
[2012/07/27 10:55:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\Run
[2012/07/27 10:55:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\Languages
[2012/07/26 15:46:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2012/07/26 15:36:53 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\SEdmands\Desktop\aswMBR.exe
[2012/07/26 15:36:37 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\Desktop\tdsskiller.exe
[2012/07/26 15:35:40 | 003,879,800 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\SEdmands\Desktop\avg_free_stb_all_2012_2197_cnet.exe
[2012/07/26 15:34:27 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/07/26 15:34:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/07/26 15:29:16 | 002,841,104 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\SEdmands\Desktop\NPE.exe
[2012/07/26 15:28:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\NPE
[2012/07/26 15:28:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2012/07/26 15:02:44 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\SEdmands\Desktop\esetsmartinstaller_enu.exe
[2012/07/26 14:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\GridinSoft Trojan Killer
[2012/07/26 14:22:11 | 027,354,608 | ---- | C] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2123setup.exe
[2012/07/25 12:23:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Downloaded Installations
[2012/07/25 12:17:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Ad-Aware Antivirus
[2012/07/25 11:43:32 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\SEdmands\My Documents\dds.scr
[2012/07/25 11:05:06 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\My Documents\tdsskiller.exe
[2012/07/25 11:03:20 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\SEdmands\My Documents\aswMBR.exe
[2012/07/25 10:59:53 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\SEdmands\My Documents\esetsmartinstaller_enu.exe
[2012/07/25 10:47:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\EurekaLog
[2012/07/25 10:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\My Documents\EmsisoftEmergencyKit
[2012/07/25 10:00:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\SEdmands\PrivacIE
[2012/07/25 09:59:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\RK_Quarantine
[2012/07/24 16:10:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Malwarebytes
[2012/07/24 16:05:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\SEdmands\IETldCache
[2012/07/24 15:34:51 | 000,000,000 | --SD | C] -- C:\Documents and Settings\SEdmands\Application Data\Microsoft
[2012/07/24 15:34:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SEdmands\SendTo
[2012/07/24 15:34:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SEdmands\Application Data
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Startup
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Start Menu
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\My Documents\My Pictures
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\My Documents\My Music
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\My Documents
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Favorites
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Accessories
[2012/07/24 15:34:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\SEdmands\Cookies
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\Templates
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\PrintHood
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\NetHood
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\Local Settings
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Sun
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Microsoft
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Macromedia
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Identities
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Dell Accessories
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Dell
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\ApplicationHistory
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Adobe
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
[2012/07/24 02:54:30 | 001,587,624 | ---- | C] (Emsi Software GmbH) -- C:\Documents and Settings\SEdmands\Desktop\start.exe
[2012/07/16 13:19:24 | 000,039,424 | ---- | C] (StraightUsers Co) -- C:\Documents and Settings\All Users\Application Data\UblayvAjhiyy.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/31 10:51:46 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SEdmands\Desktop\OTL.exe
[2012/07/31 08:55:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/31 08:55:22 | 1331,834,880 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/30 17:25:45 | 000,234,351 | ---- | M] (polmop) -- C:\Documents and Settings\SEdmands\Application Data\0PXnnEUH.exe
[2012/07/30 08:59:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/27 12:35:23 | 028,285,912 | ---- | M] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2125-setup.exe
[2012/07/27 12:22:09 | 016,373,192 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\SEdmands\Desktop\Windows-KB890830-V4.10.exe
[2012/07/26 15:35:49 | 003,879,800 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\SEdmands\Desktop\avg_free_stb_all_2012_2197_cnet.exe
[2012/07/26 15:29:20 | 002,841,104 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\SEdmands\Desktop\NPE.exe
[2012/07/26 14:22:35 | 027,354,608 | ---- | M] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2123setup.exe
[2012/07/25 11:43:45 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\SEdmands\My Documents\dds.scr
[2012/07/25 11:05:10 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\My Documents\tdsskiller.exe
[2012/07/25 11:05:10 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\Desktop\tdsskiller.exe
[2012/07/25 11:03:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\SEdmands\My Documents\aswMBR.exe
[2012/07/25 11:03:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\SEdmands\Desktop\aswMBR.exe
[2012/07/25 10:59:58 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\SEdmands\My Documents\esetsmartinstaller_enu.exe
[2012/07/25 10:59:58 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\SEdmands\Desktop\esetsmartinstaller_enu.exe
[2012/07/25 10:43:53 | 144,693,130 | ---- | M] () -- C:\Documents and Settings\SEdmands\My Documents\EmsisoftEmergencyKit.zip
[2012/07/24 02:54:32 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\SEdmands\Desktop\autorun.inf
[2012/07/24 02:54:30 | 001,587,624 | ---- | M] (Emsi Software GmbH) -- C:\Documents and Settings\SEdmands\Desktop\start.exe
[2012/07/24 02:54:20 | 000,000,060 | ---- | M] () -- C:\Documents and Settings\SEdmands\Desktop\CommandlineScanner.bat
[2012/07/24 02:54:20 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\SEdmands\Desktop\EmergencyKitScanner.bat
[2012/07/17 11:09:41 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd642e310354ac.job
[2012/07/17 06:09:06 | 000,524,690 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/17 06:09:06 | 000,105,998 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/16 13:19:24 | 000,039,424 | ---- | M] (StraightUsers Co) -- C:\Documents and Settings\All Users\Application Data\UblayvAjhiyy.dll
[2012/07/11 03:49:17 | 000,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/27 11:58:36 | 1331,834,880 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/25 10:43:26 | 144,693,130 | ---- | C] () -- C:\Documents and Settings\SEdmands\My Documents\EmsisoftEmergencyKit.zip
[2012/07/24 15:34:53 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\Help and Support.lnk
[2012/07/24 15:34:53 | 000,000,683 | ---- | C] () -- C:\Documents and Settings\SEdmands\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/24 15:34:53 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\fusioncache.dat
[2012/07/24 15:34:53 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\SEdmands\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/07/24 15:34:52 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Internet Explorer.lnk
[2012/07/24 15:34:52 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Outlook Express.lnk
[2012/07/24 15:34:51 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Remote Assistance.lnk
[2012/07/24 02:54:32 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\autorun.inf
[2012/07/24 02:54:20 | 000,000,060 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\CommandlineScanner.bat
[2012/07/24 02:54:20 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\EmergencyKitScanner.bat
[2012/07/17 11:09:41 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd642e310354ac.job
[2012/05/30 06:32:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/14 23:57:27 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/10/04 08:56:14 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\default_user_class.dat
[2006/04/26 10:49:12 | 000,014,438 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB17093$] -> Error: Cannot create file handle -> Unknown point type

< End of report >


Extras:
OTL Extras logfile created on: 7/31/2012 10:51:57 AM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\SEdmands\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.33 Gb Available Physical Memory | 26.54% Memory free
2.57 Gb Paging File | 1.74 Gb Available in Paging File | 67.64% Paging File free
Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 6.04 Gb Free Space | 8.12% Space Free | Partition Type: NTFS

Computer Name: CENTERADMIN | User Name: SEdmands | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 4

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{137FA082-CF47-488B-A6BF-CED8C8D1EE40}" = PastPerfect Museum Software Version 4.0
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.3.1
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{492F8345-095D-467F-926C-278870D93ECF}" = Windows Small Business Server 2008 ClientAgent
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{838257FC-952A-467B-86BF-21DB6B137A3F}" = Windows Small Business Server 2008 WMI Provider
"{870842F7-18BB-479D-A7B1-FE17E81AFF1A}" = Palm Desktop
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
"CCleaner" = CCleaner
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"FTP Commander" = FTP Commander
"InstallShield_{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.3.1
"LabelCreator Pro" = LabelCreator Pro
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"Silent Package Run-Time Sample" = EPSON CX 4200 4800 Guide
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >

#12 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 31 July 2012 - 10:25 AM

Looking at this report I am not seeing any of my profile info, just the logged-in profile, so it may not contain all the needed information. Again, probably symptomatic of not being able to log in as an administrator.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • Gender:Female
  • Location:Romania

Posted 31 July 2012 - 10:48 AM

The profile information is showing up just fine! :)

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :otl
    O4 - HKLM..\Run: [H9ut6mA6albdFU7] C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe File not found
    O4 - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165..\Run: [govShell] C:\Documents and Settings\SEdmands\govpxin.exe File not found
    O20 - HKLM Winlogon: Shell - (C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe) - File not found
    [2012/07/30 17:25:49 | 000,234,351 | ---- | C] (polmop) -- C:\Documents and Settings\SEdmands\Application Data\0PXnnEUH.exe
    
    :commands
    [emptytemp]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

Let the machine reboot in normal mode and let me know if you still get the winlock screen.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
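As an added example (not code from this thread, from OTL or from its author), a small Python triage script that applies the reasoning behind the fix above to raw OTL lines: it parses O4 Run values, the O20 Winlogon Shell value and the bracketed file entries, and flags a Run or Shell target that lives in a user-profile drop location, is marked File not found, or replaces explorer.exe. The heuristics, the drop-location list and the sample log (lines copied from the logs posted above, plus two benign entries for contrast) are assumptions of the example, not OTL rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: autostart and file-creation lines copied from the OTL logs
# posted in this thread, plus a benign Run entry (Malwarebytes) and a benign
# file entry (aswMBR.exe on the Desktop) so the filter has something to pass.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [H9ut6mA6albdFU7] C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-3121397550-3220209057-3607687807-1165..\Run: [govShell] C:\Documents and Settings\SEdmands\govpxin.exe File not found
O20 - HKLM Winlogon: Shell - (C:\Documents and Settings\AComputer\Application Data\VZGYMYZh.exe) - File not found
[2012/07/30 17:25:49 | 000,234,351 | ---- | C] (polmop) -- C:\Documents and Settings\SEdmands\Application Data\0PXnnEUH.exe
[2012/07/26 15:36:53 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\SEdmands\Desktop\aswMBR.exe
"""

# Line shapes as OTL prints them: O4 = Run/RunOnce values, O20 = Winlogon
# values, bracketed entries = file listings (timestamp, size, attrs, C/M).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
O20_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<rest>.+)$")
FILE_RE = re.compile(
    r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# XP profile layout (assumed heuristic): anything directly in the profile root,
# or under Application Data / Local Settings / Temp, is where the droppers in
# this thread landed. Desktop and My Documents are deliberately not matched,
# because that is where the user saved the cleanup tools.
PROFILE_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\(?P<rel>.+)$", re.I)
DROP_DIRS = ("application data\\", "local settings\\", "temp\\")


@dataclass
class Finding:
    line: str
    reasons: tuple


def in_user_drop_location(path: str) -> bool:
    """True if path sits in a user profile root or in one of DROP_DIRS under it."""
    m = PROFILE_RE.match(path)
    if not m:
        return False
    rel = m.group("rel").lower()
    return "\\" not in rel or rel.startswith(DROP_DIRS)


def split_path_status(rest: str):
    """Split the tail of an O4 line into (path, 'present' | 'missing' | 'unknown')."""
    rest = rest.strip()
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].strip().strip('"'), "missing"
    m = re.match(r'^"?(?P<path>[^"(]+?)"?\s*\((?P<company>[^)]*)\)$', rest)
    if m:
        return m.group("path").strip(), "present"
    return rest, "unknown"


def assess_autostart(path: str, status: str) -> list:
    reasons = []
    if in_user_drop_location(path):
        reasons.append("launches from a user-profile drop location")
    if status == "missing":
        reasons.append("target file not found (orphaned or partially cleaned entry)")
    return reasons


def scan_otl(text: str) -> list:
    """Return a Finding for every autostart or file line that trips a heuristic."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        reasons: list = []
        if m := O4_RE.match(line):
            path, status = split_path_status(m.group("rest"))
            reasons = assess_autostart(path, status)
        elif m := O20_RE.match(line):
            value = m.group("value")
            if value.split("\\")[-1].lower() != "explorer.exe":
                reasons.append("Winlogon Shell is not explorer.exe (desktop replaced, as a lock screen does)")
            status = "missing" if "File not found" in m.group("rest") else "present"
            reasons += assess_autostart(value, status)
        elif m := FILE_RE.match(line):
            path = m.group("path")
            if path.lower().endswith(".exe") and in_user_drop_location(path):
                reasons.append(f"executable {m.group('kind')}-stamped {m.group('stamp')} in a user-profile drop location")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_otl(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it against a full OTL.txt instead of SAMPLE_LOG and the four entries Elise removed above are exactly the lines it reports, while the tools on the Desktop are left alone.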


#14 gunner550

gunner550
  • Topic Starter

  • Members
  • 21 posts

Posted 31 July 2012 - 11:38 AM

Steps showed up as instructed. When I clicked OK to reboot, the computer did its normal routine (small box stating saving your settings etc.). Then it went to a blue screen with the cursor still operable. Waited for 15 mins or so (should I have waited longer?) and then rebooted manually. When I rebooted I logged onto my own profile and it comes up with the Dell standard wallpaper and that's it. No start button, no icons etc. When I control+alt+del I can access every button but the Task Manager. I logged back off and logged back in under the other profile. I get the same desktop (or lack thereof) but I can access Task Manager, through which I can then access my desktop. I ran a scan again.

OTL logfile created on: 7/31/2012 12:27:15 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\SEdmands\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.81 Gb Available Physical Memory | 65.13% Memory free
2.57 Gb Paging File | 2.31 Gb Available in Paging File | 89.75% Paging File free
Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 6.08 Gb Free Space | 8.16% Space Free | Partition Type: NTFS

Computer Name: CENTERADMIN | User Name: Sedmands | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/31 10:51:46 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SEdmands\Desktop\OTL.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Unknown] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTSMLBIZ)
SRV - File not found [On_Demand | Unknown] -- C:\DOCUME~1\MHANSB~1\LOCALS~1\Temp\PONOJJZWLSH.exe -- (PONOJJZWLSH)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\system32\otervn.exe -- (otervn)
SRV - File not found [On_Demand | Unknown] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Unknown] -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - File not found [Auto | Unknown] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe -- (MSSQL$MICROSOFTSMLBIZ)
SRV - [2012/04/05 16:19:58 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Unknown] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Unknown] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/02/29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Unknown] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2008/05/09 19:17:40 | 000,984,360 | ---- | M] (Trend Micro Inc.) [Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten)
SRV - [2008/05/09 19:16:46 | 000,906,536 | ---- | M] (Trend Micro Inc.) [Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2008/04/17 21:45:58 | 000,488,768 | ---- | M] (Trend Micro Inc.) [On_Demand | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe -- (TmPfw)
SRV - [2008/04/17 21:45:18 | 000,652,552 | ---- | M] (Trend Micro Inc.) [On_Demand | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe -- (TmProxy)
SRV - [2008/04/14 06:42:10 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
SRV - [2008/04/09 12:25:00 | 000,333,064 | ---- | M] () [On_Demand | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Unknown] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Unknown] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - File not found [Kernel | System | Unknown] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Unknown] -- -- (Changer)
DRV - [2012/05/29 12:52:51 | 000,205,072 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/09/07 11:18:26 | 000,059,776 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\SCR3XX2K.sys -- (SCR3XX2K)
DRV - [2010/10/20 19:45:16 | 000,249,424 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2010/10/20 19:45:06 | 000,036,432 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2010/10/20 19:30:02 | 001,331,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\Program Files\Trend Micro\Client Server Security Agent\VsapiNT.sys -- (VSApiNt)
DRV - [2009/04/02 16:00:12 | 000,052,752 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009/04/02 16:00:08 | 000,052,624 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2008/04/30 21:17:44 | 000,335,888 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2008/04/14 06:42:10 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
DRV - [2008/03/05 16:54:16 | 000,072,072 | ---- | M] (Trend Micro Inc.) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2005/04/01 16:52:46 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/11/24 22:11:54 | 000,081,924 | ---- | M] (FUJI PHOTO FILM CO.,LTD.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\V4CB0115.SYS -- (FINEPIX_PCC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.maxiwe.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.maxiwe.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [H9ut6mA6albdFU7] C:\Documents and Settings\mhansbury\Application Data\VZGYMYZh.exe File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKCU..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dplaysvr.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291917911369 (WUWebControl Class)
O16 - DPF: {80B5FCA6-66CB-4342-9B62-F838A47ED7F6} https://vbec.trendmicro.co.jp/cs/common/ocx/PCInfo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ghk.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0CD03D9-5A5B-4D2D-9A43-598B5B89D967}: Domain = knox.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0CD03D9-5A5B-4D2D-9A43-598B5B89D967}: NameServer = 10.0.0.3,192.168.1.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (C:\Documents and Settings\mhansbury\Application Data\VZGYMYZh.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/31 12:07:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/31 10:51:33 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\SEdmands\Desktop\OTL.exe
[2012/07/31 10:50:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SEdmands\Recent
[2012/07/30 17:25:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Roaming
[2012/07/30 17:25:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Temp
[2012/07/30 17:25:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Adobe
[2012/07/27 12:34:44 | 028,285,912 | ---- | C] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2125-setup.exe
[2012/07/27 12:21:58 | 016,373,192 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\SEdmands\Desktop\Windows-KB890830-V4.10.exe
[2012/07/27 10:55:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\Run
[2012/07/27 10:55:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\Languages
[2012/07/26 15:46:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2012/07/26 15:36:53 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\SEdmands\Desktop\aswMBR.exe
[2012/07/26 15:36:37 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\Desktop\tdsskiller.exe
[2012/07/26 15:35:40 | 003,879,800 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\SEdmands\Desktop\avg_free_stb_all_2012_2197_cnet.exe
[2012/07/26 15:34:27 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/07/26 15:34:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/07/26 15:29:16 | 002,841,104 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\SEdmands\Desktop\NPE.exe
[2012/07/26 15:28:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\NPE
[2012/07/26 15:28:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2012/07/26 15:02:44 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\SEdmands\Desktop\esetsmartinstaller_enu.exe
[2012/07/26 14:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\GridinSoft Trojan Killer
[2012/07/26 14:22:11 | 027,354,608 | ---- | C] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2123setup.exe
[2012/07/25 12:23:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Downloaded Installations
[2012/07/25 12:17:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Ad-Aware Antivirus
[2012/07/25 11:43:32 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\SEdmands\My Documents\dds.scr
[2012/07/25 11:05:06 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\My Documents\tdsskiller.exe
[2012/07/25 11:03:20 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\SEdmands\My Documents\aswMBR.exe
[2012/07/25 10:59:53 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\SEdmands\My Documents\esetsmartinstaller_enu.exe
[2012/07/25 10:47:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\EurekaLog
[2012/07/25 10:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\My Documents\EmsisoftEmergencyKit
[2012/07/25 10:00:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\SEdmands\PrivacIE
[2012/07/25 09:59:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop\RK_Quarantine
[2012/07/24 16:10:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Malwarebytes
[2012/07/24 16:05:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\SEdmands\IETldCache
[2012/07/24 15:34:51 | 000,000,000 | --SD | C] -- C:\Documents and Settings\SEdmands\Application Data\Microsoft
[2012/07/24 15:34:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SEdmands\SendTo
[2012/07/24 15:34:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\SEdmands\Application Data
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Startup
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Start Menu
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\My Documents\My Pictures
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\My Documents\My Music
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\My Documents
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Favorites
[2012/07/24 15:34:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Accessories
[2012/07/24 15:34:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\SEdmands\Cookies
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\Templates
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\PrintHood
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\NetHood
[2012/07/24 15:34:51 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\SEdmands\Local Settings
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Sun
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\Microsoft
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Macromedia
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Identities
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Desktop
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Dell Accessories
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Dell
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\ApplicationHistory
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Application Data\Adobe
[2012/07/24 15:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
[2012/07/24 02:54:30 | 001,587,624 | ---- | C] (Emsi Software GmbH) -- C:\Documents and Settings\SEdmands\Desktop\start.exe
[2012/07/16 13:19:24 | 000,039,424 | ---- | C] (StraightUsers Co) -- C:\Documents and Settings\All Users\Application Data\UblayvAjhiyy.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/31 12:23:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/31 12:22:52 | 1331,834,880 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/31 12:17:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/31 10:51:46 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SEdmands\Desktop\OTL.exe
[2012/07/31 09:12:24 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\SEdmands\govpxin.exe
[2012/07/27 12:35:23 | 028,285,912 | ---- | M] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2125-setup.exe
[2012/07/27 12:22:09 | 016,373,192 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\SEdmands\Desktop\Windows-KB890830-V4.10.exe
[2012/07/26 15:35:49 | 003,879,800 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\SEdmands\Desktop\avg_free_stb_all_2012_2197_cnet.exe
[2012/07/26 15:29:20 | 002,841,104 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\SEdmands\Desktop\NPE.exe
[2012/07/26 14:22:35 | 027,354,608 | ---- | M] (GridinSoft LLC) -- C:\Documents and Settings\SEdmands\Desktop\gtk2123setup.exe
[2012/07/25 11:43:45 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\SEdmands\My Documents\dds.scr
[2012/07/25 11:05:10 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\My Documents\tdsskiller.exe
[2012/07/25 11:05:10 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\SEdmands\Desktop\tdsskiller.exe
[2012/07/25 11:03:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\SEdmands\My Documents\aswMBR.exe
[2012/07/25 11:03:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\SEdmands\Desktop\aswMBR.exe
[2012/07/25 10:59:58 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\SEdmands\My Documents\esetsmartinstaller_enu.exe
[2012/07/25 10:59:58 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\SEdmands\Desktop\esetsmartinstaller_enu.exe
[2012/07/25 10:43:53 | 144,693,130 | ---- | M] () -- C:\Documents and Settings\SEdmands\My Documents\EmsisoftEmergencyKit.zip
[2012/07/24 02:54:32 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\SEdmands\Desktop\autorun.inf
[2012/07/24 02:54:30 | 001,587,624 | ---- | M] (Emsi Software GmbH) -- C:\Documents and Settings\SEdmands\Desktop\start.exe
[2012/07/24 02:54:20 | 000,000,060 | ---- | M] () -- C:\Documents and Settings\SEdmands\Desktop\CommandlineScanner.bat
[2012/07/24 02:54:20 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\SEdmands\Desktop\EmergencyKitScanner.bat
[2012/07/17 11:09:41 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd642e310354ac.job
[2012/07/17 06:09:06 | 000,524,690 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/17 06:09:06 | 000,105,998 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/16 13:19:24 | 000,039,424 | ---- | M] (StraightUsers Co) -- C:\Documents and Settings\All Users\Application Data\UblayvAjhiyy.dll
[2012/07/11 03:49:17 | 000,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/31 09:12:24 | 000,131,072 | ---- | C] () -- C:\Documents and Settings\SEdmands\govpxin.exe
[2012/07/27 11:58:36 | 1331,834,880 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/25 10:43:26 | 144,693,130 | ---- | C] () -- C:\Documents and Settings\SEdmands\My Documents\EmsisoftEmergencyKit.zip
[2012/07/24 15:34:53 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\Help and Support.lnk
[2012/07/24 15:34:53 | 000,000,683 | ---- | C] () -- C:\Documents and Settings\SEdmands\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/24 15:34:53 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\SEdmands\Local Settings\Application Data\fusioncache.dat
[2012/07/24 15:34:53 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\SEdmands\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/07/24 15:34:52 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Internet Explorer.lnk
[2012/07/24 15:34:52 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Outlook Express.lnk
[2012/07/24 15:34:51 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\SEdmands\Start Menu\Programs\Remote Assistance.lnk
[2012/07/24 02:54:32 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\autorun.inf
[2012/07/24 02:54:20 | 000,000,060 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\CommandlineScanner.bat
[2012/07/24 02:54:20 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\SEdmands\Desktop\EmergencyKitScanner.bat
[2012/07/17 11:09:41 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd642e310354ac.job
[2012/05/30 06:32:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/14 23:57:27 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/10/04 08:56:14 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\default_user_class.dat
[2006/04/26 10:49:12 | 000,014,438 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB17093$] -> Error: Cannot create file handle -> Unknown point type

< End of report >



OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\SEdmands\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.81 Gb Available Physical Memory | 65.13% Memory free
2.57 Gb Paging File | 2.31 Gb Available in Paging File | 89.75% Paging File free
Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 6.08 Gb Free Space | 8.16% Space Free | Partition Type: NTFS

Computer Name: CENTERADMIN | User Name: Sedmands | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 4

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{137FA082-CF47-488B-A6BF-CED8C8D1EE40}" = PastPerfect Museum Software Version 4.0
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.3.1
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{492F8345-095D-467F-926C-278870D93ECF}" = Windows Small Business Server 2008 ClientAgent
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{838257FC-952A-467B-86BF-21DB6B137A3F}" = Windows Small Business Server 2008 WMI Provider
"{870842F7-18BB-479D-A7B1-FE17E81AFF1A}" = Palm Desktop
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
"CCleaner" = CCleaner
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"FTP Commander" = FTP Commander
"InstallShield_{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.3.1
"LabelCreator Pro" = LabelCreator Pro
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"Silent Package Run-Time Sample" = EPSON CX 4200 4800 Guide
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • Gender:Female
  • Location:Romania

Posted 31 July 2012 - 12:37 PM

Please run the following as a fix from your own user profile (you can press Windows key + R for the Run box, from which you can launch any program, for example your browser). Copy the text in the codebox into OTL and click Run Fix.
:otl
SRV - File not found [On_Demand | Unknown] -- C:\DOCUME~1\MHANSB~1\LOCALS~1\Temp\PONOJJZWLSH.exe -- (PONOJJZWLSH)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\system32\otervn.exe -- (otervn)
O4 - HKLM..\Run: [H9ut6mA6albdFU7] C:\Documents and Settings\mhansbury\Application Data\VZGYMYZh.exe File not found
O20 - HKLM Winlogon: Shell - (C:\Documents and Settings\mhansbury\Application Data\VZGYMYZh.exe) - File not found

:commands
[emptytemp]

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
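What Elise's fix above removes can be read straight off the OTL log: the Winlogon Shell value has been replaced by an executable under a user's Application Data, a Run key launches the same file, and two services point at binaries in Temp and System32 that are no longer there. A replaced Shell value is also why the lock screen followed gunner550 into Safe Mode: ordinary Safe Mode still honours the Winlogon Shell value, and only "Safe Mode with Command Prompt" bypasses it by starting the SafeBoot AlternateShell (cmd.exe) instead. The Python script below is an added example, not code from this thread or from OTL: it applies those checks to OTL log lines and renders the matches as an OTL ':otl' block with an [emptytemp] command appended, which is the shape of Elise's fix. The sample lines are copied from the log posted above; the flagging rules and the list of what counts as a user-writable location are my assumptions, not OTL's.

```python
"""Triage autostart entries in an OTL (OldTimer's OTL) log.

Added example for this thread, not OTL's own code. It flags the entries a
malware-removal helper would pull into an OTL ':otl' fix script: a Winlogon
Shell value that no longer points at Explorer, Run entries launching from
user-writable locations, and services whose binary is missing or user-writable.
"""
import re

# Sample input: lines copied from the OTL log posted in this thread (a subset).
SAMPLE_LOG = r"""
SRV - File not found [On_Demand | Unknown] -- C:\DOCUME~1\MHANSB~1\LOCALS~1\Temp\PONOJJZWLSH.exe -- (PONOJJZWLSH)
SRV - File not found [Auto | Unknown] -- C:\WINDOWS\system32\otervn.exe -- (otervn)
O4 - HKLM..\Run: [H9ut6mA6albdFU7] C:\Documents and Settings\mhansbury\Application Data\VZGYMYZh.exe File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" File not found
O20 - HKLM Winlogon: Shell - (C:\Documents and Settings\mhansbury\Application Data\VZGYMYZh.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
"""

# Line shapes as OTL prints them: service, Run/RunOnce key, Winlogon value.
SRV_RE = re.compile(r"^SRV - .*? -- (?P<path>.+?) -- \((?P<name>[^)]*)\)\s*$")
O4_RE = re.compile(r'^O4 - .*?\] "?(?P<path>.+?)"?\s+(?P<status>File not found|\(.*\))\s*$')
O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<value>\w+) - \((?P<path>[^)]*)\) - (?P<status>.*)$")

# Assumption: locations a standard user can write to. Legitimate autostarts on
# XP rarely live here; lock-screen malware in this family routinely does.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\",
                 "\\application data\\", "\\temp\\", "\\locals~1\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def classify(line: str):
    """Return (reason, path) when the line is a removal candidate, else None."""
    m = SRV_RE.match(line)
    if m:
        path = m.group("path")
        if "file not found" in line.lower() or in_user_writable(path):
            return ("service with missing or user-writable binary", path)
        return None
    m = O4_RE.match(line)
    if m:
        path = m.group("path")
        if in_user_writable(path):
            return ("Run entry launching from a user-writable location", path)
        return None
    m = O20_RE.match(line)
    if m:
        value = m.group("value")
        path = m.group("path").rstrip(",").lower()  # UserInit carries a trailing comma
        if value == "Shell" and path != "explorer.exe" and not path.endswith("\\explorer.exe"):
            # Safe Mode also starts this value, so the lock screen appears there too.
            return ("Winlogon Shell replaced; runs instead of Explorer, in Safe Mode as well", m.group("path"))
        if value == "UserInit" and not path.endswith("\\system32\\userinit.exe"):
            return ("Winlogon UserInit tampered", m.group("path"))
    return None


def triage(log_text: str):
    """Walk the log and return [(line, reason, path), ...] for flagged entries."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        result = classify(line)
        if result:
            hits.append((line, result[0], result[1]))
    return hits


def build_otl_fix(log_text: str) -> str:
    """Render flagged lines as an OTL fix script. OTL removes every log line it
    is given verbatim under ':otl'; '[emptytemp]' under ':commands' clears temp folders."""
    body = "\n".join(line for line, _, _ in triage(log_text))
    return ":otl\n" + body + "\n\n:commands\n[emptytemp]\n"


if __name__ == "__main__":
    for line, reason, path in triage(SAMPLE_LOG):
        print(f"[{reason}] {path}")
    print()
    print(build_otl_fix(SAMPLE_LOG))
```

On the sample lines the script flags exactly the four entries in Elise's fix and leaves the Malwarebytes Run entry and the stale Nero RunOnce alone, because those sit under Program Files. Treat the output as a triage aid to compare against what a helper posts, not as a substitute for the review in this thread: a missing Program Files binary is usually a leftover, while a missing file under a profile directory is usually what the lock screen was.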