TechSpot

Google redirect, AV & IE damage

Solved
By tatterjack
Oct 13, 2011
  1. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTLPE Quick Scan

    OTL logfile created on: 10/18/2011 10:07:04 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.92 Gb Total Space | 113.35 Gb Free Space | 76.12% Space Free | Partition Type: NTFS
    Drive D: | 1003.27 Mb Total Space | 1003.21 Mb Free Space | 99.99% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2010/10/13 17:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/10/13 17:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
    SRV - [2010/10/13 17:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
    SRV - [2010/10/07 15:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/11/17 07:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2009/01/23 05:46:14 | 000,203,280 | ---- | M] () [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2004/03/29 11:08:16 | 000,049,152 | ---- | M] () [Auto] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
    DRV - File not found [Kernel | On_Demand] -- -- (MBAMSwissArmy)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (csmbrqkp)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2010/10/13 17:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 17:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2010/10/13 17:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/10/13 17:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2010/10/13 17:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2010/10/13 17:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2010/10/13 17:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2010/10/13 17:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/11/17 07:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2009/10/07 08:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/11/16 13:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/12/13 10:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
    DRV - [2005/11/28 16:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
    DRV - [2005/09/20 06:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
    DRV - [2005/08/02 18:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
    DRV - [2005/03/17 11:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/09/17 04:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?rd=1
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 08:30:31 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/09/13 09:27:04 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKU\Russell_Dobash_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
    O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Russell_Dobash_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/07/10 07:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/10/18 00:07:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LocalService\Recent
    [2011/10/17 20:22:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/17 20:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
    [2011/10/16 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
    [2011/10/15 11:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
    [2011/10/14 16:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/10/13 16:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
    [2011/10/13 16:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
    [2011/10/13 13:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 13:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/10/13 13:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/10/10 07:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2011/10/08 11:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
    [2011/10/03 08:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
    [2011/09/28 08:41:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

    ========== Files - Modified Within 30 Days ==========

    [2011/10/17 20:34:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/10/17 20:23:20 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2011/10/17 20:23:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/10/17 20:22:57 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/17 20:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/17 20:22:31 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/17 17:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    [2011/10/17 16:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/17 12:08:04 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
    [2011/10/17 12:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/17 06:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    [2011/10/15 05:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/10/14 05:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/10/14 05:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/10/13 13:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 13:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 05:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 08:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/10/03 08:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
    [2011/09/28 09:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 08:41:43 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 08:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/28 08:27:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/09/27 10:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf

    ========== Files Created - No Company Name ==========

    [2011/10/17 20:22:32 | 000,114,035 | --S- | C] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/17 12:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/13 13:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 05:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 08:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
    [2011/09/29 08:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
    [2011/09/29 05:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 09:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 08:41:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 08:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 10:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2011/07/17 14:48:30 | 000,001,052 | R--- | C] () -- \reatogoMenu.ini
    [2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP.SP2
    [2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP
    [2010/03/09 09:26:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2009/11/17 07:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2009/11/17 07:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2007/09/05 09:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
    [2007/06/25 09:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2007/06/25 09:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
    [2007/06/25 09:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
    [2007/06/25 09:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
    [2007/06/25 06:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
    [2007/06/25 06:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
    [2007/06/23 06:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2007/06/23 06:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
    [2007/06/23 06:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
    [2007/03/16 10:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
    [2006/12/02 06:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
    [2006/09/20 08:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
    [2006/09/20 08:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
    [2006/08/28 09:04:31 | 000,000,473 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
    [2006/08/28 09:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
    [2006/08/24 07:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/07/10 08:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/07/10 08:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/07/10 07:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/07/10 07:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/07/10 07:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2006/03/24 07:06:41 | 000,000,053 | R--- | C] () -- \AUTORUN.INF
    [2005/07/16 17:36:50 | 000,240,128 | R--- | C] () -- \reatogoMenu.exe
    [2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 08:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 08:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/07/06 11:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2011/10/05 12:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
    [2011/10/03 08:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
    [2007/11/28 13:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
    [2010/09/20 08:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
    [2009/12/21 13:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems
    [2009/12/21 12:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
    [2010/03/09 09:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
    [2010/03/09 09:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS

    ========== Purity Check ==========


    < End of report >
  2. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | System] -- -- (csmbrqkp)
    O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] File not found
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    [2011/10/17 20:22:31 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
  3. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTLPE Fix Log

    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csmbrqkp deleted successfully.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\LmlLhkfv deleted successfully.
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe moved successfully.
    Registry value HKEY_USERS\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\{059917AA-2371-A9CF-E2EB-599F7AF29392} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{059917AA-2371-A9CF-E2EB-599F7AF29392}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe deleted successfully.
    File C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi folder moved successfully.
    File\Folder C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 10182011_214908
  4. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Post new OTL log.
  5. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Once rebooted normally I took a look at the Winlogon registry key. It once again has the lmllhkfv.exe tagged on.

    Can I check I have carried out the process correctly?

    a) run the fix on OTLPE
    b) reboot normally

    or was I meant to reboot into OTLPE first?

    I'm out now for a couple of hours but should be able to follow instructions later tonight, thanks.
  6. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTLPE Quick Scan Log?
  7. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Yes. You did fine.
  8. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTLPE Quick Scan log

    OTL logfile created on: 10/19/2011 2:02:30 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.92 Gb Total Space | 113.34 Gb Free Space | 76.11% Space Free | Partition Type: NTFS
    Drive D: | 1003.27 Mb Total Space | 1003.26 Mb Free Space | 100.00% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2010/10/13 17:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/10/13 17:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
    SRV - [2010/10/13 17:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
    SRV - [2010/10/07 15:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/11/17 07:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2009/01/23 05:46:14 | 000,203,280 | ---- | M] () [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2004/03/29 11:08:16 | 000,049,152 | ---- | M] () [Auto] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
    DRV - File not found [Kernel | On_Demand] -- -- (MBAMSwissArmy)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2010/10/13 17:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 17:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2010/10/13 17:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/10/13 17:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2010/10/13 17:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2010/10/13 17:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2010/10/13 17:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2010/10/13 17:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/11/17 07:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2009/10/07 08:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/11/16 13:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/12/13 10:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
    DRV - [2005/11/28 16:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
    DRV - [2005/09/20 06:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
    DRV - [2005/08/02 18:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
    DRV - [2005/03/17 11:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/09/17 04:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?rd=1
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
    IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 08:30:31 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/09/13 09:27:04 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKU\Russell_Dobash_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
    O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Russell_Dobash_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/07/10 07:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/10/18 16:59:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/18 16:59:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
    [2011/10/18 00:07:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LocalService\Recent
    [2011/10/16 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
    [2011/10/15 11:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
    [2011/10/14 16:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/10/13 16:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
    [2011/10/13 16:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
    [2011/10/13 13:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 13:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/10/13 13:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/10/10 07:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2011/10/08 11:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
    [2011/10/03 08:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
    [2011/09/28 08:41:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

    ========== Files - Modified Within 30 Days ==========

    [2011/10/18 17:10:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/10/18 17:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    [2011/10/18 17:00:18 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2011/10/18 17:00:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/10/18 17:00:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/18 16:59:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/18 16:59:32 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/17 16:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/17 12:08:04 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
    [2011/10/17 12:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/17 06:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    [2011/10/15 05:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/10/14 05:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/10/14 05:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/10/13 13:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 13:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 05:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 08:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/10/03 08:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
    [2011/09/28 09:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 08:41:43 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 08:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/28 08:27:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/09/27 10:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf

    ========== Files Created - No Company Name ==========

    [2011/10/18 16:59:33 | 000,114,035 | --S- | C] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/17 12:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/13 13:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 05:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 08:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
    [2011/09/29 08:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
    [2011/09/29 05:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 09:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 08:41:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 08:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 10:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2011/07/17 14:48:30 | 000,001,052 | R--- | C] () -- \reatogoMenu.ini
    [2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP.SP2
    [2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP
    [2010/03/09 09:26:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2009/11/17 07:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2009/11/17 07:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2007/09/05 09:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
    [2007/06/25 09:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2007/06/25 09:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
    [2007/06/25 09:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
    [2007/06/25 09:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
    [2007/06/25 06:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
    [2007/06/25 06:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
    [2007/06/23 06:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2007/06/23 06:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
    [2007/06/23 06:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
    [2007/03/16 10:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
    [2006/12/02 06:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
    [2006/09/20 08:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
    [2006/09/20 08:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
    [2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
    [2006/08/28 09:04:31 | 000,000,473 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
    [2006/08/28 09:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
    [2006/08/24 07:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/07/10 08:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/07/10 08:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/07/10 07:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/07/10 07:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/07/10 07:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2006/03/24 07:06:41 | 000,000,053 | R--- | C] () -- \AUTORUN.INF
    [2005/07/16 17:36:50 | 000,240,128 | R--- | C] () -- \reatogoMenu.exe
    [2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 08:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 08:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/07/06 11:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2011/10/05 12:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
    [2011/10/03 08:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
    [2007/11/28 13:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
    [2010/09/20 08:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
    [2009/12/21 13:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems
    [2009/12/21 12:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
    [2010/03/09 09:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
    [2010/03/09 09:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS

    ========== Purity Check ==========


    < End of report >
  9. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Boot back to OTLPE CD.
    Plug in the USB stick where you have the Combofix file saved.

    While on the REATOGO-X-PE desktop, using "My Computer" copy the Combofix file to some known location like the root directory C:\

    Restart the computer normally and see if you can access and run Combofix.
  10. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    ComboFix

    It has started running, displaying a blue command prompt window now; the latest line reads:
    "Attempting to create new System Restore Point"

    On top of this a Windows message has appeared:
    "Windows cannot find Nirkmd."
    Should I click OK to this?

    There has been no change for several minutes.
  11. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    You can OK that message.
  12. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    ComboFix log

    ComboFix 11-10-18.04 - Russell Dobash 10/19/2011 4:04.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1679 [GMT 1:00]
    Running from: C:\ComboFix.exe
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\mnldimku.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\ydmeccsi.log
    c:\documents and settings\Russell Dobash\WINDOWS
    c:\program files\Common Files\Uninstall
    c:\program files\PAV
    c:\windows\system32\d3d9caps.dat
    c:\windows\system32\lsprst7.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-18 20:59 . 2011-10-19 03:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    2011-09-28 12:41 . 2011-09-28 12:41 -------- d-----w- c:\windows\system32\MpEngineStore
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKU-Default-Run-LmlLhkfv - c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    AddRemove-EndNote - c:\progra~1\ENDNOT~2\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-19 04:15
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2520)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-19 04:27:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-19 03:26
    .
    Pre-Run: 121,508,352,000 bytes free
    Post-Run: 121,815,048,192 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8D47F9A2204DF8A2D05E4C26F5FF0D93
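The catchme section of the log above reports a code modification of ZwQueryDirectoryFile in ntdll. That export is the one a file-hiding user-mode rootkit typically detours so that directory listings skip its files, which matches the "hidden" LocalService autostart ComboFix removed. The check below is an added example written for this thread, not part of catchme or ComboFix: it compares the first bytes of a 32-bit XP syscall stub against the stub's known layout and reports an inline JMP or PUSH/RET detour. The byte samples are constructed, and the syscall number 0x91 is an assumption used for illustration, not a value taken from this machine.

```python
"""Classify the first bytes of an ntdll Zw*/Nt* stub (32-bit Windows XP).

The clean XP SP2/SP3 x86 stub has a fixed shape:

    B8 xx xx xx xx   mov  eax, <syscall number>
    BA 00 03 FE 7F   mov  edx, 7FFE0300h   ; SharedUserData!SystemCallStub
    FF 12            call dword ptr [edx]
    C2 nn 00         ret  nn               ; nn = 4 * argument count

A user-mode hook overwrites the start of this stub with a jump to its own
code, which is what "NTDLL code modification" means in the catchme report.
"""
import struct

STUB_LEN = 15


def decode_stub(code: bytes) -> dict:
    """Return a verdict for the first STUB_LEN bytes of a stub."""
    if len(code) < STUB_LEN:
        raise ValueError("need at least %d bytes" % STUB_LEN)
    head = code[:STUB_LEN]
    # Clean stub: opcode skeleton matches and only the immediates vary.
    if (head[0] == 0xB8 and head[5:12] == b"\xBA\x00\x03\xFE\x7F\xFF\x12"
            and head[12] == 0xC2 and head[14] == 0x00):
        return {"verdict": "clean",
                "syscall": struct.unpack_from("<I", head, 1)[0],
                "argc": head[13] // 4}
    # E9 rel32: relative jump written over the prologue (inline hook).
    if head[0] == 0xE9:
        rel = struct.unpack_from("<i", head, 1)[0]
        return {"verdict": "inline-jmp", "target_offset": rel + 5}
    # 68 imm32 / C3: "push <addr>; ret", another common detour shape.
    if head[0] == 0x68 and head[5] == 0xC3:
        return {"verdict": "push-ret",
                "target": struct.unpack_from("<I", head, 1)[0]}
    return {"verdict": "unknown"}


def first_mismatch(in_memory: bytes, on_disk: bytes) -> int:
    """Offset of the first byte where the loaded image differs from the file
    on disk (the comparison catchme performs), or -1 if they agree."""
    for i, (a, b) in enumerate(zip(in_memory, on_disk)):
        if a != b:
            return i
    if len(in_memory) == len(on_disk):
        return -1
    return min(len(in_memory), len(on_disk))


# Constructed samples. 0x91 is assumed here as the NtQueryDirectoryFile
# syscall number; verify it against your own ntdll.dll before relying on it.
CLEAN_STUB = bytes([0xB8, 0x91, 0x00, 0x00, 0x00,
                    0xBA, 0x00, 0x03, 0xFE, 0x7F,
                    0xFF, 0x12, 0xC2, 0x2C, 0x00])
# Same stub with a 5-byte JMP to +0x1000 patched over "mov eax, imm32".
HOOKED_STUB = bytes([0xE9, 0xFB, 0x0F, 0x00, 0x00]) + CLEAN_STUB[5:]

if __name__ == "__main__":
    print("clean :", decode_stub(CLEAN_STUB))
    print("hooked:", decode_stub(HOOKED_STUB),
          "first mismatch at", first_mismatch(HOOKED_STUB, CLEAN_STUB))
```

ret 2Ch gives 11 arguments, which is what NtQueryDirectoryFile takes; a stub whose ret count or SystemCallStub address does not match is worth a closer look even when it does not start with a jump. On a live system the bytes would come from ReadProcessMemory on the loaded ntdll and from the file in System32; comparing the two is the same test catchme applies.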
  13. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Good job :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  14. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Left combofix.exe on C:\ and dragged cfscript.txt to it from USB drive.
    Windows message: "Windows cannot access the specified device, path, file"

    Tried putting cfscript.txt on C:\ and dragging to combofix. Same result.

    I still have no access to McAfee. If it is this that is causing the problem I am very happy to get rid of it and use one of the free ones.
  15. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
  16. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Junction Output

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


    ...

    .
    Failed to open \\?\c:\\Qoobox\BackEnv\AppData.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Cache.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Cookies.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Desktop.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Favorites.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\History.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Music.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\NetHood.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Personal.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Pictures.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Programs.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Recent.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\SendTo.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\SetPath.bat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\StartUp.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\SysPath.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\Templates.folder.dat: Access is denied.
    Failed to open \\?\c:\\Qoobox\BackEnv\VikPev00: Access is denied.
    Failed to open \\?\c:\\System Volume Information\1590912drv.isw: Access is denied.
    Failed to open \\?\c:\\System Volume Information\7234949drv.isw: Access is denied.
    Failed to open \\?\c:\\System Volume Information\mdllog.dat: Access is denied.


    ..

    ...


    No reparse points found.
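Broni's next step takes the "Access is denied" paths from this log and hands them to GrantPerms. The script below is an added example (not Junction and not one of Broni's tools) that does that extraction automatically: it groups Junction's "Failed to open" lines by error text, drops the \\?\ extended-path prefix, and separates the pagefile "in use" error and the System Volume Information entries, which are SYSTEM-only by default on XP NTFS volumes (KB309531), from the denials that actually need unlocking. The sample log is a constructed excerpt of the output above; the doubled "c:\\" separator is kept exactly as Junction printed it, since GrantPerms accepted it that way in the next post.

```python
"""Turn a "junction -s c:\\" log into the path list GrantPerms expects."""
import re

# Junction reports each file it could not open as
#   Failed to open <path>: <reason>.
FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+?)\.?\s*$")
LONG_PREFIX = "\\\\?\\"          # extended-length prefix: \\?\c:\...


def parse_failures(log_text: str) -> dict:
    """Group every 'Failed to open' line by its error reason."""
    groups = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue            # banner, progress dots, "No reparse points found."
        groups.setdefault(m.group("reason"), []).append(m.group("path"))
    return groups


def grantperms_list(log_text: str) -> list:
    """Access-denied paths, without the \\?\ prefix, one per line for GrantPerms."""
    denied = parse_failures(log_text).get("Access is denied", [])
    out = []
    for path in denied:
        if path.startswith(LONG_PREFIX):
            path = path[len(LONG_PREFIX):]
        out.append(path)        # keep "c:\\Qoobox\..." exactly as logged
    return out


def expected_denied(path: str) -> bool:
    """System Volume Information is SYSTEM-only by default on XP NTFS, so
    a denial there is normal and is not evidence of tampering."""
    return "\\system volume information\\" in path.lower()


def unlock_candidates(log_text: str) -> list:
    """Denied paths that are not explained by a default-restricted location."""
    return [p for p in grantperms_list(log_text) if not expected_denied(p)]


# Constructed excerpt of the Junction output posted above.
SAMPLE_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

Failed to open \\?\c:\\Qoobox\BackEnv\SetPath.bat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\VikPev00: Access is denied.
Failed to open \\?\c:\\System Volume Information\mdllog.dat: Access is denied.

No reparse points found.
"""

if __name__ == "__main__":
    for path in grantperms_list(SAMPLE_LOG):
        tag = "(default ACL) " if expected_denied(path) else ""
        print(tag + path)
```

Run it against the full log.txt instead of SAMPLE_LOG to get the same 27-line list Broni built by hand; the "in use" error on pagefile.sys is a sharing violation, not a permissions problem, and the parser keeps it in its own group so it never ends up in the unlock list.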
  17. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Please download GrantPerms.zip and save it to your desktop.
    Unzip the file and depending on the system run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system)
    Copy and paste the following in the edit box:

    Code:
    c:\\System Volume Information\mdllog.dat
    c:\\System Volume Information\7234949drv.isw
    c:\\System Volume Information\1590912drv.isw
    c:\\Qoobox\BackEnv\VikPev00
    c:\\Qoobox\BackEnv\Templates.folder.dat
    c:\\Qoobox\BackEnv\SysPath.dat
    c:\\Qoobox\BackEnv\StartUp.folder.dat
    c:\\Qoobox\BackEnv\StartMenu.folder.dat
    c:\\Qoobox\BackEnv\SetPath.bat
    c:\\Qoobox\BackEnv\SendTo.folder.dat
    c:\\Qoobox\BackEnv\Recent.folder.dat
    c:\\Qoobox\BackEnv\Programs.folder.dat
    c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat
    c:\\Qoobox\BackEnv\Profiles.Folder.dat
    c:\\Qoobox\BackEnv\PrintHood.folder.dat
    c:\\Qoobox\BackEnv\Pictures.folder.dat
    c:\\Qoobox\BackEnv\Personal.folder.dat
    c:\\Qoobox\BackEnv\NetHood.folder.dat
    c:\\Qoobox\BackEnv\Music.folder.dat
    c:\\Qoobox\BackEnv\LocalSettings.folder.dat
    c:\\Qoobox\BackEnv\LocalAppData.folder.dat
    c:\\Qoobox\BackEnv\History.folder.dat
    c:\\Qoobox\BackEnv\Favorites.folder.dat
    c:\\Qoobox\BackEnv\Desktop.folder.dat
    c:\\Qoobox\BackEnv\Cookies.folder.dat
    c:\\Qoobox\BackEnv\Cache.folder.dat
    c:\\Qoobox\BackEnv\AppData.folder.dat
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.

    You should be able to run Combofix fix now.
  18. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    GrantPerms Output

    GrantPerms by Farbar
    Ran by Russell Dobash at 2011-10-20 02:58:00

    ===============================================
    \\?\c:\\System Volume Information\mdllog.dat

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\System Volume Information\7234949drv.isw

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\System Volume Information\1590912drv.isw

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\Qoobox\BackEnv\VikPev00

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Templates.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\SysPath.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\StartUp.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\SetPath.bat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\SendTo.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Recent.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Programs.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Pictures.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Personal.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\NetHood.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Music.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\History.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Favorites.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Desktop.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Cookies.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Cache.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\AppData.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)
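The Perms.txt listing above shows why the Qoobox\BackEnv files were unreadable even from an administrator account: each DACL starts with "Everyone FULL DENY", and Windows evaluates ACEs in DACL order, stopping at the first entry that decides the requested right. Every token is a member of Everyone, so that deny wins before the "BUILTIN\Administrators FULL ALLOW" two lines later is ever reached. The script below is an added example, not part of GrantPerms: it parses the Owner/DACL blocks and walks them the way the access check does. The sample text is a constructed copy of two of the blocks above, and the group list in ADMIN_TOKEN is an assumed administrator token for illustration.

```python
"""Parse GrantPerms' Perms.txt output and replay the DACL walk."""
import re

HEADER_RE = re.compile(r"^DACL\((?P<prot>P|NP)\)")
ACE_RE = re.compile(
    r"^(?P<who>.+?)\s+(?P<rights>FULL|READ/EXECUTE|ADD SUBDIRECTORY|ADD FILE)"
    r"\s+(?P<type>ALLOW|DENY)\s*(?P<flags>(?:\([A-Z]+\))*)$")

# GrantPerms' labels mapped onto a simplified rights set.
RIGHTS = {
    "FULL": {"read", "write", "execute", "delete", "write_dac"},
    "READ/EXECUTE": {"read", "execute"},
    "ADD SUBDIRECTORY": {"write"},
    "ADD FILE": {"write"},
}


def parse_perms(text: str) -> dict:
    """Map each path to {'owner', 'protected', 'aces': [(who, type, rights, inherited)]}.
    'protected' is DACL(P): inheritance from the parent is blocked."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("==="):
            continue
        if line.startswith("\\\\?\\"):
            current = {"owner": None, "protected": False, "aces": []}
            entries[line] = current
            continue
        if current is None:
            continue                    # banner lines before the first path
        if line.startswith("Owner:"):
            current["owner"] = line.split(":", 1)[1].strip()
        elif HEADER_RE.match(line):
            current["protected"] = HEADER_RE.match(line).group("prot") == "P"
        else:
            m = ACE_RE.match(line)
            if m:
                current["aces"].append((m.group("who"), m.group("type"),
                                        RIGHTS[m.group("rights")],
                                        "(I)" in m.group("flags")))
    return entries


def access_check(entry: dict, groups: set, want: str) -> tuple:
    """Walk the DACL in order; the first ACE naming one of the caller's groups
    and covering the wanted right decides. Returns (granted, deciding ACE)."""
    for ace in entry["aces"]:
        who, kind, rights, _inherited = ace
        if who in groups and want in rights:
            return (kind == "ALLOW", ace)
    return (False, None)                # no matching ACE: implicit deny


def blocked_paths(text: str, groups: set) -> list:
    """Paths the given token cannot read, with the ACE responsible."""
    out = []
    for path, entry in parse_perms(text).items():
        ok, ace = access_check(entry, groups, "read")
        if not ok:
            out.append((path, ace))
    return out


# Assumed group membership of an administrator's token (illustration only).
ADMIN_TOKEN = {"Everyone", "BUILTIN\\Administrators", "BUILTIN\\Users",
               "NT AUTHORITY\\Authenticated Users"}

# Constructed copy of two blocks from the Perms.txt posted above.
SAMPLE_PERMS = r"""
\\?\c:\\System Volume Information\mdllog.dat

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\Qoobox\BackEnv\VikPev00

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)
"""

if __name__ == "__main__":
    for path, ace in blocked_paths(SAMPLE_PERMS, ADMIN_TOKEN):
        print(path, "->", "no matching ACE" if ace is None else ace[:2])
```

Two details in the listing matter for cleanup. The "(I)" flag on the deny entries means they are inherited, so the explicit ACE lives on a parent folder and rewriting it there clears every child at once. The SYSTEM token contains Everyone too, so the same deny also stops SYSTEM; only SeBackupPrivilege, SeTakeOwnershipPrivilege, or the owner's implicit right to rewrite the DACL get around it, which is the route a permission-repair tool has to take.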
  19. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    See if Combofix fix will run now.
  20. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    ComboFix

    This time I could drag ComboFix to the desktop and when I dragged cfscript.txt onto it, it ran. It's now showing the blue command and coming up with the NirCmd messages to which I'm replying OK. There were about 50 of them last time.
  21. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Curiously I got a message saying Windows Update needed to restart the computer despite not being connected to the Internet. I clicked Restart Later.
  22. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Update me on Combofix situation in a while.
  23. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Combofix Output

    ComboFix 11-10-18.04 - Russell Dobash 10/20/2011 3:08.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1384 [GMT 1:00]
    Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Russell Dobash\Desktop\cfscript.txt
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\LocalService\Local Settings\Application Data\mnldimku.log
    c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
    c:\windows\system32\_000005_.tmp.dll
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-18 20:59 . 2011-10-20 02:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-19_03.15.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-20 02:24 . 2011-10-20 02:24 56200 c:\windows\Temp\offreg.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll
    - 2006-11-07 21:03 . 2011-06-23 18:36 55296 c:\windows\system32\msfeedsbs.dll
    + 2006-11-07 21:03 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
    - 2009-07-17 08:48 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll
    + 2009-07-17 08:48 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2007-05-09 07:50 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2007-05-09 07:50 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2011-07-08 13:00 . 2011-07-08 13:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2011-07-07 11:04 . 2011-07-07 11:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    + 2011-07-07 11:04 . 2011-07-07 11:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    + 2011-07-07 11:03 . 2011-07-07 11:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    - 2010-09-23 02:17 . 2010-09-23 02:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    + 2011-07-07 12:09 . 2011-07-07 12:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    - 2010-09-23 02:17 . 2010-09-23 02:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2011-07-07 12:09 . 2011-07-07 12:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_a11d3fd6\System.Drawing.Design.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_fa26395a\CustomMarshalers.dll
    - 2010-10-06 17:13 . 2010-10-06 17:13 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2011-10-20 02:00 . 2011-10-20 02:00 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2011-10-20 02:22 . 2011-10-20 02:22 114035 c:\windows\Temp\drggmmefohcljxih.exe
    - 2011-10-19 03:14 . 2011-10-19 03:14 114035 c:\windows\Temp\drggmmefohcljxih.exe
    - 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\occache.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll
    - 2006-11-07 21:03 . 2011-06-23 18:36 602112 c:\windows\system32\msfeeds.dll
    + 2006-11-07 21:03 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\iepeers.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll
    + 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
    + 2006-07-10 12:10 . 2011-10-20 02:22 307600 c:\windows\system32\FNTCACHE.DAT
    - 2006-07-10 12:10 . 2011-07-14 09:01 307600 c:\windows\system32\FNTCACHE.DAT
    - 2004-08-04 12:00 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 916480 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
    - 2007-05-09 07:50 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2007-05-09 07:50 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2009-07-17 08:48 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
    - 2009-07-17 08:48 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
    + 2010-06-13 14:58 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2010-06-13 14:58 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
    + 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
    - 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
    + 2008-06-20 11:40 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
    + 2011-10-18 20:59 . 2011-10-20 02:22 114035 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    - 2010-09-23 01:26 . 2010-09-23 01:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    + 2011-07-07 11:04 . 2011-07-07 11:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    - 2010-09-23 01:25 . 2010-09-23 01:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    + 2011-07-07 11:01 . 2011-07-07 11:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    - 2010-09-23 02:17 . 2010-09-23 02:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2011-07-07 12:09 . 2011-07-07 12:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2011-10-20 02:03 . 2011-06-23 18:36 130043 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 916480 c:\windows\ie8updates\KB2586448-IE8\wininet.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 105984 c:\windows\ie8updates\KB2586448-IE8\url.dll
    + 2011-10-20 02:03 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2586448-IE8\spuninst\updspapi.dll
    + 2011-10-20 02:03 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2586448-IE8\spuninst\spuninst.exe
    + 2011-10-20 02:02 . 2011-06-23 18:36 206848 c:\windows\ie8updates\KB2586448-IE8\occache.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 611840 c:\windows\ie8updates\KB2586448-IE8\mstime.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 602112 c:\windows\ie8updates\KB2586448-IE8\msfeeds.dll
    + 2011-10-20 02:03 . 2011-06-23 18:36 364892 c:\windows\ie8updates\KB2586448-IE8\ieproxy.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 184320 c:\windows\ie8updates\KB2586448-IE8\iepeers.dll
    + 2011-10-20 02:03 . 2011-06-23 18:36 860696 c:\windows\ie8updates\KB2586448-IE8\iedvtool.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 387584 c:\windows\ie8updates\KB2586448-IE8\iedkcs32.dll
    + 2011-10-20 02:03 . 2011-06-23 12:05 173568 c:\windows\ie8updates\KB2586448-IE8\ie4uinit.exe
    + 2011-10-20 02:01 . 2011-10-20 02:01 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_8685ae70\System.Drawing.dll
    + 2011-10-20 02:23 . 2011-10-20 02:24 7269712 c:\windows\Temp\MPENGINE.DLL
    - 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
    + 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\mshtml.dll
    + 2006-10-17 11:57 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
    - 2008-10-16 11:53 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
    + 2008-10-16 11:53 . 2011-09-06 13:20 1858944 c:\windows\system32\dllcache\win32k.sys
    - 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\dllcache\mshtml.dll
    + 2007-05-09 07:50 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
    + 2011-07-08 12:59 . 2011-07-08 12:59 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2011-07-08 12:59 . 2011-07-08 12:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2011-07-07 11:02 . 2011-07-07 11:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2011-07-07 11:02 . 2011-07-07 11:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2011-07-08 12:59 . 2011-07-08 12:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 1212416 c:\windows\ie8updates\KB2586448-IE8\urlmon.dll
    + 2011-10-20 02:02 . 2011-07-25 15:17 5969920 c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 1991680 c:\windows\ie8updates\KB2586448-IE8\iertutil.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_006ebf2b\System.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_a1e531e9\System.Xml.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_f00b8d1f\System.Windows.Forms.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_316aa935\System.Design.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_df620e42\mscorlib.dll
    - 2010-10-06 17:13 . 2010-10-06 17:13 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2011-10-20 02:00 . 2011-10-20 02:00 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2011-10-20 02:00 . 2011-10-20 02:00 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    - 2010-10-06 17:13 . 2010-10-06 17:13 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2006-09-21 15:00 . 2011-10-20 02:03 48324552 c:\windows\system32\MRT.exe
    - 2006-11-07 21:03 . 2011-06-23 18:36 11081728 c:\windows\system32\ieframe.dll
    + 2006-11-07 21:03 . 2011-08-23 16:48 11081728 c:\windows\system32\ieframe.dll
    - 2007-05-09 07:50 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll
    + 2007-05-09 07:50 . 2011-08-23 16:48 11081728 c:\windows\system32\dllcache\ieframe.dll
    + 2011-07-12 21:49 . 2011-07-12 21:49 11459584 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2572067\M2572067Uninstall.msp
    + 2011-07-12 14:50 . 2011-07-12 14:50 17555968 c:\windows\Installer\126fa2f.msp
    + 2011-10-20 02:02 . 2011-06-23 18:36 11081728 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [2011-10-20 114035]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    lmllhkfv.exe [2011-10-20 114035]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-20 03:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3216)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\MRT.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-20 03:30:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-20 02:30
    ComboFix2.txt 2011-10-19 03:27
    .
    Pre-Run: 118,658,908,160 bytes free
    Post-Run: 118,891,155,456 bytes free
    .
    - - End Of File - - D023BFFABFF0FFBBA95A892C9E6983C0
  24. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    The offending entry is still there....

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore (see "How to turn off or turn on Windows XP System Restore").
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said).
    If you are running Windows XP, re-enable System Restore.
  25. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    FixTDSS

    One message:

    Backdoor.Tidserv has been found on your computer.


    BTW the USB stick is no longer being corrupted and the McAfee icon has reappeared in the notification area although it has no function.

