TechSpot

Google redirect, AV & IE damage

Solved
By tatterjack
Oct 13, 2011
  1. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Some good news :)

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  2. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    TDSSKiller Report

    21:35:54.0015 3800 TDSS rootkit removing tool 2.6.11.0 Oct 19 2011 13:50:27
    21:35:54.0046 3800 ============================================================
    21:35:54.0046 3800 Current date / time: 2011/10/20 21:35:54.0046
    21:35:54.0046 3800 SystemInfo:
    21:35:54.0046 3800
    21:35:54.0046 3800 OS Version: 5.1.2600 ServicePack: 3.0
    21:35:54.0046 3800 Product type: Workstation
    21:35:54.0046 3800 ComputerName: UNIVERSI-2DDE3C
    21:35:54.0046 3800 UserName: Russell Dobash
    21:35:54.0046 3800 Windows directory: C:\WINDOWS
    21:35:54.0046 3800 System windows directory: C:\WINDOWS
    21:35:54.0046 3800 Processor architecture: Intel x86
    21:35:54.0046 3800 Number of processors: 2
    21:35:54.0046 3800 Page size: 0x1000
    21:35:54.0046 3800 Boot type: Normal boot
    21:35:54.0046 3800 ============================================================
    21:35:55.0546 3800 Initialize success
    21:36:14.0656 3828 ============================================================
    21:36:14.0656 3828 Scan started
    21:36:14.0656 3828 Mode: Manual;
    21:36:14.0656 3828 ============================================================
    21:36:14.0828 3828 Abiosdsk - ok
    21:36:14.0843 3828 abp480n5 - ok
    21:36:14.0937 3828 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:36:14.0953 3828 ACPI - ok
    21:36:15.0000 3828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    21:36:15.0000 3828 ACPIEC - ok
    21:36:15.0015 3828 adpu160m - ok
    21:36:15.0078 3828 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    21:36:15.0078 3828 aec - ok
    21:36:15.0125 3828 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    21:36:15.0125 3828 AegisP - ok
    21:36:15.0171 3828 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    21:36:15.0171 3828 AFD - ok
    21:36:15.0187 3828 Aha154x - ok
    21:36:15.0234 3828 aic78u2 - ok
    21:36:15.0250 3828 aic78xx - ok
    21:36:15.0328 3828 AliIde - ok
    21:36:15.0359 3828 amsint - ok
    21:36:15.0421 3828 asc - ok
    21:36:15.0453 3828 asc3350p - ok
    21:36:15.0484 3828 asc3550 - ok
    21:36:15.0609 3828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:36:15.0609 3828 AsyncMac - ok
    21:36:15.0656 3828 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    21:36:15.0671 3828 atapi - ok
    21:36:15.0703 3828 Atdisk - ok
    21:36:15.0796 3828 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:36:15.0796 3828 Atmarpc - ok
    21:36:15.0906 3828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    21:36:15.0906 3828 audstub - ok
    21:36:15.0953 3828 b57w2k (241474d01380e9ed41d4c07f4f5fd401) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    21:36:15.0953 3828 b57w2k - ok
    21:36:16.0062 3828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    21:36:16.0062 3828 Beep - ok
    21:36:16.0140 3828 Bonifay (c0152e77307de863ebf6c728cf0a771d) C:\WINDOWS\system32\DRIVERS\Bonifay.sys
    21:36:16.0156 3828 Bonifay - ok
    21:36:16.0187 3828 catchme - ok
    21:36:16.0265 3828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    21:36:16.0265 3828 cbidf2k - ok
    21:36:16.0312 3828 cd20xrnt - ok
    21:36:16.0375 3828 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    21:36:16.0375 3828 Cdaudio - ok
    21:36:16.0468 3828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    21:36:16.0468 3828 Cdfs - ok
    21:36:16.0515 3828 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:36:16.0515 3828 Cdrom - ok
    21:36:16.0593 3828 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
    21:36:16.0593 3828 cfwids - ok
    21:36:16.0656 3828 Changer - ok
    21:36:16.0718 3828 CmdIde - ok
    21:36:16.0828 3828 Cpqarray - ok
    21:36:16.0921 3828 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    21:36:16.0921 3828 CVirtA - ok
    21:36:17.0031 3828 CVPNDRVA (c23025ac5ae45a105d63bd6e2408edd4) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    21:36:17.0031 3828 CVPNDRVA - ok
    21:36:17.0046 3828 dac2w2k - ok
    21:36:17.0078 3828 dac960nt - ok
    21:36:17.0218 3828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    21:36:17.0218 3828 Disk - ok
    21:36:17.0343 3828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    21:36:17.0406 3828 dmboot - ok
    21:36:17.0453 3828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    21:36:17.0468 3828 dmio - ok
    21:36:17.0500 3828 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    21:36:17.0500 3828 dmload - ok
    21:36:17.0609 3828 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    21:36:17.0609 3828 DMusic - ok
    21:36:17.0687 3828 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    21:36:17.0687 3828 DNE - ok
    21:36:17.0828 3828 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    21:36:17.0843 3828 Dot4 - ok
    21:36:17.0890 3828 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    21:36:17.0890 3828 Dot4Print - ok
    21:36:17.0953 3828 dpti2o - ok
    21:36:18.0015 3828 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    21:36:18.0015 3828 drmkaud - ok
    21:36:18.0140 3828 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
    21:36:18.0140 3828 ElbyCDIO - ok
    21:36:18.0250 3828 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    21:36:18.0250 3828 Fastfat - ok
    21:36:18.0296 3828 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    21:36:18.0312 3828 Fdc - ok
    21:36:18.0343 3828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    21:36:18.0343 3828 Fips - ok
    21:36:18.0359 3828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    21:36:18.0359 3828 Flpydisk - ok
    21:36:18.0390 3828 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    21:36:18.0406 3828 FltMgr - ok
    21:36:18.0421 3828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:36:18.0421 3828 Fs_Rec - ok
    21:36:18.0453 3828 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:36:18.0468 3828 Ftdisk - ok
    21:36:18.0546 3828 Gonzales (673d63add112dce1ea58a4e418eddb86) C:\WINDOWS\system32\DRIVERS\Gonzales.sys
    21:36:18.0546 3828 Gonzales - ok
    21:36:18.0625 3828 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:36:18.0625 3828 Gpc - ok
    21:36:18.0687 3828 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    21:36:18.0687 3828 hidusb - ok
    21:36:18.0781 3828 HPFXBULK (e4e0b356a8756066cf89080d9da69f22) C:\WINDOWS\system32\drivers\hpfxbulk.sys
    21:36:18.0781 3828 HPFXBULK - ok
    21:36:18.0812 3828 hpn - ok
    21:36:18.0906 3828 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    21:36:18.0906 3828 HTTP - ok
    21:36:19.0015 3828 hwdatacard (20330198554b7ddb44403af21d6ae179) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
    21:36:19.0015 3828 hwdatacard - ok
    21:36:19.0062 3828 i2omgmt - ok
    21:36:19.0140 3828 i2omp - ok
    21:36:19.0203 3828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    21:36:19.0203 3828 i8042prt - ok
    21:36:19.0234 3828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    21:36:19.0250 3828 Imapi - ok
    21:36:19.0281 3828 ini910u - ok
    21:36:19.0328 3828 IntelIde - ok
    21:36:19.0406 3828 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:36:19.0406 3828 intelppm - ok
    21:36:19.0453 3828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    21:36:19.0468 3828 Ip6Fw - ok
    21:36:19.0562 3828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:36:19.0562 3828 IpFilterDriver - ok
    21:36:19.0609 3828 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:36:19.0609 3828 IpInIp - ok
    21:36:19.0734 3828 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:36:19.0734 3828 IpNat - ok
    21:36:19.0796 3828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:36:19.0812 3828 IPSec - ok
    21:36:19.0843 3828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:36:19.0843 3828 IRENUM - ok
    21:36:19.0890 3828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:36:19.0890 3828 isapnp - ok
    21:36:19.0906 3828 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:36:19.0921 3828 Kbdclass - ok
    21:36:19.0968 3828 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    21:36:19.0968 3828 kbdhid - ok
    21:36:20.0031 3828 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:36:20.0031 3828 kmixer - ok
    21:36:20.0062 3828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:36:20.0062 3828 KSecDD - ok
    21:36:20.0109 3828 lbrtfdc - ok
    21:36:20.0171 3828 MBAMSwissArmy - ok
    21:36:20.0375 3828 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
    21:36:20.0375 3828 mfeapfk - ok
    21:36:20.0453 3828 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
    21:36:20.0468 3828 mfeavfk - ok
    21:36:20.0468 3828 mfeavfk01 - ok
    21:36:20.0500 3828 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
    21:36:20.0500 3828 mfebopk - ok
    21:36:20.0546 3828 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
    21:36:20.0546 3828 mfefirek - ok
    21:36:20.0609 3828 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
    21:36:20.0625 3828 mfehidk - ok
    21:36:20.0671 3828 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    21:36:20.0671 3828 mfendisk - ok
    21:36:20.0687 3828 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    21:36:20.0687 3828 mfendiskmp - ok
    21:36:20.0750 3828 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
    21:36:20.0750 3828 mferkdet - ok
    21:36:20.0843 3828 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
    21:36:20.0843 3828 mfetdi2k - ok
    21:36:20.0890 3828 Micorsoft Windows Service - ok
    21:36:20.0937 3828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:36:20.0937 3828 mnmdd - ok
    21:36:21.0015 3828 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:36:21.0015 3828 Modem - ok
    21:36:21.0046 3828 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:36:21.0046 3828 Mouclass - ok
    21:36:21.0109 3828 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:36:21.0109 3828 mouhid - ok
    21:36:21.0125 3828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:36:21.0125 3828 MountMgr - ok
    21:36:21.0140 3828 mraid35x - ok
    21:36:21.0171 3828 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:36:21.0187 3828 MRxDAV - ok
    21:36:21.0250 3828 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:36:21.0296 3828 MRxSmb - ok
    21:36:21.0343 3828 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:36:21.0343 3828 Msfs - ok
    21:36:21.0390 3828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:36:21.0406 3828 MSKSSRV - ok
    21:36:21.0468 3828 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:36:21.0468 3828 MSPCLOCK - ok
    21:36:21.0546 3828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:36:21.0546 3828 MSPQM - ok
    21:36:21.0593 3828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:36:21.0593 3828 mssmbios - ok
    21:36:21.0656 3828 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    21:36:21.0656 3828 Mup - ok
    21:36:21.0765 3828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:36:21.0765 3828 NDIS - ok
    21:36:21.0843 3828 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:36:21.0843 3828 NdisTapi - ok
    21:36:21.0921 3828 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:36:21.0921 3828 Ndisuio - ok
    21:36:21.0968 3828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:36:21.0968 3828 NdisWan - ok
    21:36:22.0015 3828 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:36:22.0015 3828 NDProxy - ok
    21:36:22.0093 3828 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:36:22.0093 3828 NetBIOS - ok
    21:36:22.0187 3828 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:36:22.0187 3828 NetBT - ok
    21:36:22.0312 3828 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:36:22.0312 3828 Npfs - ok
    21:36:22.0359 3828 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:36:22.0390 3828 Ntfs - ok
    21:36:22.0437 3828 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:36:22.0437 3828 Null - ok
    21:36:22.0500 3828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:36:22.0500 3828 NwlnkFlt - ok
    21:36:22.0500 3828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:36:22.0515 3828 NwlnkFwd - ok
    21:36:22.0593 3828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    21:36:22.0593 3828 Parport - ok
    21:36:22.0625 3828 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:36:22.0625 3828 PartMgr - ok
    21:36:22.0687 3828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:36:22.0687 3828 ParVdm - ok
    21:36:22.0703 3828 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:36:22.0703 3828 PCI - ok
    21:36:22.0734 3828 PCIDump - ok
    21:36:22.0781 3828 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    21:36:22.0796 3828 PCIIde - ok
    21:36:22.0843 3828 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    21:36:22.0843 3828 Pcmcia - ok
    21:36:22.0859 3828 PDCOMP - ok
    21:36:22.0953 3828 PDFRAME - ok
    21:36:22.0984 3828 PDRELI - ok
    21:36:23.0031 3828 PDRFRAME - ok
    21:36:23.0109 3828 perc2 - ok
    21:36:23.0156 3828 perc2hib - ok
    21:36:23.0312 3828 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:36:23.0312 3828 PptpMiniport - ok
    21:36:23.0359 3828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:36:23.0359 3828 PSched - ok
    21:36:23.0406 3828 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:36:23.0406 3828 Ptilink - ok
    21:36:23.0453 3828 ql1080 - ok
    21:36:23.0500 3828 Ql10wnt - ok
    21:36:23.0531 3828 ql12160 - ok
    21:36:23.0578 3828 ql1240 - ok
    21:36:23.0656 3828 ql1280 - ok
    21:36:23.0703 3828 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:36:23.0703 3828 RasAcd - ok
    21:36:23.0765 3828 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:36:23.0765 3828 Rasl2tp - ok
    21:36:23.0828 3828 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:36:23.0828 3828 RasPppoe - ok
    21:36:23.0906 3828 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:36:23.0906 3828 Raspti - ok
    21:36:23.0953 3828 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:36:23.0953 3828 Rdbss - ok
    21:36:24.0000 3828 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:36:24.0000 3828 RDPCDD - ok
    21:36:24.0062 3828 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:36:24.0062 3828 rdpdr - ok
    21:36:24.0125 3828 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:36:24.0125 3828 RDPWD - ok
    21:36:24.0187 3828 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:36:24.0187 3828 redbook - ok
    21:36:24.0312 3828 RT73 (bf4709c002d632170dc15a282813d6b3) C:\WINDOWS\system32\DRIVERS\rt73.sys
    21:36:24.0328 3828 RT73 - ok
    21:36:24.0453 3828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:36:24.0453 3828 Secdrv - ok
    21:36:24.0531 3828 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    21:36:24.0531 3828 senfilt - ok
    21:36:24.0578 3828 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    21:36:24.0578 3828 serenum - ok
    21:36:24.0609 3828 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    21:36:24.0609 3828 Serial - ok
    21:36:24.0687 3828 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:36:24.0687 3828 Sfloppy - ok
    21:36:24.0734 3828 Simbad - ok
    21:36:24.0812 3828 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    21:36:24.0812 3828 smwdm - ok
    21:36:24.0843 3828 Sparrow - ok
    21:36:24.0937 3828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:36:24.0937 3828 splitter - ok
    21:36:25.0000 3828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    21:36:25.0000 3828 sr - ok
    21:36:25.0062 3828 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:36:25.0078 3828 Srv - ok
    21:36:25.0109 3828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:36:25.0109 3828 swenum - ok
    21:36:25.0171 3828 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:36:25.0187 3828 swmidi - ok
    21:36:25.0250 3828 symc810 - ok
    21:36:25.0328 3828 symc8xx - ok
    21:36:25.0359 3828 sym_hi - ok
    21:36:25.0390 3828 sym_u3 - ok
    21:36:25.0453 3828 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:36:25.0453 3828 sysaudio - ok
    21:36:25.0546 3828 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:36:25.0546 3828 Tcpip - ok
    21:36:25.0593 3828 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:36:25.0593 3828 TDPIPE - ok
    21:36:25.0640 3828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:36:25.0640 3828 TDTCP - ok
    21:36:25.0687 3828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:36:25.0687 3828 TermDD - ok
    21:36:25.0734 3828 TosIde - ok
    21:36:25.0796 3828 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:36:25.0796 3828 Udfs - ok
    21:36:25.0812 3828 ultra - ok
    21:36:25.0875 3828 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    21:36:25.0890 3828 Update - ok
    21:36:25.0968 3828 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:36:25.0968 3828 usbccgp - ok
    21:36:26.0015 3828 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:36:26.0015 3828 usbehci - ok
    21:36:26.0046 3828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:36:26.0046 3828 usbhub - ok
    21:36:26.0093 3828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:36:26.0093 3828 usbprint - ok
    21:36:26.0156 3828 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:36:26.0156 3828 USBSTOR - ok
    21:36:26.0187 3828 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    21:36:26.0187 3828 usbuhci - ok
    21:36:26.0265 3828 VClone (1cdaa48cb2f7744b8d25650e050766a5) C:\WINDOWS\system32\DRIVERS\VClone.sys
    21:36:26.0265 3828 VClone - ok
    21:36:26.0296 3828 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:36:26.0312 3828 VgaSave - ok
    21:36:26.0359 3828 ViaIde - ok
    21:36:26.0421 3828 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:36:26.0421 3828 VolSnap - ok
    21:36:26.0500 3828 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:36:26.0500 3828 Wanarp - ok
    21:36:26.0531 3828 WDICA - ok
    21:36:26.0625 3828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:36:26.0625 3828 wdmaud - ok
    21:36:26.0859 3828 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:36:26.0984 3828 \Device\Harddisk0\DR0 - ok
    21:36:27.0000 3828 MBR (0x1B8) (fa5336aed3a1e2e264422e4ab865ae7b) \Device\Harddisk1\DR3
    21:36:30.0234 3828 \Device\Harddisk1\DR3 - ok
    21:36:30.0250 3828 Boot (0x1200) (e6b55c23be86f137bd054ea55b406768) \Device\Harddisk0\DR0\Partition0
    21:36:30.0250 3828 \Device\Harddisk0\DR0\Partition0 - ok
    21:36:30.0250 3828 ============================================================
    21:36:30.0250 3828 Scan finished
    21:36:30.0250 3828 ============================================================
    21:36:30.0296 3820 Detected object count: 0
    21:36:30.0296 3820 Actual detected object count: 0
     
  3. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  4. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Bootkit Remover

    I may have screwed this one up.

    When I did the ctrl+v into notepad I got the output from TDSSKiller again. I went back to the window, selected all again and this time when I did ctrl+c the window closed. I'm afraid I can't remember the contents.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Redo it one more time.
     
  6. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Same thing. This time I took a screenshot. I can type the whole thing if you need it but I imagine the important bit is under MBR status where it says:

    OK (DOS/Win32 Boot code found)
     
  7. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    That's good.

    Give me fresh Combofix log.
     
  8. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Fresh Combofix Log

    ComboFix 11-10-18.04 - Russell Dobash 10/20/2011 22:22:56.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1658 [GMT 1:00]
    Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-18 20:59 . 2011-10-20 21:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-10-20_02.23.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 12:00 . 2011-09-26 10:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
    + 2011-10-20 21:33 . 2011-10-20 21:33 114035 c:\windows\Temp\drggmmefohcljxih.exe
    - 2011-10-20 02:22 . 2011-10-20 02:22 114035 c:\windows\Temp\drggmmefohcljxih.exe
    + 2004-08-04 12:00 . 2011-09-26 10:41 220160 c:\windows\system32\dllcache\oleacc.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [2011-10-20 114035]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    lmllhkfv.exe [2011-10-20 114035]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-20 22:35
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3416)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-20 22:41:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-20 21:40
    ComboFix2.txt 2011-10-20 02:30
    ComboFix3.txt 2011-10-19 03:27
    .
    Pre-Run: 132,850,835,456 bytes free
    Post-Run: 132,845,301,760 bytes free
    .
    - - End Of File - - 05ACD1B4F82672686210454D61E8D2CA
     
  9. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Temp\drggmmefohcljxih.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    
    
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "LmlLhkfv"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  10. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    cfscript output

    ComboFix 11-10-18.04 - Russell Dobash 10/20/2011 22:53:11.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1623 [GMT 1:00]
    Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
    Command switches used :: F:\cfscript.txt
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    FILE ::
    "c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    "c:\windows\Temp\drggmmefohcljxih.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-10-20_02.23.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 12:00 . 2011-09-26 10:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
    + 2004-08-04 12:00 . 2011-09-26 10:41 220160 c:\windows\system32\dllcache\oleacc.dll
    + 2011-10-20 21:33 . 2011-10-20 21:35 114035 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    - 2011-10-18 20:59 . 2011-10-20 02:22 114035 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    lmllhkfv.exe [2011-10-20 114035]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-20 23:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-20 23:01:55
    ComboFix-quarantined-files.txt 2011-10-20 22:01
    ComboFix2.txt 2011-10-20 21:41
    ComboFix3.txt 2011-10-20 02:30
    ComboFix4.txt 2011-10-19 03:27
    .
    Pre-Run: 132,852,523,008 bytes free
    Post-Run: 132,835,389,440 bytes free
    .
    - - End Of File - - 064795802EFC658AF04BD8570B3090F8
     
  11. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Looks much better :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
     
  12. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    combofix.txt

    ComboFix 11-10-18.04 - Russell Dobash 10/20/2011 23:19:20.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1478 [GMT 1:00]
    Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
    Command switches used :: F:\cfscript.txt
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    FILE ::
    "c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-10-20_02.23.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 12:00 . 2011-09-26 10:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
    + 2004-08-04 12:00 . 2011-09-26 10:41 220160 c:\windows\system32\dllcache\oleacc.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-20 23:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-20 23:25:44
    ComboFix-quarantined-files.txt 2011-10-20 22:25
    ComboFix2.txt 2011-10-20 22:01
    ComboFix3.txt 2011-10-20 21:41
    ComboFix4.txt 2011-10-20 02:30
    ComboFix5.txt 2011-10-20 22:17
    .
    Pre-Run: 132,845,654,016 bytes free
    Post-Run: 132,830,543,872 bytes free
    .
    - - End Of File - - FC37B9AC049EC43EC7EF25EDA9EF5580
     
  13. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Excellent!
    It looks like we're out of the woods....

    How is computer doing?

    Post fresh OTL "Quick scan" log.
     
  14. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTL Quick Scan Output

    OTL logfile created on: 10/20/2011 11:35:32 PM - Run 4
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Russell Dobash\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 73.17% Memory free
    3.84 Gb Paging File | 3.42 Gb Available in Paging File | 89.01% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.92 Gb Total Space | 123.73 Gb Free Space | 83.09% Space Free | Partition Type: NTFS
    Drive F: | 1001.25 Mb Total Space | 1000.68 Mb Free Space | 99.94% Space Free | Partition Type: FAT32

    Computer Name: UNIVERSI-2DDE3C | User Name: Russell Dobash | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/10/20 18:34:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Russell Dobash\Desktop\OTL.exe
    PRC - [2011/01/17 16:15:32 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    PRC - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
    PRC - [2010/10/07 20:34:28 | 000,257,096 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\McVsShld.exe
    PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    PRC - [2009/11/17 12:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    PRC - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/02/14 11:53:48 | 003,338,296 | ---- | M] (Freecom) -- C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
    PRC - [2005/11/21 15:55:16 | 000,045,056 | ---- | M] (HP) -- C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    PRC - [2005/06/13 15:45:54 | 000,827,392 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    PRC - [2004/03/29 16:08:16 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/20 03:01:46 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_df620e42\mscorlib.dll
    MOD - [2011/10/20 03:01:42 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_8685ae70\system.drawing.dll
    MOD - [2011/10/20 03:01:31 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_a1e531e9\system.xml.dll
    MOD - [2011/10/20 03:01:25 | 003,018,752 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f00b8d1f\system.windows.forms.dll
    MOD - [2011/10/20 03:01:06 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_006ebf2b\system.dll
    MOD - [2011/10/20 03:00:53 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
    MOD - [2011/10/20 03:00:52 | 001,265,664 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
    MOD - [2009/11/17 12:08:34 | 000,197,424 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
    MOD - [2009/01/29 12:27:06 | 000,310,800 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\saset.dll
    MOD - [2009/01/29 12:27:04 | 000,652,304 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sacore.dll
    MOD - [2009/01/29 12:27:02 | 000,071,696 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\mcfrmwk.dll
    MOD - [2009/01/29 12:27:00 | 000,207,376 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\cntscan.dll
    MOD - [2009/01/29 12:26:58 | 000,117,264 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\apengine.dll
    MOD - [2009/01/23 10:46:22 | 000,351,248 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\saupkeep.dll
    MOD - [2009/01/23 10:46:18 | 000,013,840 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
    MOD - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    MOD - [2009/01/23 10:46:14 | 000,056,336 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\McSACorePS.dll
    MOD - [2007/12/02 13:22:33 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
    MOD - [2007/12/02 13:22:32 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
    MOD - [2007/12/02 13:22:31 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
    MOD - [2007/12/02 13:22:30 | 002,052,096 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
    MOD - [2007/12/02 13:22:30 | 000,131,072 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
    MOD - [2007/05/11 00:50:00 | 000,017,024 | ---- | M] () -- C:\Program Files\Adobe\Reader 8.0\Reader\ViewerPS.dll
    MOD - [2005/08/10 15:36:52 | 000,045,056 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\Security.dll
    MOD - [2005/06/13 15:45:54 | 000,827,392 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    MOD - [2004/03/29 16:08:16 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    MOD - [2003/10/08 11:23:36 | 000,040,960 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\RM_DEV_CODE.dll
    MOD - [2003/06/30 15:37:14 | 000,036,864 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\ProcNICs.dll
    MOD - [2002/10/03 11:57:30 | 000,110,592 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\PingDLL.dll
    MOD - [2002/04/09 07:49:22 | 000,110,592 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\GEMWEP.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
    SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
    SRV - [2010/10/07 20:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/11/17 12:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2004/03/29 16:08:16 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Unknown | Running] -- -- (Micorsoft Windows Service)
    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2010/10/13 22:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/11/17 12:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2009/10/07 13:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/12/13 15:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
    DRV - [2005/11/28 21:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
    DRV - [2005/09/20 11:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
    DRV - [2005/08/02 23:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
    DRV - [2005/03/17 16:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 13:30:31 | 000,000,000 | ---D | M]


    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\gcswf32.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\pdf.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin

    O1 HOSTS File: ([2011/10/20 23:24:01 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
    O4 - HKCU..\Run: [LmlLhkfv] C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2C06FEDC-A9E2-4DCB-AAA4-435CE2FF8659}: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) -C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/07/10 12:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/10/20 23:35:16 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Russell Dobash\Desktop\OTL.exe
    [2011/10/20 23:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
    [2011/10/20 22:33:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/20 21:55:54 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Documents and Settings\Russell Dobash\Desktop\boot_cleaner.exe
    [2011/10/20 21:35:40 | 001,559,856 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Russell Dobash\Desktop\tdsskiller.exe
    [2011/10/20 13:49:02 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Russell Dobash\Desktop\FixTDSS.exe
    [2011/10/20 03:04:14 | 004,265,077 | R--- | C] (Swearware) -- C:\Documents and Settings\Russell Dobash\Desktop\ComboFix.exe
    [2011/10/19 08:07:38 | 004,265,077 | R--- | C] (Swearware) -- C:\ComboFix.exe
    [2011/10/19 04:00:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/10/19 03:12:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/10/19 03:12:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/10/19 03:12:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/10/19 03:12:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/10/19 03:12:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/10/19 03:11:52 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/10/16 19:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
    [2011/10/15 16:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
    [2011/10/14 21:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/10/13 21:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
    [2011/10/13 21:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
    [2011/10/13 18:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 18:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/10/13 18:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/10/10 12:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2011/10/08 16:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
    [2011/10/03 13:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote

    ========== Files - Modified Within 30 Days ==========

    [2011/10/20 23:31:57 | 000,114,035 | --S- | M] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/20 23:24:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/10/20 23:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    [2011/10/20 22:34:51 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2011/10/20 22:34:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/10/20 22:33:56 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/20 22:33:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/10/20 22:09:23 | 000,039,478 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\remover.JPG
    [2011/10/20 21:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/20 18:34:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Russell Dobash\Desktop\OTL.exe
    [2011/10/20 16:32:52 | 001,559,856 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Russell Dobash\Desktop\tdsskiller.exe
    [2011/10/20 08:45:38 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Russell Dobash\Desktop\FixTDSS.exe
    [2011/10/20 03:22:04 | 000,307,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/10/20 03:06:55 | 000,006,962 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
    [2011/10/20 03:03:41 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/10/19 21:52:58 | 000,450,862 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.zip
    [2011/10/19 04:00:55 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/10/19 03:04:46 | 004,265,077 | R--- | M] (Swearware) -- C:\Documents and Settings\Russell Dobash\Desktop\ComboFix.exe
    [2011/10/19 03:04:46 | 004,265,077 | R--- | M] (Swearware) -- C:\ComboFix.exe
    [2011/10/17 17:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/17 11:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    [2011/10/15 10:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/10/14 10:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/10/14 10:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/10/13 18:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 10:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 13:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 14:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 13:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 15:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2011/09/25 17:04:00 | 000,456,828 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.exe

    ========== Files Created - No Company Name ==========

    [2011/10/20 23:31:58 | 000,114,035 | --S- | C] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe
    [2011/10/20 22:09:23 | 000,039,478 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\remover.JPG
    [2011/10/20 02:56:22 | 000,456,828 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.exe
    [2011/10/20 02:56:10 | 000,450,862 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.zip
    [2011/10/19 04:00:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/10/19 04:00:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/10/19 03:12:14 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/10/19 03:12:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/10/19 03:12:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/10/19 03:12:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/10/19 03:12:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/10/17 17:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/13 18:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 10:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 13:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
    [2011/09/29 13:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
    [2011/09/29 10:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 14:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 13:41:43 | 000,006,962 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 13:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 15:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2009/11/17 12:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2009/11/17 12:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2007/09/05 14:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
    [2007/06/25 14:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2007/06/25 14:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
    [2007/06/25 14:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
    [2007/06/25 14:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
    [2007/06/25 11:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
    [2007/06/25 11:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
    [2007/06/23 11:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2007/06/23 11:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
    [2007/06/23 11:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
    [2007/03/16 15:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
    [2006/12/02 11:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
    [2006/09/20 13:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
    [2006/09/20 13:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
    [2006/08/28 14:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
    [2006/08/28 14:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
    [2006/08/28 14:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
    [2006/08/28 14:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
    [2006/08/24 12:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/07/10 13:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/07/10 13:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/07/10 12:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/07/10 12:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/07/10 12:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/04 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 13:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 13:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 13:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 13:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2009/12/21 17:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
    [2010/03/09 14:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
    [2010/03/09 14:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS
    [2011/10/03 13:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
    [2007/11/28 18:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
    [2010/09/20 13:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
    [2009/12/21 18:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems

    ========== Purity Check ==========



    < End of report >
     
  15. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    You didn't say:
     
  16. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Sorry Broni. I was just checking things out.

    Google searches on IE: good no hijacking
    McAfee: opens a blank window
    Adobe reader: still gets invalid plugin and more worryingly opens a command prompt titled
    "c:\windows\system32\ntvdm.exe"
     
  17. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Your computer was very seriously infected.
    You may need to reinstall McAfee and Adobe Reader.
    As for McAfee use removal tool: http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html
    Install fresh copy.

    But run this first...

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | Unknown | Running] -- -- (Micorsoft Windows Service)
      O4 - HKCU..\Run: [LmlLhkfv] C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
      O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe ()
      O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) -C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
      [2011/10/20 23:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
      [2011/10/20 23:31:57 | 000,114,035 | --S- | M] () -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.
     
  18. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTL Fix Output

    All processes killed
    ========== OTL ==========
    Error: Unable to stop service Micorsoft Windows Service!
    Service\Driver key Micorsoft Windows Service not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\LmlLhkfv deleted successfully.
    File move failed. C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe scheduled to be moved on reboot.
    File move failed. C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe scheduled to be moved on reboot.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe deleted successfully.
    File \Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) -C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
    Folder move failed. C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi scheduled to be moved on reboot.
    File move failed. C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe scheduled to be moved on reboot.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Russell Dobash
    ->Temp folder emptied: 167283 bytes
    ->Temporary Internet Files folder emptied: 1081909 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 886 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 345 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Russell Dobash
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 10212011_000245

    Files\Folders moved on Reboot...
    File move failed. C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe scheduled to be moved on reboot.
    File move failed. C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\lmllhkfv.exe scheduled to be moved on reboot.
    Folder move failed. C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  19. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OTL Quick Scan Output

    OTL logfile created on: 10/21/2011 12:08:15 AM - Run 5
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Russell Dobash\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 73.37% Memory free
    3.84 Gb Paging File | 3.44 Gb Available in Paging File | 89.71% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.92 Gb Total Space | 123.71 Gb Free Space | 83.07% Space Free | Partition Type: NTFS
    Drive F: | 1001.25 Mb Total Space | 997.86 Mb Free Space | 99.66% Space Free | Partition Type: FAT32

    Computer Name: UNIVERSI-2DDE3C | User Name: Russell Dobash | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/10/20 18:34:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Russell Dobash\Desktop\OTL.exe
    PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    PRC - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
    PRC - [2010/10/12 14:56:44 | 000,164,384 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\McVsMap.exe
    PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    PRC - [2009/11/17 12:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    PRC - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/02/14 11:53:48 | 003,338,296 | ---- | M] (Freecom) -- C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
    PRC - [2005/11/21 15:55:16 | 000,045,056 | ---- | M] (HP) -- C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    PRC - [2005/06/13 15:45:54 | 000,827,392 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    PRC - [2004/03/29 16:08:16 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/20 03:01:46 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_df620e42\mscorlib.dll
    MOD - [2011/10/20 03:01:42 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_8685ae70\system.drawing.dll
    MOD - [2011/10/20 03:01:31 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_a1e531e9\system.xml.dll
    MOD - [2011/10/20 03:01:25 | 003,018,752 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f00b8d1f\system.windows.forms.dll
    MOD - [2011/10/20 03:01:06 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_006ebf2b\system.dll
    MOD - [2011/10/20 03:00:53 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
    MOD - [2011/10/20 03:00:52 | 001,265,664 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
    MOD - [2009/11/17 12:08:34 | 000,197,424 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
    MOD - [2009/01/29 12:27:06 | 000,310,800 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\saset.dll
    MOD - [2009/01/29 12:27:04 | 000,652,304 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sacore.dll
    MOD - [2009/01/29 12:27:02 | 000,071,696 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\mcfrmwk.dll
    MOD - [2009/01/29 12:27:00 | 000,207,376 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\cntscan.dll
    MOD - [2009/01/29 12:26:58 | 000,117,264 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\apengine.dll
    MOD - [2009/01/23 10:46:22 | 000,351,248 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\saupkeep.dll
    MOD - [2009/01/23 10:46:18 | 000,013,840 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
    MOD - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    MOD - [2009/01/23 10:46:14 | 000,056,336 | ---- | M] () -- c:\Program Files\McAfee\SiteAdvisor\McSACorePS.dll
    MOD - [2007/12/02 13:22:33 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
    MOD - [2007/12/02 13:22:32 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
    MOD - [2007/12/02 13:22:31 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
    MOD - [2007/12/02 13:22:30 | 002,052,096 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
    MOD - [2007/12/02 13:22:30 | 000,131,072 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
    MOD - [2005/08/10 15:36:52 | 000,045,056 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\Security.dll
    MOD - [2005/06/13 15:45:54 | 000,827,392 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    MOD - [2004/03/29 16:08:16 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    MOD - [2003/10/08 11:23:36 | 000,040,960 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\RM_DEV_CODE.dll
    MOD - [2003/06/30 15:37:14 | 000,036,864 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\ProcNICs.dll
    MOD - [2002/10/03 11:57:30 | 000,110,592 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\PingDLL.dll
    MOD - [2002/04/09 07:49:22 | 000,110,592 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\GEMWEP.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
    SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
    SRV - [2010/10/07 20:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/11/17 12:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2009/01/23 10:46:14 | 000,203,280 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2004/03/29 16:08:16 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Disabled | Running] -- -- (Micorsoft Windows Service)
    DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2010/10/13 22:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/11/17 12:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2009/10/07 13:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/12/13 15:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
    DRV - [2005/11/28 21:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
    DRV - [2005/09/20 11:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
    DRV - [2005/08/02 23:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
    DRV - [2005/03/17 16:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 13:30:31 | 000,000,000 | ---D | M]


    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\gcswf32.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\pdf.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin

    O1 HOSTS File: ([2011/10/20 23:24:01 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
    O4 - HKCU..\Run: [LmlLhkfv] C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
    O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2C06FEDC-A9E2-4DCB-AAA4-435CE2FF8659}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CF6EECDD-5905-4FCB-9358-4CEEAACF8E93}: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) -C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe File not found
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/07/10 12:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2011/10/21 00:10:46 | 000,000,000 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/10/21 00:06:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/10/21 00:03:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2011/10/20 23:35:16 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Russell Dobash\Desktop\OTL.exe
    [2011/10/20 23:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\dgtvwkvi
    [2011/10/20 21:55:54 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Documents and Settings\Russell Dobash\Desktop\boot_cleaner.exe
    [2011/10/20 21:35:40 | 001,559,856 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Russell Dobash\Desktop\tdsskiller.exe
    [2011/10/20 13:49:02 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Russell Dobash\Desktop\FixTDSS.exe
    [2011/10/19 04:00:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/10/19 03:12:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/10/19 03:12:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/10/19 03:12:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/10/19 03:12:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/10/19 03:12:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/10/19 03:11:52 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/10/16 19:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
    [2011/10/15 16:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
    [2011/10/14 21:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/10/13 21:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
    [2011/10/13 21:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
    [2011/10/13 18:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/13 18:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/10/13 18:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/10/10 12:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2011/10/08 16:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
    [2011/10/03 13:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote

    ========== Files - Modified Within 30 Days ==========

    [2011/10/21 00:07:16 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2011/10/21 00:07:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/10/21 00:06:59 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/21 00:06:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/10/21 00:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    [2011/10/20 23:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/20 23:24:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/10/20 22:09:23 | 000,039,478 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\remover.JPG
    [2011/10/20 18:34:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Russell Dobash\Desktop\OTL.exe
    [2011/10/20 16:32:52 | 001,559,856 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Russell Dobash\Desktop\tdsskiller.exe
    [2011/10/20 08:45:38 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Russell Dobash\Desktop\FixTDSS.exe
    [2011/10/20 03:22:04 | 000,307,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/10/20 03:06:55 | 000,006,962 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
    [2011/10/20 03:03:41 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/10/19 21:52:58 | 000,450,862 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.zip
    [2011/10/19 04:00:55 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/10/19 03:04:46 | 004,265,077 | R--- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\ComboFix.exe
    [2011/10/19 03:04:46 | 004,265,077 | R--- | M] () -- C:\ComboFix.exe
    [2011/10/17 17:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/17 11:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    [2011/10/15 10:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/10/14 10:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/10/14 10:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/10/13 18:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 10:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 13:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 14:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 13:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 15:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2011/09/25 17:04:00 | 000,456,828 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.exe

    ========== Files Created - No Company Name ==========

    [2011/10/20 22:09:23 | 000,039,478 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\remover.JPG
    [2011/10/20 03:04:14 | 004,265,077 | R--- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\ComboFix.exe
    [2011/10/20 02:56:22 | 000,456,828 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.exe
    [2011/10/20 02:56:10 | 000,450,862 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\GrantPerms.zip
    [2011/10/19 08:07:38 | 004,265,077 | R--- | C] () -- C:\ComboFix.exe
    [2011/10/19 04:00:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/10/19 04:00:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/10/19 03:12:14 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/10/19 03:12:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/10/19 03:12:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/10/19 03:12:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/10/19 03:12:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/10/17 17:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/10/13 18:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
    [2011/10/08 10:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
    [2011/10/03 13:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
    [2011/09/29 13:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
    [2011/09/29 10:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
    [2011/09/28 14:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
    [2011/09/28 13:41:43 | 000,006,962 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2011/09/28 13:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
    [2011/09/27 15:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
    [2009/11/17 12:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2009/11/17 12:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2007/09/05 14:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
    [2007/06/25 14:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2007/06/25 14:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
    [2007/06/25 14:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
    [2007/06/25 14:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
    [2007/06/25 11:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
    [2007/06/25 11:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
    [2007/06/23 11:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2007/06/23 11:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
    [2007/06/23 11:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
    [2007/03/16 15:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
    [2006/12/02 11:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
    [2006/09/20 13:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
    [2006/09/20 13:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
    [2006/08/28 14:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
    [2006/08/28 14:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
    [2006/08/28 14:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
    [2006/08/28 14:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
    [2006/08/24 12:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/07/10 13:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/07/10 13:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/07/10 12:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/07/10 12:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/07/10 12:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/04 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 13:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 13:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 13:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 13:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2009/12/21 17:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
    [2010/03/09 14:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
    [2010/03/09 14:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS
    [2011/10/03 13:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
    [2007/11/28 18:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
    [2010/09/20 13:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
    [2009/12/21 18:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems

    ========== Purity Check ==========



    < End of report >
     
  20. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    A bit of bad news. The USB stick corruption has reappeared.
     
  21. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    I can see our issue is back.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  22. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    I typed the link in the address bar and it just went back to google.co.uk
     
  23. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    I can now get to techspot on the infected computer but clicking the link in the post the address that comes up is go.redirectingat com then I get OOps IE could not connect to www.eset.com
     
  24. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    OK. Do NOT connect any USB sticks anymore.
    That stick may be an issue.

    Post new aswMBR log.

    Delete your Combofix file, download fresh one and post new log.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    We posted at the same time.
    Read my previous reply.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.