TechSpot

I believe that it's Win32:Bamital-X

By d3m0nc1aw
Sep 10, 2010
  1. When I run Avast it says that it's Win32:Bamital-X and that it is a read-only file and it cannot be removed by Avast. So I did some reading and saw that other people had this same problem, and so I tried some of the things that they did, but my problem is that I cannot gain access to my desktop if I am not booted in safe mode and the programs will not run. I can open the task manager, so I opened that and tried to run

    Explorer.exe

    but that didn't work; it said that the program I am trying to access is unavailable.

    So any suggestions?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Welcome aboard

    The following programs can be run from Safe Mode/Safe Mode with Networking.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Thanks for the reply.
    Here's the log for ComboFix.

    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Katy Lutz\Adorable.scr
    c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909C.manifest
    c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909O.manifest
    c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909P.manifest
    c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909S.manifest
    c:\documents and settings\Katy Lutz\uninstall Adorable.exe
    c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909C.manifest
    c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909O.manifest
    c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909P.manifest
    c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909S.manifest
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\chrome.manifest
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\chrome\content\_cfg.js
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\chrome\content\overlay.xul
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\install.rdf
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\Windows Server
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\Windows Server\admin.txt
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\Natalie Lutz\Application Data\DataSafeDotNet.exe
    c:\program files\AskSearch\bin\DefaultSearch.dll
    c:\windows\system32\611151665
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\unrar.exe
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll

    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\explorer.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_npf


    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .

    2010-09-08 22:07 . 2010-09-08 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
    2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
    2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\program files\CCleaner
    2010-09-01 19:49 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-08-31 14:09 . 2010-08-31 14:09 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-08-31 01:30 . 2010-08-31 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
    2010-08-26 23:35 . 2010-09-11 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-26 23:35 . 2010-08-26 23:35 -------- d-----w- c:\program files\Alwil Software
    2010-08-26 23:29 . 2010-08-26 23:29 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-26 22:03 . 2010-08-26 22:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-26 22:01 . 2010-08-26 22:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-08-26 20:04 . 2010-08-27 12:24 2838 ----a-w- c:\windows\Iceqahaqevemite.dat
    2010-08-26 20:04 . 2010-08-27 04:57 0 ----a-w- c:\windows\Mratumejabive.bin
    2010-08-26 20:04 . 2010-08-26 20:04 -------- d-----w- c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
    2010-08-26 20:01 . 2010-08-26 20:01 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923
    2010-08-26 19:44 . 2010-08-26 19:44 45116 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\Conduit
    2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\XfireXO
    2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\Conduit
    2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\XfireXO
    2010-08-14 11:52 . 2010-09-07 22:24 -------- d-----w- c:\program files\StepMania
    2010-08-13 21:55 . 2010-08-13 21:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
    2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\XfireXO
    2010-08-13 06:21 . 2010-08-13 06:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- C:\4848b493421c2e5185

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-11 03:01 . 2009-04-01 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2010-09-11 02:57 . 2010-01-15 22:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-11 02:55 . 2009-03-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-11 02:39 . 2009-04-03 23:47 -------- d-----w- c:\program files\Steam
    2010-09-07 22:10 . 2010-02-28 04:44 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\Audacity
    2010-09-01 20:00 . 2009-04-25 18:16 -------- d-----w- c:\program files\Yahoo!
    2010-08-27 13:29 . 2009-04-04 01:12 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\DNA
    2010-08-27 12:24 . 2009-04-04 01:12 -------- d-----w- c:\program files\DNA
    2010-08-27 04:57 . 2009-04-04 01:04 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\LimeWire
    2010-08-26 21:51 . 2009-03-26 03:50 50056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-26 20:01 . 2010-08-26 20:01 225280 ----a-w- c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923\newsecureapp70700.exe
    2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
    2010-08-15 12:46 . 2009-04-01 20:25 50056 ----a-w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-14 21:47 . 2009-04-01 20:57 50056 ----a-w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-12 23:28 . 2009-04-04 01:13 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\BitTorrent
    2010-08-03 14:19 . 2009-03-26 03:44 -------- d-----w- c:\program files\McAfee
    2010-08-03 13:59 . 2009-04-03 23:43 50056 ----a-w- c:\documents and settings\Michael Bryant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-03 13:59 . 2010-08-03 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-08-03 13:57 . 2010-08-03 13:57 65536 ----a-r- c:\documents and settings\Michael Bryant\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
    2010-08-03 13:56 . 2010-08-03 13:56 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
    2010-08-03 13:56 . 2009-03-26 03:41 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-18 18:19 . 2010-07-18 18:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
    2010-07-17 23:52 . 2010-07-17 23:52 -------- d-----w- c:\program files\XfireXO
    2010-07-17 23:52 . 2010-07-17 23:52 -------- d-----w- c:\program files\Conduit
    2010-07-17 23:45 . 2010-07-17 23:45 -------- d-----w- c:\program files\Z8Games
    2010-07-17 13:22 . 2009-07-27 02:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-17 13:22 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-07-17 13:21 . 2009-07-27 02:05 -------- d-----w- c:\program files\ParetoLogic
    2010-07-17 13:21 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2010-07-15 19:18 . 2009-03-26 03:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
    2010-07-03 13:16 . 2010-05-08 22:11 99 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences2.dat
    2010-07-03 13:00 . 2010-05-08 22:10 46 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences.dat
    2010-07-02 14:25 . 2010-09-01 02:38 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
    2010-07-02 14:25 . 2010-09-01 02:38 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
    2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 02:14 . 2008-04-25 16:16 1861120 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 20:50 . 2010-06-22 20:50 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1E.tmp.exe
    2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-19 00:12 . 2009-04-04 21:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-19 00:11 . 2009-04-04 12:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . 6BA2B344AD063BB35ADA1D33EFF8FA2B . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

    [-] 2008-04-14 . 9AB873E5C3DE27BCDEA5343EA6EA95CB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    2010-06-13 23:10 2734688 ----a-w- c:\program files\XfireXO\tbXfir.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-13 2734688]

    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
    "iPodVideoConverter_upgrade"="c:\program files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" [2009-09-08 503808]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Michael Bryant\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-03-26 03:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\d3m0nc1aw\\team fortress classic\\hl.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/4/2009 8:37 AM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:16 PM 135664]
    S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:11]

    2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

    2010-08-14 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4251465998.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

    2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

    2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

    2009-06-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

    2009-11-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

    2010-08-14 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

    2009-12-29 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vo.mcbh.org/MLWebCacheCleaner.cab
    DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKCU-Run-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-11 09:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
     
  4. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

    - - - - - - - > 'explorer.exe'(3040)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\McAfee\MSK\MskSrver.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\windows\system32\msiexec.exe
    c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    c:\progra~1\mcafee\msc\mcupdmgr.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    c:\progra~1\mcafee\msc\mcupdui.exe
    c:\program files\mcafee\virusscan\mcinsupd.exe
    c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-11 09:19:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-11 13:19

    Pre-Run: 461,987,045,376 bytes free
    Post-Run: 458,944,847,872 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 9E66EDD22C1F77494E537F8819BD6168
     
  5. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    The Combofix header is missing. Please always post the entire log.

    Are you able to operate from normal mode now?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      explorer.exe
      winlogon.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    =======================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Iceqahaqevemite.dat
    c:\windows\Mratumejabive.bin
    
    
    Folder::
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
    c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923
    
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride = <local>
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
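The CFScript above uses ComboFix's directive format: `File::` and `Folder::` list items to delete, `DDS::` lists report lines to clear (here the proxy that points the browser at 127.0.0.1:6522), `Registry::` is .reg syntax where `"name"=-` deletes a value (the DisableMonitoring entries that hid McAfee from Security Center), and `RegNull::` names locked keys containing unprintable characters. The parser below is an added illustration for reviewing such a script as a plan before it runs; it is not ComboFix code, the `Action` kinds are my own names, and the unprintable RegNull key is replaced by a labelled placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample: the CFScript from this thread, with the unprintable
# RegNull key name replaced by a placeholder so the text stays ASCII.
CFSCRIPT = r"""File::
c:\windows\Iceqahaqevemite.dat
c:\windows\Mratumejabive.bin

Folder::
c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\PLACEHOLDER-UNPRINTABLE-KEY]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass(frozen=True)
class Action:
    kind: str      # hypothetical action name chosen for this illustration
    target: str    # file, folder, DDS line or registry key
    detail: str = ""  # registry value name (and data for a set)


def parse_cfscript(text):
    """Split a CFScript into {directive: [lines]}, keeping line order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines separate sections
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any directive: {line!r}")
        sections[current].append(line)
    return sections


def build_plan(sections):
    """Turn parsed directives into a reviewable list of Actions."""
    plan = []
    for name, lines in sections.items():
        if name == "File":
            plan += [Action("delete_file", p) for p in lines]
        elif name == "Folder":
            plan += [Action("delete_folder", p) for p in lines]
        elif name == "DDS":
            # Each DDS line names a report entry to be cleared, e.g. the proxy.
            plan += [Action("reset_dds", entry) for entry in lines]
        elif name == "Registry":
            key = None
            for line in lines:
                k = REG_KEY_RE.match(line)
                if k:
                    key = k.group(1)
                    continue
                v = REG_VALUE_RE.match(line)
                if v is None or key is None:
                    raise ValueError(f"bad Registry:: line: {line!r}")
                if v["data"] == "-":      # .reg syntax: "=-" deletes the value
                    plan.append(Action("registry_delete_value", key, v["name"]))
                else:
                    plan.append(Action("registry_set_value", key,
                                       f'{v["name"]}={v["data"]}'))
        elif name == "RegNull":
            for line in lines:
                k = REG_KEY_RE.match(line)
                plan.append(Action("regnull_key", k.group(1) if k else line))
        else:
            raise ValueError(f"unsupported directive {name}::")
    return plan


if __name__ == "__main__":
    for action in build_plan(parse_cfscript(CFSCRIPT)):
        print(f"{action.kind:22} {action.target} {action.detail}".rstrip())
```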
     
  6. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Systemlook Log:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 15:01 on 11/09/2010 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.exe"
    C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

    Searching for "winlogon.exe"
    C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

    -= EOF =-
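ComboFix's Sigcheck section marks winlogon.exe and explorer.exe with `[-]` (failed its check) and the SystemLook `:filefind` output reports the same sizes and MD5s for those files, which is how a helper confirms a file-infector such as Bamital has patched the binaries rather than replaced them. The script below is an added example, not part of either tool: it parses both outputs as posted in this thread, checks that the two tools agree on size and hash, and compares against a known-good table whose hash values are placeholders (a real one would hold the vendor's published hashes for that file version).

```python
import os
import re
from dataclasses import dataclass

# Constructed sample inputs, copied in the shape of the logs posted above
# (paths, sizes, versions and MD5s are the thread's own values).
SYSTEMLOOK_LOG = r"""SystemLook 04.09.10 by jpshortstuff
========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

-= EOF =-
"""

COMBOFIX_SIGCHECK = r"""------- Sigcheck -------

[-] 2008-04-14 . 6BA2B344AD063BB35ADA1D33EFF8FA2B . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 9AB873E5C3DE27BCDEA5343EA6EA95CB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
"""

# PLACEHOLDER allow-list keyed by (file name, version). These hashes are
# made up for the demo; a real table holds the vendor's published MD5s.
KNOWN_GOOD_MD5 = {
    ("explorer.exe", "6.00.2900.5512"): "00000000000000000000000000000001",
    ("winlogon.exe", "5.1.2600.5512"): "00000000000000000000000000000002",
}

SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    md5: str            # upper-case hex
    version: str = ""   # Sigcheck only
    flag: str = ""      # Sigcheck only: "-" means the file failed the check


@dataclass(frozen=True)
class Finding:
    path: str
    flagged_by_combofix: bool
    tools_agree: bool          # SystemLook and ComboFix report same size and MD5
    matches_known_good: bool   # MD5 equals the allow-list entry for that version


def parse_systemlook(text):
    """Map lower-cased path -> FileRecord from SystemLook :filefind output."""
    records = {}
    for line in text.splitlines():
        m = SYSTEMLOOK_RE.match(line.strip())
        if m:
            rec = FileRecord(m["path"], int(m["size"]), m["md5"].upper())
            records[rec.path.lower()] = rec
    return records


def parse_sigcheck(text):
    """Extract the [flag] date . md5 . size . . [version] . . path lines."""
    out = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append(FileRecord(m["path"], int(m["size"]), m["md5"].upper(),
                                  m["version"], m["flag"].strip()))
    return out


def cross_check(sigcheck, systemlook, known_good):
    """One Finding per Sigcheck entry: consistency between tools + allow-list."""
    findings = []
    for sc in sigcheck:
        sl = systemlook.get(sc.path.lower())
        agree = sl is not None and sl.size == sc.size and sl.md5 == sc.md5
        name = os.path.basename(sc.path.replace("\\", "/")).lower()
        expected = known_good.get((name, sc.version))
        good = expected is not None and expected.upper() == sc.md5
        findings.append(Finding(sc.path, sc.flag == "-", agree, good))
    return findings


if __name__ == "__main__":
    for f in cross_check(parse_sigcheck(COMBOFIX_SIGCHECK),
                         parse_systemlook(SYSTEMLOOK_LOG), KNOWN_GOOD_MD5):
        print(f)
```

A file that both tools report consistently but whose hash is not on the allow-list for its version is the pattern to treat as a patched system binary, which is what the thread's helper concluded for these two files.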
     
  7. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Combo Fix:

    ComboFix 10-09-09.04 - Administrator 09/11/2010 15:14:43.2.4 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.3038 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\Iceqahaqevemite.dat"
    "c:\windows\Mratumejabive.bin"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Heather Lutz\Application Data\64dlls.exe
    c:\documents and settings\Heather Lutz\Application Data\intel64.exe
    c:\documents and settings\Heather Lutz\Application Data\Kernel32.exe
    c:\documents and settings\Heather Lutz\Application Data\localsys64.exe
    c:\documents and settings\Heather Lutz\Application Data\ntos.exe
    c:\documents and settings\Heather Lutz\Application Data\oembios.exe
    c:\documents and settings\Heather Lutz\Application Data\sdra64.exe
    c:\documents and settings\Heather Lutz\Application Data\sdra73.exe
    c:\documents and settings\Heather Lutz\Application Data\swin32.exe
    c:\documents and settings\Heather Lutz\Application Data\twex.exe
    c:\documents and settings\Heather Lutz\Application Data\twext.exe
    c:\documents and settings\Heather Lutz\Application Data\wsnpoema.exe
    c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923
    c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923\newsecureapp70700.exe
    c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
    c:\windows\Iceqahaqevemite.dat
    c:\windows\Mratumejabive.bin

    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\explorer.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .

    2010-09-11 13:19 . 2010-09-11 13:19 -------- d-----w- c:\windows\LastGood
    2010-09-08 22:07 . 2010-09-08 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
    2010-09-01 20:00 . 2010-09-11 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
    2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\program files\CCleaner
    2010-09-01 19:49 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-09-01 02:38 . 2010-07-09 14:26 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
    2010-09-01 02:38 . 2010-07-02 14:25 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
    2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
    2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
    2010-08-31 14:09 . 2010-08-31 14:09 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-08-31 01:30 . 2010-08-31 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
    2010-08-26 23:35 . 2010-09-11 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-26 23:35 . 2010-08-26 23:35 -------- d-----w- c:\program files\Alwil Software
    2010-08-26 23:29 . 2010-08-26 23:29 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-26 22:03 . 2010-08-26 22:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-26 22:01 . 2010-08-26 22:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-08-26 19:44 . 2010-08-26 19:44 45116 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\Conduit
    2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\XfireXO
    2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\Conduit
    2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\XfireXO
    2010-08-14 11:52 . 2010-09-07 22:24 -------- d-----w- c:\program files\StepMania
    2010-08-13 21:55 . 2010-08-13 21:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
    2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\XfireXO
    2010-08-13 06:21 . 2010-08-13 06:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-11 18:56 . 2009-04-04 01:12 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\DNA
    2010-09-11 17:49 . 2009-04-03 23:47 -------- d-----w- c:\program files\Steam
    2010-09-11 14:33 . 2010-02-28 04:44 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\Audacity
    2010-09-11 13:46 . 2009-04-04 01:04 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\LimeWire
    2010-09-11 13:44 . 2009-04-04 01:12 -------- d-----w- c:\program files\DNA
    2010-09-11 13:29 . 2010-07-17 23:52 -------- d-----w- c:\program files\XfireXO
    2010-09-11 13:19 . 2009-03-26 03:44 -------- d-----w- c:\program files\McAfee
    2010-09-11 03:01 . 2009-04-01 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2010-09-11 02:57 . 2010-01-15 22:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-11 02:55 . 2009-03-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-01 20:00 . 2009-04-25 18:16 -------- d-----w- c:\program files\Yahoo!
    2010-08-26 21:51 . 2009-03-26 03:50 50056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-15 12:46 . 2009-04-01 20:25 50056 ----a-w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-14 21:47 . 2009-04-01 20:57 50056 ----a-w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-12 23:28 . 2009-04-04 01:13 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\BitTorrent
    2010-08-03 13:59 . 2009-04-03 23:43 50056 ----a-w- c:\documents and settings\Michael Bryant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-03 13:59 . 2010-08-03 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-08-03 13:57 . 2010-08-03 13:57 65536 ----a-r- c:\documents and settings\Michael Bryant\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
    2010-08-03 13:56 . 2010-08-03 13:56 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
    2010-08-03 13:56 . 2009-03-26 03:41 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-18 18:19 . 2010-07-18 18:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
    2010-07-17 23:52 . 2010-07-17 23:52 -------- d-----w- c:\program files\Conduit
    2010-07-17 23:45 . 2010-07-17 23:45 -------- d-----w- c:\program files\Z8Games
    2010-07-17 13:22 . 2009-07-27 02:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-17 13:22 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-07-17 13:21 . 2009-07-27 02:05 -------- d-----w- c:\program files\ParetoLogic
    2010-07-17 13:21 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2010-07-15 19:18 . 2009-03-26 03:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-03 13:16 . 2010-05-08 22:11 99 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences2.dat
    2010-07-03 13:00 . 2010-05-08 22:10 46 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences.dat
    2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 02:14 . 2008-04-25 16:16 1861120 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 20:50 . 2010-06-22 20:50 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1E.tmp.exe
    2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-19 00:12 . 2009-04-04 21:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-19 00:11 . 2009-04-04 12:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . 6BA2B344AD063BB35ADA1D33EFF8FA2B . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

    [-] 2008-04-14 . 9AB873E5C3DE27BCDEA5343EA6EA95CB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    2010-09-11 13:29 2735200 ----a-w- c:\program files\XfireXO\tbXfi1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfi1.dll" [2010-09-11 2735200]

    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeUpdater6"="c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe" [2009-04-04 2521464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
    "iPodVideoConverter_upgrade"="c:\program files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" [2009-09-08 503808]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Michael Bryant\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-03-26 03:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\d3m0nc1aw\\team fortress classic\\hl.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/4/2009 8:37 AM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
    S2 0120501284211202mcinstcleanup;McAfee Application Installer Cleanup (0120501284211202);c:\windows\TEMP\012050~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012050~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:16 PM 135664]
    S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:11]

    2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

    2010-09-11 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4251465998.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

    2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

    2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

    2009-06-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

    2009-11-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

    2010-08-14 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

    2009-12-29 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    .
    .
    ------- Supplementary Scan -------
    .
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vo.mcbh.org/MLWebCacheCleaner.cab
    DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-11 15:23
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-8834206-3494891491-1703734855-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,c9,27,6c,9f,bf,e6,4f,9a,b2,ed,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,c9,27,6c,9f,bf,e6,4f,9a,b2,ed,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(636)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    .
    Completion time: 2010-09-11 15:24:43
    ComboFix-quarantined-files.txt 2010-09-11 19:24
    ComboFix2.txt 2010-09-11 13:19

    Pre-Run: 462,568,198,144 bytes free
    Post-Run: 462,562,418,688 bytes free

    - - End Of File - - 5D90D107D018EFAD6E353E1D7872B32D
  8. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Do you have Windows XP CD?


    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    winlogon.exe
    explorer.exe
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    I do not have my disk.

    OTL.txt

    OTL logfile created on: 9/12/2010 8:51:27 AM - Run 1
    OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Administrator\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
    5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 596.13 Gb Total Space | 430.70 Gb Free Space | 72.25% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: HEATHERLUTZ
    Current User Name: Administrator
    Logged in as Administrator.

    Current Boot Mode: SafeMode with Networking
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    PRC - [2010/07/02 18:24:00 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    PRC - [2010/06/18 20:11:29 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
    PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
    PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\ComboFix\PEV.cfx -- (PEVSystemStart)
    SRV - File not found [Auto | Stopped] -- C:\WINDOWS\TEMP\012050~1.EXE -- (0120501284211202mcinstcleanup) McAfee Application Installer Cleanup (0120501284211202)
    SRV - [2010/07/02 18:24:00 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
    SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
    SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
    SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
    SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
    SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
    SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
    SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
    SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2009/03/25 23:48:15 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
    SRV - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
    SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva359.sys -- (XDva359)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva358.sys -- (XDva358)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva352.sys -- (XDva352)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
    DRV - [2010/06/18 20:11:40 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
    DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
    DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
    DRV - [2008/09/24 22:39:06 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV - [2008/09/24 22:38:54 | 003,007,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2008/04/14 08:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/14 08:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007/07/20 01:10:10 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
    DRV - [2007/07/19 21:26:24 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
    DRV - [2007/07/16 22:48:54 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2001/08/17 22:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001/08/17 22:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001/08/17 22:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001/08/17 22:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001/08/17 22:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001/08/17 21:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001/08/17 21:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001/08/17 21:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001/08/17 21:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001/08/17 21:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001/08/17 21:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001/08/17 21:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001/08/17 21:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001/08/17 21:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001/08/17 21:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\extensions\\{EBEAAD45-0E03-48F1-8CC7-B2B09A8D6E25}: C:\Documents and Settings\Heather Lutz\Local Settings\Application Data\{EBEAAD45-0E03-48F1-8CC7-B2B09A8D6E25}\


    O1 HOSTS File: ([2010/09/11 15:23:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
     
  10. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
    O4 - HKLM..\Run: [combofix] C:\ComboFix\CF12610.cfx File not found
    O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe ()
    O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
    O4 - HKLM..\Run: [iPodVideoConverter_upgrade] C:\Program Files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe (E-Z soft)
    O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKCU..\Run: [AdobeUpdater6] C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe (Adobe Systems Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file://C:\Program Files\Paradise Pet Salon\Images\stg_drm.ocx (SpinTop DRM Control)
    O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} https://vo.mcbh.org/XTSAC.cab (XTSAC Control)
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
    O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} https://vo.mcbh.org/MLWebCacheCleaner.cab (WebCacheCleaner Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} http://www.wildpockets.com/common/WildPocketsLoader-15079.cab (Wild Pockets Loader Plugin Control Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file://C:\Program Files\Paradise Pet Salon\Images\armhelper.ocx (ArmHelper Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.247.24.53 24.247.15.53 68.115.71.53
    O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: VIDC.FPS1 - C:\WINDOWS\System32\frapsvid.dll (Beepa P/L)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Error starting restore point: The function was called in safe mode.
    Error closing restore point: The sequence number is invalid.

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/12 08:46:14 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2010/09/11 15:07:28 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/09/11 08:31:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/09/11 08:27:11 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/11 08:27:11 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/11 08:27:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/11 08:27:11 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/11 08:27:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/09/11 08:23:49 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/10 22:48:55 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
    [2010/09/10 22:48:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
    [2010/09/08 18:07:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Audacity
    [2010/09/08 17:37:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
    [2010/09/01 16:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    [2010/09/01 16:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Yahoo!
    [2010/09/01 16:00:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2010/08/30 21:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
    [2010/08/26 19:35:10 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/08/26 19:35:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/08/26 19:29:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
    [2010/08/26 18:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    [2010/08/26 18:01:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
    [2010/08/26 17:32:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2010/08/14 07:52:45 | 000,000,000 | ---D | C] -- C:\Program Files\StepMania
    [2010/08/13 17:55:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
    [2010/08/13 12:28:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\XfireXO
    [2010/08/13 02:21:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
    [2010/08/12 23:57:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
    [2010/08/03 09:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    [2010/08/03 09:56:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe Systems Shared
    [2010/08/03 05:40:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
    [2010/07/18 14:19:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Xfire
    [2010/07/17 21:09:07 | 000,000,000 | ---D | C] -- C:\CFLog
    [2010/07/17 19:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
    [2010/07/17 19:52:48 | 000,000,000 | ---D | C] -- C:\Program Files\XfireXO
    [2010/07/17 19:45:33 | 000,000,000 | ---D | C] -- C:\Program Files\Z8Games
    [2010/07/04 23:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\IDoser v4
    [2010/07/04 23:24:32 | 000,000,000 | ---D | C] -- C:\Program Files\I-Doser
    [2010/07/04 23:23:05 | 000,000,000 | ---D | C] -- C:\Program Files\SBaGen
    [2010/07/02 22:34:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\inixwukvf
    [2010/06/23 04:20:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2010/06/23 04:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/06/22 12:33:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/06/22 12:33:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/06/20 13:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/06/20 13:12:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/16 14:31:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 90 Days ==========

    [2010/09/12 08:48:08 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
    [2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2010/09/12 08:45:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    [2010/09/12 08:44:26 | 000,032,535 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
    [2010/09/12 08:44:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/12 08:43:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/12 08:42:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/12 08:42:29 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
    [2010/09/12 03:31:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/09/11 18:31:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/09/11 18:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
    [2010/09/11 15:35:43 | 000,000,562 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/09/11 15:28:54 | 003,712,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
    [2010/09/11 15:23:40 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/11 15:23:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/09/11 15:13:07 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
    [2010/09/11 15:00:55 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
    [2010/09/11 09:49:00 | 000,000,404 | ---- | M] () -- C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1251465998.job
    [2010/09/11 08:31:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/09/11 08:25:50 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/09/11 08:23:31 | 003,842,041 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/09/11 08:20:19 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
    [2010/09/11 08:18:12 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/09/10 23:09:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/10 23:08:02 | 000,533,076 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/09/10 23:08:02 | 000,463,840 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/09/10 23:08:02 | 000,078,990 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/09/10 22:57:19 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/09/10 22:53:33 | 000,001,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
    [2010/09/10 22:46:45 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
    [2010/09/07 18:00:02 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/09/07 14:44:52 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
    [2010/09/01 16:00:09 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
    [2010/09/01 08:42:52 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/08/31 10:09:34 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2010/08/26 17:51:05 | 000,050,056 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/08/26 15:44:57 | 000,045,116 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/08/13 12:28:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/08/03 09:56:21 | 000,001,764 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Audition 3.0.lnk
    [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
    [2010/06/18 20:12:22 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
    [2010/06/18 20:11:40 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========
     
  11. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    [2010/09/12 08:42:29 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
    [2010/09/11 15:00:55 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
    [2010/09/11 08:31:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/09/11 08:31:33 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/09/11 08:27:11 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/11 08:27:11 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/11 08:27:11 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/11 08:27:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/11 08:27:11 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/11 08:23:27 | 003,842,041 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/09/11 08:20:18 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
    [2010/09/10 22:55:36 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/09/10 22:46:45 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
    [2010/09/01 16:00:09 | 000,000,684 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
    [2010/08/31 10:09:34 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2010/08/26 15:44:57 | 000,045,116 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/08/03 09:56:21 | 000,001,764 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Audition 3.0.lnk
    [2010/01/17 10:51:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ABC_mru.ini
    [2009/08/28 09:06:13 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/07/08 12:28:29 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2009/07/08 12:28:29 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2009/03/26 01:25:08 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll
    [2009/03/26 01:24:17 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2009/03/26 00:03:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2009/03/26 00:02:36 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
    [2008/04/25 17:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2005/05/28 21:45:43 | 000,647,168 | ---- | C] () -- C:\WINDOWS\System32\pqdvdb.dll

    ========== LOP Check ==========

    [2010/09/08 18:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Audacity
    [2009/03/25 23:37:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
    [2010/08/30 21:30:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
    [2010/09/11 08:25:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/06/06 17:13:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2009/07/08 12:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\doubleTwist Corporation
    [2010/07/17 09:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
    [2010/06/23 03:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
    [2010/07/17 09:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
    [2009/06/06 17:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
    [2009/03/25 23:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
    [2009/03/25 23:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
    [2009/10/10 14:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
    [2009/03/25 23:50:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
    [2009/07/08 12:39:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/03/25 23:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
    [2009/12/30 12:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
    [2009/04/03 20:07:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    [2010/06/06 00:53:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/05/21 20:10:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    [2009/04/17 19:38:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010/09/12 08:45:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
    [2010/09/11 09:49:00 | 000,000,404 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1251465998.job
    [2009/06/15 01:00:00 | 000,000,356 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
    [2009/11/01 01:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
    [2010/09/11 18:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job
    [2009/12/29 01:43:03 | 000,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Update Version2.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/09/12 08:43:49 | 000,130,089 | ---- | M] () -- C:\aaw7boot.log
    [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/09/01 08:42:52 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/09/11 08:31:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/09/11 15:24:43 | 000,019,118 | ---- | M] () -- C:\ComboFix.txt
    [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2009/03/26 01:25:54 | 000,004,653 | RH-- | M] () -- C:\dell.sdr
    [2009/08/28 09:21:46 | 000,000,526 | -H-- | M] () -- C:\hpothb07.dat
    [2009/08/28 09:21:46 | 000,001,001 | -H-- | M] () -- C:\hpothb07.tif
    [2008/04/25 17:29:32 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
    [2008/04/25 17:29:32 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
    [2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\npbittorrent.dll
    [2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/12 08:43:55 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2010/09/11 08:20:27 | 000,000,408 | ---- | M] () -- C:\rkill.log
    [2010/09/10 22:49:49 | 000,045,640 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_10.09.2010_22.48.57_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2008/04/25 17:29:00 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2007/10/21 20:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD97.DLL
    [2007/10/21 20:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP97.DLL
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2006/10/26 20:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [1998/08/30 11:48:18 | 000,135,168 | ---- | M] () -- C:\WINDOWS\Lens32.scr
    [2008/12/04 23:55:20 | 000,307,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/04/25 05:21:09 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/04/25 05:21:09 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/04/25 05:21:09 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/04/25 17:29:41 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2008/04/25 17:33:03 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2008/04/25 17:33:01 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/11 08:23:31 | 003,842,041 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/09/10 22:46:45 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
    [2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2010/09/11 15:00:55 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
    [2010/09/07 14:44:52 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >
     
     
  12. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2008/04/14 08:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/04/25 17:33:01 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/09/12 08:50:37 | 000,049,152 | -HS- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 08:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2007/04/03 07:37:24 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2007/04/03 07:37:24 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/14 07:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 13:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/03 07:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/03 07:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/03 07:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2007/04/03 07:37:28 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2007/04/03 07:34:02 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < MD5 for: EXPLORER.EXE >
    [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=9AB873E5C3DE27BCDEA5343EA6EA95CB -- C:\WINDOWS\explorer.exe

    < MD5 for: WINLOGON.EXE >
    [2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=6BA2B344AD063BB35ADA1D33EFF8FA2B -- C:\WINDOWS\system32\winlogon.exe

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B3A4EC2
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:242231A9
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B9D8E22
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94D41096
    < End of report >
     
  13. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Extras

    OTL Extras logfile created on: 9/12/2010 8:51:28 AM - Run 1
    OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Administrator\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
    5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 596.13 Gb Total Space | 430.70 Gb Free Space | 72.25% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: HEATHERLUTZ
    Current User Name: Administrator
    Logged in as Administrator.

    Current Boot Mode: SafeMode with Networking
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
    "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
    "C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
    "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
    "C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
    "C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
    "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "C:\Program Files\Steam\steamapps\d3m0nc1aw\team fortress classic\hl.exe" = C:\Program Files\Steam\steamapps\d3m0nc1aw\team fortress classic\hl.exe:*:Enabled:Team Fortress Classic -- (Valve)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
    "{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
    "{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
    "{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 17
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
    "{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
    "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
    "{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
    "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
    "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
    "{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
    "{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
    "{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{903679E8-44C8-4C07-9600-05C92654FC50}" = QualXServ Service Agreement
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
    "{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}" = Adobe Audition 3.0.1 Patch
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
    "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
    "{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
    "{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
    "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
    "{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
    "{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
    "7-Zip" = 7-Zip 4.57
    "Ad-Aware" = Ad-Aware
    "Adobe AIR" = Adobe AIR
    "Adobe Audition 3.0" = Adobe Audition 3.0
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Advanced Batch Converter" = Advanced Batch Converter
    "ATI Display Driver" = ATI Display Driver
    "Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.11 (Unicode)
    "AviSynth" = AviSynth 2.5
    "AVS Audio Converter 5.1_is1" = AVS Audio Converter version 5.1
    "AVS Update Manager_is1" = AVS Update Manager 1.0
    "CCleaner" = CCleaner
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Cross Fire_is1" = Cross Fire En
    "Digital Media Converter_is1" = Digital Media Converter 2.7
    "ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
    "FL Studio 9" = FL Studio 9
    "Fraps" = Fraps
    "Free iPod Video Converter_is1" = Free iPod Video Converter 1.34
    "Frets on Fire" = Frets On Fire
    "Google Chrome" = Google Chrome
    "GoToAssist" = GoToAssist 8.0.0.514
    "Hardcore" = Hardcore
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "I-Doser 4.50" = I-Doser 4.50
    "ie8" = Windows Internet Explorer 8
    "IL Download Manager" = IL Download Manager
    "LimeWire" = LimeWire 5.1.2
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mpeg2Decoder_is1" = Mpeg2Decoder 1.3
    "MSC" = McAfee SecurityCenter
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Product_Name" = Risk 2
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "PSP ToolKit_is1" = PSP Toolkit 1.1
    "Sawer" = Sawer
    "SBaGen_is1" = SBaGen 1.4.4
    "Steam App 20" = Team Fortress Classic
    "Steam App 218" = Source SDK Base - Orange Box
    "Steam App 440" = Team Fortress 2
    "StepMania" = StepMania 3.9a (remove only)
    "Toxic Biohazard" = Toxic Biohazard
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "XfireXO Toolbar" = XfireXO Toolbar
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
    "Yahoo! Companion" = Yahoo! Toolbar
     
  14. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 9/12/2010 8:41:50 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 9/12/2010 8:41:50 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 16839296

    Error - 9/12/2010 8:41:50 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 16839296

    Error - 9/12/2010 8:41:52 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 9/12/2010 8:41:52 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 16841250

    Error - 9/12/2010 8:41:52 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 16841250

    Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: A connection with the server could not be established

    Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    [ System Events ]
    Error - 9/11/2010 3:13:06 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 9/11/2010 3:14:13 PM | Computer Name = HEATHERLUTZ | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Fips intelppm mfehidk

    Error - 9/11/2010 3:14:21 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 9/11/2010 3:16:29 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service McNASvc with
    arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

    Error - 9/11/2010 3:16:35 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service McNASvc with
    arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

    Error - 9/11/2010 3:32:01 PM | Computer Name = HEATHERLUTZ | Source = Service Control Manager | ID = 7023
    Description = The HID Input Service service terminated with the following error:
    %%126

    Error - 9/12/2010 8:44:23 AM | Computer Name = HEATHERLUTZ | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Fips intelppm mfehidk

    Error - 9/12/2010 8:44:30 AM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 9/12/2010 8:46:17 AM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service McNASvc with
    arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

    Error - 9/12/2010 8:46:18 AM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service McNASvc with
    arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}


    < End of report >
     
  15. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
    Upload the following files to http://www.virustotal.com/ for a security check:
    - C:\WINDOWS\explorer.exe
    - C:\WINDOWS\system32\winlogon.exe
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  16. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Explorer

    Antivirus Version Last Update Result
    AhnLab-V3 2010.09.12.01 2010.09.12 Win-Trojan/Patched.BT
    AntiVir 8.2.4.50 2010.09.12 -
    Antiy-AVL 2.0.3.7 2010.09.12 -
    Authentium 5.2.0.5 2010.09.11 W32/Patched.B
    Avast 4.8.1351.0 2010.09.12 -
    Avast5 5.0.594.0 2010.09.12 Win32:Bamital-X
    AVG 9.0.0.851 2010.09.12 Win32/Patched.FL
    BitDefender 7.2 2010.09.12 Win32.Loader.O
    CAT-QuickHeal 11.00 2010.09.10 Trojan.Patched.JW
    ClamAV 0.96.2.0-git 2010.09.12 -
    Comodo 6058 2010.09.12 -
    DrWeb 5.0.2.03300 2010.09.12 Win32.Dat.3
    Emsisoft 5.0.0.37 2010.09.12 Virus.Win32.Bamital!IK
    eSafe 7.0.17.0 2010.09.12 -
    eTrust-Vet 36.1.7850 2010.09.12 Win32/Patcher.F
    F-Prot 4.6.1.107 2010.09.12 W32/Patched.B
    F-Secure 9.0.15370.0 2010.09.11 Win32.Loader.O
    Fortinet 4.1.143.0 2010.09.12 -
    GData 21 2010.09.12 Win32.Loader.O
    Ikarus T3.1.1.88.0 2010.09.12 Virus.Win32.Bamital
    Jiangmin 13.0.900 2010.09.12 -
    K7AntiVirus 9.63.2496 2010.09.11 Virus
    Kaspersky 7.0.0.125 2010.09.12 Trojan.Win32.Patched.kl
    McAfee 5.400.0.1158 2010.09.12 W32/Bamital.a
    McAfee-GW-Edition 2010.1B 2010.09.12 -
    Microsoft 1.6103 2010.09.12 Virus:Win32/Bamital.C
    NOD32 5445 2010.09.12 Win32/Bamital.DX
    Norman 6.06.06 2010.09.12 W32/Patched.Q
    nProtect 2010-09-12.01 2010.09.12 Trojan/W32.Bamital
    Panda 10.0.2.7 2010.09.12 W32/Patched.AC
    PCTools 7.0.3.5 2010.09.12 Trojan.Bamital
    Prevx 3.0 2010.09.12 -
    Rising 22.64.06.00 2010.09.12 Trojan.Win32.Generic.522811B8
    Sophos 4.57.0 2010.09.12 Troj/Patched-O
    Sunbelt 6867 2010.09.12 Virus.Win32.Bamital.c (v)
    SUPERAntiSpyware 4.40.0.1006 2010.09.12 -
    Symantec 20101.1.1.7 2010.09.12 Trojan.Bamital!inf
    TheHacker 6.7.0.0.016 2010.09.12 -
    TrendMicro 9.120.0.1004 2010.09.12 PE_PATCHED.AM
    TrendMicro-HouseCall 9.120.0.1004 2010.09.12 PE_PATCHED.AM
    VBA32 3.12.14.0 2010.09.08 -
    ViRobot 2010.9.8.4031 2010.09.12 Win32.Patched.AF
    VirusBuster 12.65.2.0 2010.09.12 -
    Additional information
    MD5 : 9ab873e5c3de27bcdea5343ea6ea95cb
    SHA1 : 67d39b2553ca272f277d95239c68c56e1b07d5f0
    SHA256: 16f37a7c2146c6789dbceddd7cd0af36d331fd726073125b3979369460c938c9

    WinLogon

    Antivirus Version Last Update Result
    AhnLab-V3 2010.09.12.01 2010.09.12 Win-Trojan/Patched.BT
    AntiVir 8.2.4.50 2010.09.12 -
    Antiy-AVL 2.0.3.7 2010.09.12 Trojan/Win32.Patched.gen
    Authentium 5.2.0.5 2010.09.11 W32/Patched.B
    Avast 4.8.1351.0 2010.09.12 -
    Avast5 5.0.594.0 2010.09.12 Win32:Bamital-X
    AVG 9.0.0.851 2010.09.12 Win32/Patched.FM
    BitDefender 7.2 2010.09.12 Win32.Loader.O
    CAT-QuickHeal 11.00 2010.09.10 Trojan.Patched.JW
    ClamAV 0.96.2.0-git 2010.09.12 -
    Comodo 6058 2010.09.12 -
    DrWeb 5.0.2.03300 2010.09.12 Win32.Dat.3
    Emsisoft 5.0.0.37 2010.09.12 Trojan.Win32.Patched!IK
    eSafe 7.0.17.0 2010.09.12 -
    eTrust-Vet 36.1.7850 2010.09.12 Win32/Patcher.F
    F-Prot 4.6.1.107 2010.09.12 W32/Patched.B
    F-Secure 9.0.15370.0 2010.09.11 Win32.Loader.O
    Fortinet 4.1.143.0 2010.09.12 -
    GData 21 2010.09.12 Win32.Loader.O
    Ikarus T3.1.1.88.0 2010.09.12 Trojan.Win32.Patched
    Jiangmin 13.0.900 2010.09.12 TrojanDownloader.Small.asus
    K7AntiVirus 9.63.2496 2010.09.11 Virus
    Kaspersky 7.0.0.125 2010.09.12 Trojan.Win32.Patched.kl
    McAfee 5.400.0.1158 2010.09.12 W32/Bamital.a
    McAfee-GW-Edition 2010.1B 2010.09.12 -
    Microsoft 1.6103 2010.09.12 Virus:Win32/Bamital.C
    NOD32 5445 2010.09.12 Win32/Bamital.DX
    Norman 6.06.06 2010.09.12 W32/Patched.Q
    nProtect 2010-09-12.01 2010.09.12 Trojan/W32.Bamital
    Panda 10.0.2.7 2010.09.12 W32/Patched.AC
    PCTools 7.0.3.5 2010.09.12 Trojan.Bamital
    Prevx 3.0 2010.09.12 -
    Rising 22.64.06.00 2010.09.12 Trojan.Win32.Generic.5222CCBB
    Sophos 4.57.0 2010.09.12 Troj/Patched-O
    Sunbelt 6867 2010.09.12 Trojan.Win32.Generic!BT
    SUPERAntiSpyware 4.40.0.1006 2010.09.12 -
    Symantec 20101.1.1.7 2010.09.12 Trojan.Bamital!inf
    TheHacker 6.7.0.0.016 2010.09.12 -
    TrendMicro 9.120.0.1004 2010.09.12 PE_PATCHED.AM
    TrendMicro-HouseCall 9.120.0.1004 2010.09.12 PE_PATCHED.AM
    VBA32 3.12.14.0 2010.09.08 -
    ViRobot 2010.9.8.4031 2010.09.12 Win32.Patched.AF
    VirusBuster 12.65.2.0 2010.09.12 -
    Additional information
    MD5 : 6ba2b344ad063bb35ada1d33eff8fa2b
    SHA1 : cbebd2dfef87a87274c2d2dce7075e8d01d8198b
    SHA256: 09dca849d31d55648f1694fdc0dac327027b4b109f93e99ff837368a48112aab
     
  17. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Yeah, this is bad and we have to replace those two files.

    Download zipped explorer.exe and winlogon.exe files from HERE

    Unzip both files and copy both of them to your C:\ folder.

    When done...


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      winlogon.exe
      explorer.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  18. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Yeah this is bad haha.
    Ummm when I tried to replace the file it told me that access was denied.
    Was my goal to replace it or only place it in there?
     
  19. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Please, read my instructions VERY carefully.
    This is a very dangerous part.
    If you do something wrong, we're in trouble!!

    I said:
     
  20. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    Ok it's done. Sorry it has been a while since my last reply, disadvantages to being a high school student with homework-pushing teachers.

    System Look Log:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:51 on 14/09/2010 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "winlogon.exe"
    C:\winlogon.exe --a---- 507904 bytes [23:49 14/09/2010] [05:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
    C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

    Searching for "explorer.exe"
    C:\explorer.exe --a---- 1033728 bytes [23:26 12/09/2010] [09:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
    C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

    -= EOF =-
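Added example, not part of the thread or of SystemLook itself: a small Python script that parses SystemLook ":filefind" result lines like the ones above and checks each MD5 against the hashes VirusTotal flagged earlier in the thread, so a helper can confirm that the in-place system files are the infected copies and that the copies staged in C:\ are different before attempting any replace step. The log text and the hash-to-verdict map are embedded from the posts above; the line format is inferred from that log.

```python
import re
# Constructed sample input: the ':filefind' result lines from the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""
Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [23:49 14/09/2010] [05:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [23:26 12/09/2010] [09:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB
"""

# MD5 values taken from the VirusTotal reports posted earlier in this thread.
FLAGGED_MD5 = {
    "9ab873e5c3de27bcdea5343ea6ea95cb": "explorer.exe, Win32:Bamital-X",
    "6ba2b344ad063bb35ada1d33eff8fa2b": "winlogon.exe, Win32:Bamital-X",
}

# One SystemLook result line: <path> <attrs> <size> bytes [modified] [created] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]+)\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_filefind(log):
    """Parse ':filefind' result lines into dicts; header and blank lines are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].lower()  # VirusTotal prints lowercase, SystemLook uppercase
            hits.append(hit)
    return hits

def triage(log, flagged=FLAGGED_MD5):
    """Map each path to 'FLAGGED: <label>' or 'not in blocklist'."""
    return {h["path"]: "FLAGGED: " + flagged[h["md5"]] if h["md5"] in flagged
            else "not in blocklist" for h in parse_filefind(log)}

def replacement_status(log, flagged=FLAGGED_MD5):
    """Group hits by file name: which copies are flagged and which staged copies are clean."""
    status = {}
    for h in parse_filefind(log):
        name = h["path"].rsplit("\\", 1)[-1].lower()
        bucket = "flagged" if h["md5"] in flagged else "clean"
        status.setdefault(name, {"flagged": [], "clean": []})[bucket].append(h["path"])
    return status
```

For this log, `replacement_status` shows each name has exactly one flagged copy under C:\WINDOWS and one clean staged copy in C:\, which is the precondition the later OTL `/replace` step relies on.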
     
  21. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace
      C:\WINDOWS\explorer.exe|C:\explorer.exe /replace
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Post fresh SystemLook log (same script as in my reply #17)
     
  22. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    OTL Log:

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Unable to replace file: C:\WINDOWS\system32\winlogon.exe with C:\winlogon.exe without a reboot.
    Unable to replace file: C:\WINDOWS\explorer.exe with C:\explorer.exe without a reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 66560 bytes
    ->Temporary Internet Files folder emptied: 39568250 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1441 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 321 bytes

    User: Heather Lutz

    User: Katy Lutz
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 168679 bytes
    ->Java cache emptied: 11407713 bytes
    ->Flash cache emptied: 291173 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 9050 bytes
    ->Flash cache emptied: 15229 bytes

    User: Madison Bryant
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 157915 bytes
    ->Java cache emptied: 549074 bytes
    ->Flash cache emptied: 40431 bytes

    User: Michael Bryant
    ->Temp folder emptied: 638138 bytes
    ->Temporary Internet Files folder emptied: 328823 bytes
    ->Java cache emptied: 72870198 bytes
    ->Google Chrome cache emptied: 57814924 bytes
    ->Flash cache emptied: 109327 bytes

    User: Natalie Lutz
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 157915 bytes
    ->Java cache emptied: 7617538 bytes
    ->Flash cache emptied: 15907830 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 32208 bytes
    ->Flash cache emptied: 51410 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 102417 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1739425 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 200.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Heather Lutz

    User: Katy Lutz
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: Madison Bryant
    ->Flash cache emptied: 0 bytes

    User: Michael Bryant
    ->Flash cache emptied: 0 bytes

    User: Natalie Lutz
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.12.0 log created on 09152010_161315

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBF5C.tmp not found!
    File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBF69.tmp not found!
    File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBFC3.tmp not found!
    File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBFD0.tmp not found!
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUUVHE8V\topic153181-2[1].html moved successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CYLX7523\sh23[1].html moved successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0JMSTF6Y\01[1].htm moved successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0JMSTF6Y\ads[8].htm moved successfully.
    File\Folder C:\WINDOWS\temp\mcmsc_KpVtt8xdgdkeawO not found!

    Registry entries deleted on Reboot...
     
  23. Broni

    Broni Malware Annihilator Posts: 47,704   +268

     
  24. d3m0nc1aw

    d3m0nc1aw TS Rookie Topic Starter Posts: 19

    I did. But I ran SystemLook again.



    Administrator - Elevation successful

    Invalid Context: OTL

    Invalid Context: Services

    ========== Reg ==========

    Invalid Context: Files

    No Context: C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace

    No Context: C:\WINDOWS\explorer.exe|C:\explorer.exe /replace

    Invalid Context: Commands

    No Context: [purity]

    No Context: [emptytemp]

    No Context: [emptyflash]

    No Context: [Reboot]

    -= EOF =-
     
  25. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    This is not SystemLook log.
    I said like in my reply #17.
    I asked you before to be careful and to pay attention, or we'll screw something up pretty good.
     
Topic Status:
Not open for further replies.