TechSpot

I have a virus on my PC, I cannot identify it and I don't know what to do next

Solved
By monrayl
Aug 22, 2011
Topic Status:
Not open for further replies.
  1. My PC recently got infected by a virus. I have tried my best to get rid of it, but to no avail. The virus prevents me from using any sort of antivirus software, and I get redirected when I click on Google search results. The only thing I'm sure of at the moment is that there is a weird process running (it continues to run when I log on in safe mode). The process is: 2453828619:4102798701.exe. I tried a Google search on this process but there are no results for it. I would really appreciate it if someone could help me. Thanks in advance.
  2. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Mistakes during the cleaning process may have very serious consequences, such as an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. monrayl

    monrayl TS Member Topic Starter Posts: 74

    I am sorry for replying so late to your post; it was about 2:30am in South Africa when I started the thread. Anyway, I clicked on the 6-step viruses/spyware...preliminary removal instructions link. I am not able to do step 1 or step 2 as the virus disables all antivirus software. I already had Malwarebytes Anti-Malware installed a few months ago, but when I tried to use it, the program closed. Ever since, when I tried to start the program I would get the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Should I skip the first two steps? If not, what do you suggest?
  4. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Complete as many steps as you can.
  5. monrayl

    monrayl TS Member Topic Starter Posts: 74

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-24 12:59:02
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3250318AS rev.CC38
    Running: u47v462n.exe; Driver: C:\DOCUME~1\Monray\LOCALS~1\Temp\uxtdypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF759E5DC]
    SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF75AA120]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 85F7F008
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 85F7F008
    Device \Driver\atapi \Device\Ide\IdePort1 85F7F008
    Device \Driver\atapi \Device\Ide\IdePort2 85F7F008
    Device \Driver\atapi \Device\Ide\IdePort3 85F7F008
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 85F7F008
    Device \Driver\d347prt \Device\Scsi\d347prt1Port5Path0Target0Lun0 85FA7AD0
    Device \Driver\a347scsi \Device\Scsi\a347scsi1Port4Path0Target0Lun0 85D46008
    Device \Driver\a347scsi \Device\Scsi\a347scsi1 85D46008
    Device \Driver\d347prt \Device\Scsi\d347prt1 85FA7AD0
    Device \FileSystem\Ntfs \Ntfs 863E0C48

    AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

    Device \FileSystem\Fastfat \Fat 85617578

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Modules - GMER 1.0.15 ----

    Module _________ F7500000-F7518000 (98304 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:156] F769FFC0
    Thread System [4:160] F769FFC0
    Thread System [4:164] F6674105
    Thread System [4:168] F6674105

    ---- EOF - GMER 1.0.15 ----
  6. monrayl

    monrayl TS Member Topic Starter Posts: 74

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_25
    Run by Monray at 13:58:16 on 2011-08-24
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.432 [GMT 2:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\2453828619:4102798701.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Monray\My Documents\last xp software\RocketDock\RocketDock.exe
    C:\Program Files\Outlook Messenger\OutlookMessenger.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\WinFlip\WinFlip.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.google.co.za/
    mSearchAssistant = hxxp://start.facemoods.com/?a=w7th1&s={searchTerms}&f=4
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mWinlogon: Userinit=Userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\documents and settings\monray\my documents\last xp software\flashget\jccatch.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: facemoods Helper: {64182481-4f71-486b-a045-b233bd0da8fc} - CescrtHlpr Object
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\program files\dealply\DealPlyIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll
    TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} -
    TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [RocketDock] "c:\documents and settings\monray\my documents\last xp software\rocketdock\RocketDock.exe"
    uRun: [OutlookMessenger] "c:\program files\outlook messenger\OutlookMessenger.exe" /m
    uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NVRTCLK] c:\windows\system32\nvrtclk\NVRTClk.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
    StartupFolder: c:\docume~1\monray\startm~1\programs\startup\winflip.lnk - c:\program files\winflip\WinFlip.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
    IE: &Download All with FlashGet - c:\documents and settings\monray\my documents\last xp software\flashget\jc_all.htm
    IE: &Download with FlashGet - c:\documents and settings\monray\my documents\last xp software\flashget\jc_link.htm
    IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_06-win.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    TCP: DhcpNameServer = 196.28.182.20
    TCP: Interfaces\{898E868A-DEAE-4FC6-954C-89D0B5ECA4EC} : DhcpNameServer = 196.28.182.20
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    IFEO: finepixviewers.exe - "c:\program files\tuneup utilities 2011\TUAutoReactivator32.exe"
    IFEO: javaw.exe - "c:\program files\tuneup utilities 2011\TUAutoReactivator32.exe"
    IFEO: javaws.exe - "c:\program files\tuneup utilities 2011\TUAutoReactivator32.exe"
    IFEO: quickdcf2.exe - "c:\program files\tuneup utilities 2011\TUAutoReactivator32.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\monray\application data\mozilla\firefox\profiles\ekei0mud.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\monray\application data\mozilla\firefox\profiles\ekei0mud.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\documents and settings\monray\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2011-1-10 160640]
    R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2011-1-10 5248]
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2011-7-2 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2011-7-2 5248]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-8-20 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-8-20 69392]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-5 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-5 29584]
    S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-12-14 1517376]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2011-2-27 947528]
    S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\monray\locals~1\temp\cdrmkaun.sys --> c:\docume~1\monray\locals~1\temp\cdrmkaun.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-26 41272]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-8-20 33552]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-11-29 10064]
    S3 UTS2pl;Motorola Serial port driver;c:\windows\system32\drivers\UTS2pl.sys [2010-9-26 43264]
    .
    =============== Created Last 30 ================
    .
    2011-08-21 20:22:31 -------- d-----w- c:\program files\NoAdware5.0
    2011-08-20 14:30:34 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-08-20 14:30:34 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-08-20 14:30:34 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-08-20 14:30:33 -------- d-----w- c:\program files\ThreatFire
    2011-08-20 14:30:33 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
    2011-08-19 14:56:33 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-08-19 14:56:33 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-08-08 18:08:00 -------- d-----w- c:\program files\EA GAMES
    2011-08-08 17:27:15 442368 ----a-w- c:\windows\system32\vp6vfw.dll
    2011-08-07 20:23:11 -------- d-----w- c:\program files\Copy Cat
    2011-08-06 17:37:12 -------- d-----w- c:\documents and settings\monray\nvram
    2011-08-06 17:37:12 -------- d-----w- c:\documents and settings\monray\memcard
    2011-08-06 17:37:12 -------- d-----w- c:\documents and settings\monray\cfg
    2011-08-03 00:18:03 -------- d-----w- c:\program files\DzSoft
    2011-08-03 00:07:11 1311335 ----a-w- c:\windows\system32\aquarium.scr
    2011-08-03 00:02:11 -------- d-----w- c:\program files\Isotope244 Graphics
    2011-08-02 22:41:21 40960 ----a-r- c:\documents and settings\monray\application data\microsoft\installer\{a31838f1-8e0d-4ca3-a40a-20825b92f125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41:21 40960 ----a-r- c:\documents and settings\monray\application data\microsoft\installer\{a31838f1-8e0d-4ca3-a40a-20825b92f125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41:20 -------- d-----w- c:\program files\Serials 2005
    2011-07-27 12:10:57 -------- d-----w- c:\program files\Astro Avenger II
    2011-07-25 15:25:13 2288128 ----a-w- c:\windows\system32\TUKernel.exe
    .
    ==================== Find3M ====================
    .
    2011-07-12 20:17:35 1201727 ----a-w- c:\program files\common files\unins000.exe
    2011-07-06 17:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 17:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 13:01:46 218624 ----a-w- c:\windows\system32\uxtheme.dll
    2011-07-06 13:01:42 1949184 ----a-w- c:\windows\system32\logonui.exe
    2011-06-27 23:19:14 28672 ----a-w- c:\windows\system32\ssconfig.exe
    2011-06-27 23:19:14 180224 ----a-w- c:\windows\UninstallWSST.exe
    2011-06-05 12:07:24 1295928 ----a-w- c:\documents and settings\monray\setup.exe
    2011-06-03 13:42:09 1949184 ----a-w- c:\windows\system32\logonui.backup
    2011-05-29 10:24:10 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-05-26 16:04:54 249856 ------w- c:\windows\Setup1.exe
    2011-05-26 16:04:53 73216 ----a-w- c:\windows\ST6UNST.EXE
    .
    ============= FINISH: 13:58:24.07 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/5/2010 8:34:38 PM
    System Uptime: 8/24/2011 11:18:18 AM (2 hours ago)
    .
    Motherboard: JW Technology.,Ltd | | JW-IG31-MKII
    Processor: Intel Pentium III Xeon processor | CPU 1 | 2593/200mhz
    Processor: Intel Pentium III Xeon processor | CPU 1 | 2593/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 91.271 GiB free.
    D: is CDROM ()
    E: is CDROM (CDFS)
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 8/23/2011 12:47:32 AM - System Checkpoint
    RP2: 8/24/2011 1:21:24 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .

    1769 Bible 2.0
    2007 Microsoft Office Suite Service Pack 2 (SP2)
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.3
    Advertising Center
    Applian FLV Player
    Astro Avenger II
    AVG Free 9.0
    cars Screensaver
    Cheatbook Database 2008
    ComicRack v0.9.134
    Commandos 3 - Destination Berlin
    Compatibility Pack for the 2007 Office system
    Cool Edit Pro 2.0
    Copy Cat 2.0
    CorelDRAW Graphics Suite X3
    CursorXP
    DAEMON Tools
    DealPly
    Digital Guitar Tuner 2.3
    DirectX 10 NE (New Edition)
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Web Player
    DVD Decrypter (Remove Only)
    DVDFab Platinum 3.0.8.6
    Easy Language Classic
    EN
    Final Fantasy VII - Ultima Edition
    Final Fantasy VII XP Patch
    FontNav
    FUJIFILM FinePixViewer S Ver.2.1
    Google Chrome
    Google Talk (remove only)
    Google Update Helper
    Great Secrect Da Vinci
    Guitar Calculator Pro 4
    Guitar Power 1.5.0
    High Definition Audio Driver Package - KB888111
    IconTweaker 1.12
    Image Icon Converter 1.3
    ImagXpress
    Imperial Sudoku
    ImTOO Download YouTube Video
    Intel(R) Graphics Media Accelerator Driver
    IZArc 3.5 beta 3
    Java 2 Runtime Environment Standard Edition v1.3.1_06
    Java Auto Updater
    Java(TM) 6 Update 25
    K-Lite Mega Codec Pack 1.66
    Kyodai Mahjongg 2006 v1.42
    Learning Essentials for Microsoft Office
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Marvell Miniport Driver
    Menu Templates - Starter Kit
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Math
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Media Content
    Microsoft Picture It! Photo Standard 9
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Student 2007 for Learning Essentials
    Microsoft Student with Encarta Premium 2009
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Microsoft XNA Framework Redistributable 1.0 Refresh
    Motorola Driver Installation
    Motorola Phone Tools
    Movie Templates - Starter Kit
    Mozilla Firefox 4.0 (x86 en-US)
    MSN
    MSXML 6.0 Parser (KB925673)
    Nero 9 Essentials
    Nero BurnRights
    Nero BurnRights Help
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero DiscSpeed
    Nero DiscSpeed Help
    Nero DriveSpeed
    Nero DriveSpeed Help
    Nero Express Help
    Nero InfoTool
    Nero InfoTool Help
    Nero Installer
    Nero Online Upgrade
    Nero Rescue Agent
    Nero RescueAgent Help
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero Vision
    Nero Vision Help
    NeroExpress
    neroxml
    NoAdware v5.0
    OpenAL
    OutlookMessenger V5.0
    PDFCreator 0.8.0
    Peggle Nights Deluxe
    Pineda Network Secure Copy 2
    PowerDVD
    Pro Evolution Soccer 5
    Real Chess
    Realtek High Definition Audio Driver
    RMClock 2.2
    SAMSUNG Mobile USB Modem 1.0 Software
    Samsung PC Studio
    Samsung PC Studio 3 USB Driver Installer
    Serials 2005
    Sonic Foundry Vegas 4.0d
    Static TV 3D Screensaver Free
    The KMPlayer (remove only)
    The Sims 2
    TheMatrix Screen Saver version 1.14
    ThreatFire
    Total Video Converter 3.10
    TuneUp Utilities 2011
    TuneUp Utilities Language Pack (en-US)
    Update for Windows XP (KB898461)
    Update Manager
    VBA
    VC80CRTRedist - 8.0.50727.762
    Vista Anthracite Pack - UltraLite 1.31
    WebFldrs XP
    Winamp
    Winamp Lyrics (Explorer Version) v1.22
    Windows Communication Foundation
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Presentation Foundation
    Windows Workflow Foundation
    WinFlip 0.50
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/23/2011 1:54:19 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/23/2011 1:24:19 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/23/2011 1:09:02 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/22/2011 8:00:28 PM, error: SRService [104] - The System Restore initialization process failed.
    8/22/2011 8:00:28 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    8/22/2011 7:22:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    8/20/2011 6:23:07 PM, error: Service Control Manager [7000] - The ThreatFire service failed to start due to the following error: Access is denied.
    8/20/2011 3:34:02 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service TuneUp.UtilitiesSvc with arguments "" in order to run the server: {02849255-07CD-4C09-97D7-017DA2AE45AA}
    8/20/2011 3:33:57 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service TuneUp.UtilitiesSvc with arguments "" in order to run the server: {C1174535-161F-4CB7-B63F-A12BA2EB7C88}
    8/20/2011 3:02:47 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service TuneUp.UtilitiesSvc with arguments "" in order to run the server: {5EF1CF5D-87A9-434B-8786-2A08E1C30F6C}
    8/20/2011 10:50:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    8/19/2011 9:58:43 PM, error: Service Control Manager [7001] - The AVG Free E-mail Scanner service depends on the AVG Free WatchDog service which failed to start because of the following error: Access is denied.
    8/19/2011 9:58:43 PM, error: Service Control Manager [7000] - The TuneUp Utilities Service service failed to start due to the following error: Access is denied.
    8/19/2011 9:58:43 PM, error: Service Control Manager [7000] - The Nero BackItUp Scheduler 4.0 service failed to start due to the following error: Access is denied.
    8/19/2011 9:58:43 PM, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: Access is denied.
    8/19/2011 4:58:33 PM, error: System Error [1003] - Error code 000000ea, parameter1 85642020, parameter2 85de5870, parameter3 86140c90, parameter4 00000001.
    8/19/2011 4:12:41 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'i8042prt.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    8/19/2011 4:10:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    8/19/2011 4:06:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    8/19/2011 4:06:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/19/2011 4:06:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/19/2011 4:06:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/19/2011 4:06:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/19/2011 4:05:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/19/2011 4:05:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    8/19/2011 11:11:25 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    8/17/2011 8:48:05 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TESRAY that believes that it is the master browser for the domain on transport NetBT_Tcpip_{898E868A-DEAE-4FC6-95. The master browser is stopping or an election is being forced.
    .
    ==== End Of File ===========================
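As an added example, not part of this thread and not code from DDS, GMER or TDSSKiller: a small Python triage script that runs two defender-side checks over lines modelled on the DDS log above (the sample lines are a constructed, retyped subset, not the log itself). First, it flags any running-process path whose final component contains a colon; on NTFS a colon is not a legal file-name character and after the drive letter it can only be the file:stream syntax of an alternate data stream, which is exactly the shape of the `C:\WINDOWS\2453828619:4102798701.exe` entry the original poster could not identify. Second, it collects Service Control Manager event 7000 start failures with "Access is denied", which is what the "cannot run any antivirus" symptom looks like in the event-log section. Function names and the regular expressions are my own assumptions about the log layout.

```python
import re

# Constructed sample lines modelled on the DDS log posted in this thread
# (a retyped subset for illustration, not the original log).
DDS_PROCESSES = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\2453828619:4102798701.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
"""

DDS_EVENTS = r"""
8/22/2011 8:00:28 PM, error: SRService [104] - The System Restore initialization process failed.
8/20/2011 6:23:07 PM, error: Service Control Manager [7000] - The ThreatFire service failed to start due to the following error: Access is denied.
8/19/2011 9:58:43 PM, error: Service Control Manager [7001] - The AVG Free E-mail Scanner service depends on the AVG Free WatchDog service which failed to start because of the following error: Access is denied.
8/19/2011 9:58:43 PM, error: Service Control Manager [7000] - The TuneUp Utilities Service service failed to start due to the following error: Access is denied.
8/19/2011 9:58:43 PM, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: Access is denied.
"""

# Trailing " -k netsvcs"-style arguments are not part of the image path (assumed layout).
ARGS_RE = re.compile(r"\s+-\S.*$")
# Event 7000 wording as it appears in the DDS event section (assumed to be stable).
DENIED_RE = re.compile(
    r"Service Control Manager \[7000\] - The (?P<svc>.+) service failed to start "
    r"due to the following error: Access is denied\."
)


def image_path(line):
    """Strip service-host arguments so only the executable path remains."""
    return ARGS_RE.sub("", line.strip())


def is_ads_path(path):
    """True when the final path component contains ':'.

    On NTFS a ':' may only follow the drive letter; inside a file name it is the
    file:stream syntax of an alternate data stream, so such a 'process path'
    names a stream hidden behind an ordinary-looking directory entry.
    """
    _drive, sep, rest = path.partition("\\")
    if not sep:
        return False  # bare image names such as "svchost.exe" carry no path
    return ":" in rest.rsplit("\\", 1)[-1]


def flag_ads_processes(process_text):
    """Return the running-process paths that use alternate-data-stream syntax."""
    paths = [image_path(line) for line in process_text.splitlines()]
    return [p for p in paths if is_ads_path(p)]


def denied_service_starts(event_text):
    """Return services whose start was refused with 'Access is denied' (event 7000).

    Several security products failing this way at once is the event-log footprint
    of the 'cannot run any antivirus' symptom described in the thread.
    """
    names = []
    for line in event_text.splitlines():
        match = DENIED_RE.search(line)
        if match:
            names.append(match.group("svc"))
    return names


def triage(process_text=DDS_PROCESSES, event_text=DDS_EVENTS):
    """Combine both checks into one summary dictionary."""
    return {
        "ads_processes": flag_ads_processes(process_text),
        "denied_services": denied_service_starts(event_text),
    }


if __name__ == "__main__":
    for key, items in triage().items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

The colon check deliberately looks only at the last path component: the drive designator is the one place a colon is legitimate, and a bare image name without any path (the DDS log lists several plain `svchost.exe` entries) is left alone rather than flagged.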
  7. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  8. monrayl

    monrayl TS Member Topic Starter Posts: 74

    I ran tdsskiller.exe and it detected a malicious item. I was asked to reboot the computer and I did. Here is the log that you asked for:

    2011/08/25 12:13:44.0562 2948 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
    2011/08/25 12:13:46.0562 2948 ================================================================================
    2011/08/25 12:13:46.0562 2948 SystemInfo:
    2011/08/25 12:13:46.0562 2948
    2011/08/25 12:13:46.0562 2948 OS Version: 5.1.2600 ServicePack: 2.0
    2011/08/25 12:13:46.0562 2948 Product type: Workstation
    2011/08/25 12:13:46.0562 2948 ComputerName: MONRAY
    2011/08/25 12:13:46.0562 2948 UserName: Monray
    2011/08/25 12:13:46.0562 2948 Windows directory: C:\WINDOWS
    2011/08/25 12:13:46.0562 2948 System windows directory: C:\WINDOWS
    2011/08/25 12:13:46.0562 2948 Processor architecture: Intel x86
    2011/08/25 12:13:46.0562 2948 Number of processors: 2
    2011/08/25 12:13:46.0562 2948 Page size: 0x1000
    2011/08/25 12:13:46.0562 2948 Boot type: Normal boot
    2011/08/25 12:13:46.0562 2948 ================================================================================
    2011/08/25 12:13:49.0156 2948 Initialize success
    2011/08/25 12:13:50.0843 3832 ================================================================================
    2011/08/25 12:13:50.0843 3832 Scan started
    2011/08/25 12:13:50.0843 3832 Mode: Manual;
    2011/08/25 12:13:50.0843 3832 ================================================================================
    2011/08/25 12:13:57.0187 3832 a347bus (1f61cacacb521215f39061789147968c) C:\WINDOWS\system32\DRIVERS\a347bus.sys
    2011/08/25 12:13:57.0453 3832 a347scsi (113e4b318bbaa7483ca4e582a4d63f49) C:\WINDOWS\system32\Drivers\a347scsi.sys
    2011/08/25 12:13:57.0937 3832 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/08/25 12:13:58.0296 3832 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/08/25 12:13:58.0625 3832 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2011/08/25 12:13:58.0687 3832 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/25 12:13:58.0875 3832 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/08/25 12:13:58.0890 3832 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/08/25 12:13:58.0890 3832 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: cdfe4411a69c224bd1d11b2da92dac51
    2011/08/25 12:13:58.0906 3832 atapi - detected LockedFile.Multi.Generic (1)
    2011/08/25 12:13:58.0937 3832 atksgt (72bc628af75c4c3250f2a3bac260265a) C:\WINDOWS\system32\DRIVERS\atksgt.sys
    2011/08/25 12:13:59.0000 3832 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/08/25 12:13:59.0046 3832 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/08/25 12:13:59.0078 3832 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
    2011/08/25 12:13:59.0125 3832 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
    2011/08/25 12:13:59.0140 3832 b744292 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2453828619:4102798701.exe
    2011/08/25 12:13:59.0140 3832 Suspicious file (Hidden): C:\WINDOWS\2453828619:4102798701.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
    2011/08/25 12:13:59.0140 3832 b744292 - detected HiddenFile.Multi.Generic (1)
    2011/08/25 12:13:59.0171 3832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/08/25 12:13:59.0187 3832 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/08/25 12:13:59.0203 3832 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/08/25 12:13:59.0234 3832 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/08/25 12:13:59.0328 3832 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/08/25 12:13:59.0421 3832 d347bus (5776322f93cdb91086111f5ffbfda2a0) C:\WINDOWS\system32\DRIVERS\d347bus.sys
    2011/08/25 12:13:59.0421 3832 d347prt (b49f79ace459763f4e0380071be9cb45) C:\WINDOWS\system32\Drivers\d347prt.sys
    2011/08/25 12:13:59.0484 3832 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/08/25 12:13:59.0546 3832 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/08/25 12:13:59.0625 3832 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/08/25 12:13:59.0640 3832 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/08/25 12:13:59.0687 3832 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/08/25 12:13:59.0718 3832 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/08/25 12:13:59.0734 3832 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/08/25 12:13:59.0750 3832 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/08/25 12:13:59.0765 3832 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/08/25 12:13:59.0781 3832 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/08/25 12:13:59.0828 3832 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/08/25 12:13:59.0828 3832 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/08/25 12:13:59.0843 3832 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/08/25 12:13:59.0859 3832 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/08/25 12:13:59.0890 3832 GVCplDrv (f22bf7f345df95c09942951246aaa28d) C:\WINDOWS\system32\drivers\GVCplDrv.sys
    2011/08/25 12:13:59.0921 3832 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/08/25 12:13:59.0953 3832 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/08/25 12:14:00.0000 3832 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/08/25 12:14:00.0062 3832 i8042prt (64ea90326f9e5df7f487791996f7248c) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/25 12:14:00.0078 3832 i8042prt - detected Rootkit.Win32.ZAccess.f (0)
    2011/08/25 12:14:00.0187 3832 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2011/08/25 12:14:00.0281 3832 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/08/25 12:14:00.0375 3832 IntcAzAudAddService (8c65fcf7ab3389e7c224ea2ec4456f2d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/08/25 12:14:00.0468 3832 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/08/25 12:14:00.0515 3832 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/08/25 12:14:00.0578 3832 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/08/25 12:14:00.0625 3832 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/08/25 12:14:00.0656 3832 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/08/25 12:14:00.0687 3832 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/08/25 12:14:00.0734 3832 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/08/25 12:14:00.0765 3832 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/25 12:14:00.0796 3832 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/08/25 12:14:00.0843 3832 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/08/25 12:14:00.0890 3832 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/08/25 12:14:00.0953 3832 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
    2011/08/25 12:14:00.0968 3832 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2011/08/25 12:14:01.0000 3832 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/08/25 12:14:01.0031 3832 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/08/25 12:14:01.0062 3832 motmodem (59f513e9a519a5fd6fa6b03d3aa8081b) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2011/08/25 12:14:01.0109 3832 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/08/25 12:14:01.0140 3832 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/08/25 12:14:01.0156 3832 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/08/25 12:14:01.0203 3832 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/08/25 12:14:01.0218 3832 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/08/25 12:14:01.0265 3832 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/08/25 12:14:01.0296 3832 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/08/25 12:14:01.0312 3832 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/08/25 12:14:01.0328 3832 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/08/25 12:14:01.0343 3832 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/08/25 12:14:01.0375 3832 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/08/25 12:14:01.0390 3832 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/08/25 12:14:01.0421 3832 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/08/25 12:14:01.0453 3832 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/08/25 12:14:01.0484 3832 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/08/25 12:14:01.0515 3832 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/08/25 12:14:01.0531 3832 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/08/25 12:14:01.0546 3832 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/08/25 12:14:01.0578 3832 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/08/25 12:14:01.0609 3832 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/08/25 12:14:01.0640 3832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/08/25 12:14:01.0671 3832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/08/25 12:14:01.0687 3832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/08/25 12:14:01.0718 3832 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    2011/08/25 12:14:01.0734 3832 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/08/25 12:14:01.0765 3832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/08/25 12:14:01.0781 3832 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/08/25 12:14:01.0796 3832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/08/25 12:14:01.0828 3832 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/08/25 12:14:01.0937 3832 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/08/25 12:14:01.0953 3832 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/08/25 12:14:01.0968 3832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/08/25 12:14:02.0015 3832 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/08/25 12:14:02.0078 3832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/08/25 12:14:02.0109 3832 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/08/25 12:14:02.0125 3832 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/08/25 12:14:02.0140 3832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/08/25 12:14:02.0156 3832 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/08/25 12:14:02.0171 3832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/08/25 12:14:02.0187 3832 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/08/25 12:14:02.0218 3832 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/08/25 12:14:02.0265 3832 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/08/25 12:14:02.0312 3832 Secdrv (890cada2ab7acf53a5f9cce7515522a2) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/08/25 12:14:02.0328 3832 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/08/25 12:14:02.0343 3832 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/08/25 12:14:02.0375 3832 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/08/25 12:14:02.0421 3832 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/08/25 12:14:02.0453 3832 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/08/25 12:14:02.0500 3832 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/08/25 12:14:02.0515 3832 ss_bus (bbe84b6cde6771515c2b241a95771e51) C:\WINDOWS\system32\DRIVERS\ss_bus.sys
    2011/08/25 12:14:02.0546 3832 ss_mdfl (99493ceb59d7e98aaf05c3b6c453bb73) C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
    2011/08/25 12:14:02.0578 3832 ss_mdm (8a701b84bdad9d42f86f0d8658a7b6b6) C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
    2011/08/25 12:14:02.0609 3832 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/08/25 12:14:02.0640 3832 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/08/25 12:14:02.0703 3832 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/08/25 12:14:02.0734 3832 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/08/25 12:14:02.0781 3832 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/08/25 12:14:02.0796 3832 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/08/25 12:14:02.0843 3832 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/08/25 12:14:02.0875 3832 TfFsMon (a56ec942ecabfb7849bfa76060f929fb) C:\WINDOWS\system32\drivers\TfFsMon.sys
    2011/08/25 12:14:02.0906 3832 TfNetMon (917ef522563f6047685486efa486fb3c) C:\WINDOWS\system32\drivers\TfNetMon.sys
    2011/08/25 12:14:02.0921 3832 TfSysMon (57edbb5fe7ff09bb21121d13bb950ba5) C:\WINDOWS\system32\drivers\TfSysMon.sys
    2011/08/25 12:14:03.0046 3832 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys
    2011/08/25 12:14:03.0093 3832 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/08/25 12:14:03.0171 3832 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/08/25 12:14:03.0218 3832 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/08/25 12:14:03.0281 3832 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/08/25 12:14:03.0281 3832 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/08/25 12:14:03.0312 3832 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/08/25 12:14:03.0359 3832 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/08/25 12:14:03.0390 3832 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/08/25 12:14:03.0421 3832 UTS2pl (bda32ce7d8f1b752e06f3248d4b6bb4f) C:\WINDOWS\system32\DRIVERS\UTS2pl.sys
    2011/08/25 12:14:03.0500 3832 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/08/25 12:14:03.0531 3832 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/08/25 12:14:03.0578 3832 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/08/25 12:14:03.0625 3832 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/08/25 12:14:03.0703 3832 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/08/25 12:14:03.0812 3832 yukonwxp (a5d4eae27e68625296d685a786897491) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2011/08/25 12:14:03.0828 3832 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/08/25 12:14:03.0906 3832 Boot (0x1200) (6996510498ad3b919b8a8f686dba24d9) \Device\Harddisk0\DR0\Partition0
    2011/08/25 12:14:03.0906 3832 ================================================================================
    2011/08/25 12:14:03.0906 3832 Scan finished
    2011/08/25 12:14:03.0906 3832 ================================================================================
    2011/08/25 12:14:03.0921 0428 Detected object count: 3
    2011/08/25 12:14:03.0921 0428 Actual detected object count: 3
    2011/08/25 12:14:28.0515 0428 LockedFile.Multi.Generic(atapi) - User select action: Skip
    2011/08/25 12:14:28.0531 0428 HiddenFile.Multi.Generic(b744292) - User select action: Skip
    2011/08/25 12:14:28.0578 0428 i8042prt (64ea90326f9e5df7f487791996f7248c) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/25 12:14:29.0984 0428 Backup copy found, using it..
    2011/08/25 12:14:30.0000 0428 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
    2011/08/25 12:14:30.0000 0428 Rootkit.Win32.ZAccess.f(i8042prt) - User select action: Cure
    2011/08/25 12:15:03.0656 3844 Deinitialize success

    I'll be waiting for more instructions.
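    The TDSSKiller log above packs its findings into three kinds of lines: the enumeration line for each service (name, MD5, image path), a "Suspicious file" line, and a "detected" line, with the chosen action logged at the end under a different thread id. Pulling those together by hand is error-prone, so here is a small triage script that does it, written as an added example for this thread; it is not part of the original posts and not Kaspersky's tool. It assumes only the line layout visible in the log, and the sample log embedded in it is constructed from a handful of the lines above. One thing it checks that the tool's output only hints at: the hidden file's path, C:\WINDOWS\2453828619:4102798701.exe, has a colon in the file name, which on NTFS means the executable is stored as an alternate data stream attached to the WINDOWS directory, which is why it does not show up in an ordinary directory listing.

```python
"""Triage a TDSSKiller log: join each detection to the service's image path
and MD5, record the action the user chose, and flag NTFS alternate-data-
stream paths. Added example for this thread, not Kaspersky's code; it only
assumes the line layout visible in the posted log."""
import re

# Constructed sample: a few lines in the exact shape of the log above.
SAMPLE_LOG = r"""
2011/08/25 12:13:58.0890 3832 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/25 12:13:58.0890 3832 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: cdfe4411a69c224bd1d11b2da92dac51
2011/08/25 12:13:58.0906 3832 atapi - detected LockedFile.Multi.Generic (1)
2011/08/25 12:13:59.0140 3832 b744292 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2453828619:4102798701.exe
2011/08/25 12:13:59.0140 3832 Suspicious file (Hidden): C:\WINDOWS\2453828619:4102798701.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/25 12:13:59.0140 3832 b744292 - detected HiddenFile.Multi.Generic (1)
2011/08/25 12:13:59.0171 3832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/25 12:14:00.0062 3832 i8042prt (64ea90326f9e5df7f487791996f7248c) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/25 12:14:00.0078 3832 i8042prt - detected Rootkit.Win32.ZAccess.f (0)
2011/08/25 12:14:03.0828 3832 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/25 12:14:28.0515 0428 LockedFile.Multi.Generic(atapi) - User select action: Skip
2011/08/25 12:14:28.0531 0428 HiddenFile.Multi.Generic(b744292) - User select action: Skip
2011/08/25 12:14:30.0000 0428 Rootkit.Win32.ZAccess.f(i8042prt) - User select action: Cure
"""

# Every line starts with "<date> <time> <thread id>"; the rest is the body.
TS_PREFIX = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+(.*)$")
# "<service> (<md5>) <path>", with an optional "(0x1B8)"-style size for MBR/Boot.
ENUM_LINE = re.compile(r"^(\S+)(?: \(0x[0-9A-Fa-f]+\))? \(([0-9a-f]{32})\) (.+)$")
SUSPICIOUS = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")
DETECTED = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
ACTION = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$")


def is_ads_path(path: str) -> bool:
    """True if a colon appears after the drive letter, i.e. the file name
    carries an NTFS alternate-data-stream suffix (name:stream)."""
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in rest


def triage(log_text: str) -> dict:
    """Return drivers, detections (joined to path/md5/action) and the
    detections left untreated (any action other than Cure)."""
    drivers, suspicious, detections = {}, {}, {}
    for raw in log_text.splitlines():
        m = TS_PREFIX.match(raw.strip())
        if not m:
            continue  # banners, blank lines, "Backup copy found" etc.
        body = m.group(1)
        if (e := ENUM_LINE.match(body)):
            name, md5, path = e.groups()
            drivers[name] = {"md5": md5, "path": path}
        elif (s := SUSPICIOUS.match(body)):
            kind, path, md5 = s.groups()
            suspicious[path] = {"kind": kind, "md5": md5}
        elif (d := DETECTED.match(body)):
            name, verdict, code = d.groups()
            detections[name] = {"verdict": verdict, "code": int(code), "action": None}
        elif (a := ACTION.match(body)):
            verdict, name, action = a.groups()
            # The action line is keyed by verdict(service); match both.
            if name in detections and detections[name]["verdict"] == verdict:
                detections[name]["action"] = action
    for name, det in detections.items():
        drv = drivers.get(name, {})
        path = drv.get("path", "")
        det["path"] = path
        det["md5"] = drv.get("md5")
        det["ads"] = is_ads_path(path)
        det["suspicious"] = suspicious.get(path, {}).get("kind")
    skipped = sorted(n for n, d in detections.items() if d["action"] != "Cure")
    return {"drivers": drivers, "detections": detections, "skipped": skipped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, det in report["detections"].items():
        flag = " [ADS]" if det["ads"] else ""
        print(f"{name}: {det['verdict']} action={det['action']} {det['path']}{flag}")
    print("still present after this run:", report["skipped"])
```

    Run against the full log, the "skipped" list is what still needs attention after the Cure of i8042prt: the locked atapi.sys and the ADS-hosted b744292 service, which is exactly what the next posts go after.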
  9. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Good :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  10. monrayl

    monrayl TS Member Topic Starter Posts: 74

    I downloaded aswMBR.exe, but as soon as I started the scan the program closed. When I double click on the file I get the same message that I got when I tried to access my other antivirus software: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I cannot delete or move that file now. I did make an extra copy of the file when I downloaded it though. I downloaded combofix in the meantime but I didn't use it yet. I'll wait on a response from you before I do anything else.
  11. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Go ahead with Combofix.
  12. monrayl

    monrayl TS Member Topic Starter Posts: 74

    Hey there, things are looking better :D. I ran combofix and it detected a couple of infected files. Here's the log:

    ComboFix 11-08-27.01 - Monray 08/27/2011 17:56:32.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.679 [GMT 2:00]
    Running from: c:\documents and settings\Monray\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Monray\Application Data\facemoods.com
    c:\documents and settings\Monray\My Documents\psx\Need for Speed Underground 2\SDATA\Desktop_.ini
    c:\documents and settings\Monray\Recent\Thumbs.db
    c:\documents and settings\Monray\WINDOWS
    C:\index.htm
    c:\program files\ThreatFire\TFService.exe
    C:\VDM2E.tmp
    C:\VDM2F.tmp
    c:\windows\$NtUninstallKB46617$
    c:\windows\$NtUninstallKB46617$\1533150368
    c:\windows\$NtUninstallKB46617$\192168594\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    c:\windows\$NtUninstallKB46617$\192168594\click.tlb
    c:\windows\$NtUninstallKB46617$\192168594\L\bljvogys
    c:\windows\$NtUninstallKB46617$\192168594\loader.tlb
    c:\windows\$NtUninstallKB46617$\192168594\U\@00000001
    c:\windows\$NtUninstallKB46617$\192168594\U\@000000c0
    c:\windows\$NtUninstallKB46617$\192168594\U\@000000cb
    c:\windows\$NtUninstallKB46617$\192168594\U\@000000cf
    c:\windows\$NtUninstallKB46617$\192168594\U\@80000000
    c:\windows\$NtUninstallKB46617$\192168594\U\@800000c0
    c:\windows\$NtUninstallKB46617$\192168594\U\@800000cb
    c:\windows\$NtUninstallKB46617$\192168594\U\@800000cf
    c:\windows\daemon.dll
    c:\windows\desktop
    c:\windows\ST6UNST.000
    c:\windows\system32\c_67333.nls
    c:\windows\system32\paypal.url
    c:\windows\system32\setup.ini
    c:\windows\system32\winx.url
    .
    Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
    Restored copy from - The cat found it :)
    c:\windows\system32\userinit.exe . . . is infected!!
    .
    Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
    .
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe . . . is infected!!
    .
    c:\program files\ThreatFire\TFService.exe . . . is infected!!
    .
    c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_b744292
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 15:53 . 2004-08-04 12:00 74752 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
    2011-08-27 15:53 . 2004-08-04 12:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2011-08-25 10:15 . 2011-08-25 10:15 43408 --sha-w- c:\windows\system32\c_67333.nl_
    2011-08-21 20:22 . 2011-08-21 20:27 -------- d-----w- c:\program files\NoAdware5.0
    2011-08-20 14:30 . 2011-02-22 11:57 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-08-20 14:30 . 2011-02-22 11:57 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-08-20 14:30 . 2011-02-22 11:57 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-08-20 14:30 . 2011-08-27 16:06 -------- d-----w- c:\program files\ThreatFire
    2011-08-20 14:30 . 2011-08-20 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-08-19 14:56 . 2011-08-19 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-08-19 11:08 . 2011-08-19 15:00 -------- d-----w- c:\documents and settings\Monray\Application Data\Skype
    2011-08-08 18:08 . 2011-08-08 18:08 -------- d-----w- c:\program files\EA GAMES
    2011-08-08 17:27 . 2004-08-18 02:14 442368 ----a-w- c:\windows\system32\vp6vfw.dll
    2011-08-07 20:23 . 2011-08-07 20:23 -------- d-----w- c:\program files\Copy Cat
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\nvram
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\memcard
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\cfg
    2011-08-03 00:18 . 2011-08-03 00:18 -------- d-----w- c:\program files\DzSoft
    2011-08-03 00:07 . 2011-08-03 00:07 1311335 ----a-w- c:\windows\system32\aquarium.scr
    2011-08-03 00:02 . 2011-08-03 00:02 -------- d-----w- c:\program files\Isotope244 Graphics
    2011-08-02 22:41 . 2011-08-02 22:41 40960 ----a-r- c:\documents and settings\Monray\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41 . 2011-08-02 22:41 40960 ----a-r- c:\documents and settings\Monray\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41 . 2011-08-21 20:49 -------- d-----w- c:\program files\Serials 2005
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-25 10:15 . 2004-08-04 12:00 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-07-25 15:25 . 2011-07-25 15:25 2288128 ----a-w- c:\windows\system32\TUKernel.exe
    2011-07-12 20:17 . 2011-07-12 20:18 1201727 ----a-w- c:\program files\Common Files\unins000.exe
    2011-07-06 17:52 . 2011-05-26 08:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 17:52 . 2011-05-26 08:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 13:01 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
    2011-07-06 13:01 . 2004-08-04 12:00 1949184 ----a-w- c:\windows\system32\logonui.exe
    2011-06-27 23:19 . 2011-06-27 23:19 28672 ----a-w- c:\windows\system32\ssconfig.exe
    2011-06-27 23:19 . 2011-06-27 23:19 180224 ----a-w- c:\windows\UninstallWSST.exe
    2011-06-05 12:07 . 2011-06-05 12:06 1295928 ----a-w- c:\documents and settings\Monray\setup.exe
    2011-06-03 13:42 . 2011-07-06 13:01 1949184 ----a-w- c:\windows\system32\logonui.backup
    2011-03-18 17:53 . 2011-03-30 22:47 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
    [7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2004-08-03 20:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\documents and settings\Monray\My Documents\last xp software\RocketDock\RocketDock.exe" [2011-01-14 495616]
    "OutlookMessenger"="c:\program files\Outlook Messenger\OutlookMessenger.exe" [2009-02-16 6422528]
    "CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
    "L09AXLRD_40790265"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 351000]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 155648]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 131072]
    "RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
    "SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
    "NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
    "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2011-02-22 378128]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    .
    c:\documents and settings\Monray\Start Menu\Programs\Startup\
    WinFlip.lnk - c:\program files\WinFlip\WinFlip.exe [2008-5-30 483328]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-5-26 303104]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Monray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    "googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Outlook Messenger\\OutlookMessenger.exe"=
    "c:\\Program Files\\Outlook Messenger\\OMDesktop.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\snes9x\\snes9x.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\KONAMI\\Pro Evolution Soccer 5\\PES5.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\COD\\CoDMP.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\COD\\CoDUOMP.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\fceu\\fceu.exe"=
    "c:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"=
    "c:\\WINDOWS\\system32\\winver.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\last xp software\\Flashget\\flashget.exe"=
    "c:\\Documents and Settings\\Monray\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\Downloads\\tdsskiller.exe"=
    "c:\\Program Files\\ThreatFire\\TFHS.exe"=
    "c:\\Program Files\\ThreatFire\\TFNotice.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\Downloads\\avinstall.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\myapp.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\cool.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\avinstall.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
    "c:\\Program Files\\NoAdware5.0\\NoAdware5.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\TDSSKiller.exe"=
    "c:\\Program Files\\ImTOO\\Download YouTube Video\\DownloadYouTubeVideo.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\fba\\fba.exe"=
    "c:\\Program Files\\Microsoft Student\\Microsoft Student with Encarta Premium 2009 DVD\\ENCARTA.EXE"=
    "c:\\Documents and Settings\\Monray\\My Documents\\tdsskiller.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\aswMBR.exe"=
    .
    R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [1/10/2011 11:49 PM 160640]
    R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [1/10/2011 11:49 PM 5248]
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [7/2/2011 10:33 PM 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [7/2/2011 10:33 PM 5248]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [8/20/2011 4:30 PM 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [8/20/2011 4:30 PM 69392]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe" --> c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2/27/2011 5:17 PM 947528]
    S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Monray\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\Monray\LOCALS~1\Temp\cdrmkaun.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/26/2011 10:39 AM 41272]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [8/20/2011 4:30 PM 33552]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [11/29/2010 7:27 PM 10064]
    S3 UTS2pl;Motorola Serial port driver;c:\windows\system32\drivers\UTS2pl.sys [9/26/2010 5:23 PM 43264]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.google.co.za/
    IE: &Download All with FlashGet - c:\documents and settings\Monray\My Documents\last xp software\Flashget\jc_all.htm
    IE: &Download with FlashGet - c:\documents and settings\Monray\My Documents\last xp software\Flashget\jc_link.htm
    IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 196.28.182.20
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\Monray\Application Data\Mozilla\Firefox\Profiles\ekei0mud.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Notify-avgrsstarter - (no file)
    SafeBoot-78435852.sys
    MSConfigStartUp-4ECYTQ9SIC - c:\docume~1\Monray\LOCALS~1\Temp\Ghd.exe
    AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII\Uninst.isu
    AddRemove-Final Fantasy VII XP Patch - c:\program files\Square Soft
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 18:07
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
    "AlternateImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:dd,7a,8b,72,7b,f3,88,f3,a6,60,a4,b5,b9,a9,4a,ba,9d,4b,45,4d,ea,
    5e,a5,3f,b8,ee,5f,94,26,c7,59,48,ba,c3,de,36,3f,ac,50,47,1e,6d,89,c5,ec,2d,\
    "rkeysecu"=hex:f8,d2,05,da,fe,db,d2,f4,6b,9e,ac,3c,52,f1,e1,59
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(940)
    c:\documents and settings\Monray\My Documents\last xp software\RocketDock\RocketDock.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\program files\WinFlip\WFHook.dll
    c:\windows\system32\msi.dll
    c:\program files\CursorXP\CurXP0.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\wdfmgr.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 18:10:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 16:10
    .
    Pre-Run: 97,367,482,368 bytes free
    Post-Run: 97,655,791,616 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=KD1AO6 /Kernel=TUKernel.exe
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=KD1AO6-BAK
    .
    - - End Of File - - 7D37278015EA3AF92C3CAFAC3DD8D25E


    That weird process, 2453828619:4102798701.exe, is no longer running. Firefox still freezes when I browse the net though. I've clicked on a few Google search results and it seems that the Google redirecting problem has been resolved. Should I go ahead with rkill?
  13. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    No. You run it only when ComboFix doesn't want to run (as my instructions say).

    We still have work to do.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\system32\dllcache\atapi.sys | c:\windows\system32\drivers\atapi.sys
    
    File::
    c:\windows\system32\c_67333.nl_
    c:\docume~1\Monray\LOCALS~1\Temp\cdrmkaun.sys
    
    
    Driver::
    cdrmkaun
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  14. monrayl

    monrayl TS Member Topic Starter Posts: 74

    ComboFix ran a scan and rebooted my PC. Here's the log:

    ComboFix 11-08-27.01 - Monray 08/27/2011 19:54:44.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.503 [GMT 2:00]
    Running from: c:\documents and settings\Monray\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Monray\Desktop\CFScript.txt
    .
    FILE ::
    "c:\docume~1\Monray\LOCALS~1\Temp\cdrmkaun.sys"
    "c:\windows\system32\c_67333.nl_"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\c_67333.nl_
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_CDRMKAUN
    -------\Service_cdrmkaun
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 15:53 . 2004-08-04 12:00 74752 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
    2011-08-27 15:53 . 2004-08-04 12:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2011-08-21 20:22 . 2011-08-21 20:27 -------- d-----w- c:\program files\NoAdware5.0
    2011-08-20 14:30 . 2011-02-22 11:57 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-08-20 14:30 . 2011-02-22 11:57 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-08-20 14:30 . 2011-02-22 11:57 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-08-20 14:30 . 2011-08-27 16:06 -------- d-----w- c:\program files\ThreatFire
    2011-08-20 14:30 . 2011-08-20 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-08-19 14:56 . 2011-08-19 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-08-19 11:08 . 2011-08-19 15:00 -------- d-----w- c:\documents and settings\Monray\Application Data\Skype
    2011-08-08 18:08 . 2011-08-08 18:08 -------- d-----w- c:\program files\EA GAMES
    2011-08-08 17:27 . 2004-08-18 02:14 442368 ----a-w- c:\windows\system32\vp6vfw.dll
    2011-08-07 20:23 . 2011-08-07 20:23 -------- d-----w- c:\program files\Copy Cat
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\nvram
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\memcard
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\cfg
    2011-08-03 00:18 . 2011-08-03 00:18 -------- d-----w- c:\program files\DzSoft
    2011-08-03 00:07 . 2011-08-03 00:07 1311335 ----a-w- c:\windows\system32\aquarium.scr
    2011-08-03 00:02 . 2011-08-03 00:02 -------- d-----w- c:\program files\Isotope244 Graphics
    2011-08-02 22:41 . 2011-08-02 22:41 40960 ----a-r- c:\documents and settings\Monray\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41 . 2011-08-02 22:41 40960 ----a-r- c:\documents and settings\Monray\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41 . 2011-08-21 20:49 -------- d-----w- c:\program files\Serials 2005
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-25 10:15 . 2004-08-04 12:00 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-07-25 15:25 . 2011-07-25 15:25 2288128 ----a-w- c:\windows\system32\TUKernel.exe
    2011-07-12 20:17 . 2011-07-12 20:18 1201727 ----a-w- c:\program files\Common Files\unins000.exe
    2011-07-06 17:52 . 2011-05-26 08:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 17:52 . 2011-05-26 08:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 13:01 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
    2011-07-06 13:01 . 2004-08-04 12:00 1949184 ----a-w- c:\windows\system32\logonui.exe
    2011-06-27 23:19 . 2011-06-27 23:19 28672 ----a-w- c:\windows\system32\ssconfig.exe
    2011-06-27 23:19 . 2011-06-27 23:19 180224 ----a-w- c:\windows\UninstallWSST.exe
    2011-06-05 12:07 . 2011-06-05 12:06 1295928 ----a-w- c:\documents and settings\Monray\setup.exe
    2011-06-03 13:42 . 2011-07-06 13:01 1949184 ----a-w- c:\windows\system32\logonui.backup
    2011-03-18 17:53 . 2011-03-30 22:47 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
    [7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2004-08-03 20:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\documents and settings\Monray\My Documents\last xp software\RocketDock\RocketDock.exe" [2011-01-14 495616]
    "OutlookMessenger"="c:\program files\Outlook Messenger\OutlookMessenger.exe" [2009-02-16 6422528]
    "CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
    "L09AXLRD_40790265"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 351000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 155648]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 131072]
    "RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
    "SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
    "NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
    "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2011-02-22 378128]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    .
    c:\documents and settings\Monray\Start Menu\Programs\Startup\
    WinFlip.lnk - c:\program files\WinFlip\WinFlip.exe [2008-5-30 483328]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-5-26 303104]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Monray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    "googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Outlook Messenger\\OutlookMessenger.exe"=
    "c:\\Program Files\\Outlook Messenger\\OMDesktop.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\snes9x\\snes9x.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\KONAMI\\Pro Evolution Soccer 5\\PES5.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\COD\\CoDMP.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\COD\\CoDUOMP.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\fceu\\fceu.exe"=
    "c:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"=
    "c:\\WINDOWS\\system32\\winver.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\last xp software\\Flashget\\flashget.exe"=
    "c:\\Documents and Settings\\Monray\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\Downloads\\tdsskiller.exe"=
    "c:\\Program Files\\ThreatFire\\TFHS.exe"=
    "c:\\Program Files\\ThreatFire\\TFNotice.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\Downloads\\avinstall.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\myapp.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\cool.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\avinstall.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
    "c:\\Program Files\\NoAdware5.0\\NoAdware5.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\TDSSKiller.exe"=
    "c:\\Program Files\\ImTOO\\Download YouTube Video\\DownloadYouTubeVideo.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\fba\\fba.exe"=
    "c:\\Program Files\\Microsoft Student\\Microsoft Student with Encarta Premium 2009 DVD\\ENCARTA.EXE"=
    "c:\\Documents and Settings\\Monray\\My Documents\\tdsskiller.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\aswMBR.exe"=
    .
    R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [1/10/2011 11:49 PM 160640]
    R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [1/10/2011 11:49 PM 5248]
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [7/2/2011 10:33 PM 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [7/2/2011 10:33 PM 5248]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [8/20/2011 4:30 PM 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [8/20/2011 4:30 PM 69392]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe" --> c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2/27/2011 5:17 PM 947528]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/26/2011 10:39 AM 41272]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [8/20/2011 4:30 PM 33552]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [11/29/2010 7:27 PM 10064]
    S3 UTS2pl;Motorola Serial port driver;c:\windows\system32\drivers\UTS2pl.sys [9/26/2010 5:23 PM 43264]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.google.co.za/
    IE: &Download All with FlashGet - c:\documents and settings\Monray\My Documents\last xp software\Flashget\jc_all.htm
    IE: &Download with FlashGet - c:\documents and settings\Monray\My Documents\last xp software\Flashget\jc_link.htm
    IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 196.28.182.20
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\Monray\Application Data\Mozilla\Firefox\Profiles\ekei0mud.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 19:59
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
    "AlternateImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:dd,7a,8b,72,7b,f3,88,f3,a6,60,a4,b5,b9,a9,4a,ba,9d,4b,45,4d,ea,
    5e,a5,3f,b8,ee,5f,94,26,c7,59,48,ba,c3,de,36,3f,ac,50,47,1e,6d,89,c5,ec,2d,\
    "rkeysecu"=hex:f8,d2,05,da,fe,db,d2,f4,6b,9e,ac,3c,52,f1,e1,59
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2036)
    c:\documents and settings\Monray\My Documents\last xp software\RocketDock\RocketDock.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\program files\WinFlip\WFHook.dll
    c:\program files\CursorXP\CurXP0.dll
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 20:01:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 18:01
    ComboFix2.txt 2011-08-27 16:10
    .
    Pre-Run: 97,668,599,808 bytes free
    Post-Run: 97,653,944,320 bytes free
    .
    - - End Of File - - 508382AA4C9D9AD1A063948B7644FD08

    What next?
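The Sigcheck block in the log above is the part worth reading closely: three backup copies of atapi.sys hash identically (same MD5, same 95360-byte size), but the copy Windows actually loads from the drivers directory could not be opened at all, which is why the atapi.sys issue is still open. As an added example that is not part of this thread or of ComboFix, the Python below parses lines in that Sigcheck format, groups copies of the same file, and flags any file whose live copy is unreadable or hashes differently from its dllcache/backup copies; SIGCHECK_SAMPLE is the four lines from the log, while the regex, the grouping logic and the verdict strings are this example's own.

```python
import re
from collections import defaultdict

# The Sigcheck section from the ComboFix log posted above (copied as-is; a raw string keeps the backslashes).
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 20:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
"""

# One Sigcheck line has the shape: [status] date . md5 . size . . [version] . . path
# (this regex is the example's own reading of the format shown in the log, not ComboFix code).
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*)$"
)

# Verdicts returned by live_driver_verdict().
CONSISTENT = "consistent: live copy matches its backups"
SUSPECT_UNREADABLE = "suspect: live copy unreadable while backups hash cleanly"
SUSPECT_MISMATCH = "suspect: live copy hash differs from backups"
NO_DATA = "no live copy or no readable backup to compare"


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers, notes and '.' spacer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        # ComboFix writes "!HASH: COULD NOT OPEN FILE" in place of the MD5 when it cannot read the file.
        e["readable"] = not e["hash"].startswith("!HASH")
        entries.append(e)
    return entries


def file_name(path):
    """Lower-cased final path component, so copies in different directories group together."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_inconsistent(entries):
    """Group copies of the same file and report files whose copies disagree or cannot be hashed."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[file_name(e["path"])].append(e)

    findings = {}
    for name, copies in by_name.items():
        hashes = {c["hash"] for c in copies if c["readable"]}
        sizes = {c["size"] for c in copies}
        unreadable = [c["path"] for c in copies if not c["readable"]]
        reasons = []
        if unreadable:
            reasons.append("a copy could not be opened for hashing")
        if len(hashes) > 1:
            reasons.append("readable copies have different hashes")
        if len(sizes) > 1:
            reasons.append("copies differ in size")
        if reasons:
            findings[name] = {
                "reasons": reasons,
                "known_hashes": hashes,
                "unreadable": unreadable,
                "copies": len(copies),
            }
    return findings


def live_driver_verdict(entries, name="atapi.sys"):
    """Compare the copy Windows loads (the one under the drivers directory) with its dllcache/backup copies.

    A live driver the scanner cannot even open, while identical backups hash cleanly, is the
    pattern a kernel-mode rootkit guarding its infected file produces; the remedy used in this
    thread is ComboFix's FCopy of the dllcache copy over the live one.
    """
    copies = [e for e in entries if file_name(e["path"]) == name.lower()]
    live = [c for c in copies if "\\drivers\\" in c["path"].lower()]
    backups = [c for c in copies if "\\drivers\\" not in c["path"].lower() and c["readable"]]
    if not live or not backups:
        return NO_DATA
    reference = {b["hash"] for b in backups}
    if not live[0]["readable"]:
        return SUSPECT_UNREADABLE
    if len(reference) == 1 and live[0]["hash"] in reference:
        return CONSISTENT
    return SUSPECT_MISMATCH


if __name__ == "__main__":
    parsed = parse_sigcheck(SIGCHECK_SAMPLE)
    for fname, finding in find_inconsistent(parsed).items():
        print(fname, "->", "; ".join(finding["reasons"]))
    print("atapi.sys:", live_driver_verdict(parsed))
```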
  15. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    We still have some issue with atapi.sys file.
    Let's try one more time...

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\system32\dllcache\atapi.sys | c:\windows\system32\drivers\atapi.sys
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  16. monrayl

    monrayl TS Member Topic Starter Posts: 74

    Here is the log you requested:

    ComboFix 11-08-27.01 - Monray 08/27/2011 20:45:19.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.499 [GMT 2:00]
    Running from: c:\documents and settings\Monray\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Monray\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 15:53 . 2004-08-04 12:00 74752 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
    2011-08-27 15:53 . 2004-08-04 12:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2011-08-21 20:22 . 2011-08-21 20:27 -------- d-----w- c:\program files\NoAdware5.0
    2011-08-20 14:30 . 2011-02-22 11:57 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-08-20 14:30 . 2011-02-22 11:57 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-08-20 14:30 . 2011-02-22 11:57 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-08-20 14:30 . 2011-08-27 16:06 -------- d-----w- c:\program files\ThreatFire
    2011-08-20 14:30 . 2011-08-20 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-08-19 14:56 . 2011-08-19 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-08-19 11:08 . 2011-08-19 15:00 -------- d-----w- c:\documents and settings\Monray\Application Data\Skype
    2011-08-08 18:08 . 2011-08-08 18:08 -------- d-----w- c:\program files\EA GAMES
    2011-08-08 17:27 . 2004-08-18 02:14 442368 ----a-w- c:\windows\system32\vp6vfw.dll
    2011-08-07 20:23 . 2011-08-07 20:23 -------- d-----w- c:\program files\Copy Cat
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\nvram
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\memcard
    2011-08-06 17:37 . 2011-08-06 17:37 -------- d-----w- c:\documents and settings\Monray\cfg
    2011-08-03 00:18 . 2011-08-03 00:18 -------- d-----w- c:\program files\DzSoft
    2011-08-03 00:07 . 2011-08-03 00:07 1311335 ----a-w- c:\windows\system32\aquarium.scr
    2011-08-03 00:02 . 2011-08-03 00:02 -------- d-----w- c:\program files\Isotope244 Graphics
    2011-08-02 22:41 . 2011-08-02 22:41 40960 ----a-r- c:\documents and settings\Monray\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41 . 2011-08-02 22:41 40960 ----a-r- c:\documents and settings\Monray\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
    2011-08-02 22:41 . 2011-08-21 20:49 -------- d-----w- c:\program files\Serials 2005
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-25 10:15 . 2004-08-04 12:00 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-07-25 15:25 . 2011-07-25 15:25 2288128 ----a-w- c:\windows\system32\TUKernel.exe
    2011-07-12 20:17 . 2011-07-12 20:18 1201727 ----a-w- c:\program files\Common Files\unins000.exe
    2011-07-06 17:52 . 2011-05-26 08:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 17:52 . 2011-05-26 08:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 13:01 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
    2011-07-06 13:01 . 2004-08-04 12:00 1949184 ----a-w- c:\windows\system32\logonui.exe
    2011-06-27 23:19 . 2011-06-27 23:19 28672 ----a-w- c:\windows\system32\ssconfig.exe
    2011-06-27 23:19 . 2011-06-27 23:19 180224 ----a-w- c:\windows\UninstallWSST.exe
    2011-06-05 12:07 . 2011-06-05 12:06 1295928 ----a-w- c:\documents and settings\Monray\setup.exe
    2011-06-03 13:42 . 2011-07-06 13:01 1949184 ----a-w- c:\windows\system32\logonui.backup
    2011-03-18 17:53 . 2011-03-30 22:47 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\documents and settings\Monray\My Documents\last xp software\RocketDock\RocketDock.exe" [2011-01-14 495616]
    "OutlookMessenger"="c:\program files\Outlook Messenger\OutlookMessenger.exe" [2009-02-16 6422528]
    "CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
    "L09AXLRD_40790265"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 351000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 155648]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 131072]
    "RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
    "SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
    "NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
    "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2011-02-22 378128]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    .
    c:\documents and settings\Monray\Start Menu\Programs\Startup\
    WinFlip.lnk - c:\program files\WinFlip\WinFlip.exe [2008-5-30 483328]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-5-26 303104]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Monray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    "googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Outlook Messenger\\OutlookMessenger.exe"=
    "c:\\Program Files\\Outlook Messenger\\OMDesktop.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\snes9x\\snes9x.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\KONAMI\\Pro Evolution Soccer 5\\PES5.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\COD\\CoDMP.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\COD\\CoDUOMP.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\fceu\\fceu.exe"=
    "c:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"=
    "c:\\WINDOWS\\system32\\winver.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\last xp software\\Flashget\\flashget.exe"=
    "c:\\Documents and Settings\\Monray\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\Downloads\\tdsskiller.exe"=
    "c:\\Program Files\\ThreatFire\\TFHS.exe"=
    "c:\\Program Files\\ThreatFire\\TFNotice.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\Downloads\\avinstall.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\myapp.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\cool.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\avinstall.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
    "c:\\Program Files\\NoAdware5.0\\NoAdware5.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\TDSSKiller.exe"=
    "c:\\Program Files\\ImTOO\\Download YouTube Video\\DownloadYouTubeVideo.exe"=
    "c:\\Documents and Settings\\Monray\\My Documents\\psx\\Emulators\\fba\\fba.exe"=
    "c:\\Program Files\\Microsoft Student\\Microsoft Student with Encarta Premium 2009 DVD\\ENCARTA.EXE"=
    "c:\\Documents and Settings\\Monray\\My Documents\\tdsskiller.exe"=
    "c:\\Documents and Settings\\Monray\\Desktop\\aswMBR.exe"=
    .
    R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [1/10/2011 11:49 PM 160640]
    R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [1/10/2011 11:49 PM 5248]
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [7/2/2011 10:33 PM 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [7/2/2011 10:33 PM 5248]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [8/20/2011 4:30 PM 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [8/20/2011 4:30 PM 69392]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe" --> c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2/27/2011 5:17 PM 947528]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/26/2011 10:39 AM 41272]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [8/20/2011 4:30 PM 33552]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [11/29/2010 7:27 PM 10064]
    S3 UTS2pl;Motorola Serial port driver;c:\windows\system32\drivers\UTS2pl.sys [9/26/2010 5:23 PM 43264]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.google.co.za/
    IE: &Download All with FlashGet - c:\documents and settings\Monray\My Documents\last xp software\Flashget\jc_all.htm
    IE: &Download with FlashGet - c:\documents and settings\Monray\My Documents\last xp software\Flashget\jc_link.htm
    IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 196.28.182.20
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\Monray\Application Data\Mozilla\Firefox\Profiles\ekei0mud.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 20:48
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
    "AlternateImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:dd,7a,8b,72,7b,f3,88,f3,a6,60,a4,b5,b9,a9,4a,ba,9d,4b,45,4d,ea,
    5e,a5,3f,b8,ee,5f,94,26,c7,59,48,ba,c3,de,36,3f,ac,50,47,1e,6d,89,c5,ec,2d,\
    "rkeysecu"=hex:f8,d2,05,da,fe,db,d2,f4,6b,9e,ac,3c,52,f1,e1,59
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1756)
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\program files\CursorXP\CurXP0.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2011-08-27 20:49:22
    ComboFix-quarantined-files.txt 2011-08-27 18:49
    ComboFix2.txt 2011-08-27 18:01
    ComboFix3.txt 2011-08-27 16:10
    .
    Pre-Run: 97,660,747,776 bytes free
    Post-Run: 97,647,751,168 bytes free
    .
    - - End Of File - - 20ECDAEFEDE1614A05B16664BA132412
  17. Broni

    Super! It worked :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
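As an added example (not OTL's code and not part of this thread), the script below re-implements a handful of the filesystem checks from the custom scan list above in Python, so you can see what those lines actually look for: executables in folders that should not hold any (Fonts, inf, Installer, AppPatch), directories Windows does not create (system32\system32, winn32, system32\Rundll32), odd extensions (*.tro, *.quo, *.rmv), proquota.exe sitting under Wbem, and the `dir /b ... | find /i " " /c` check for .exe names containing spaces. The "why" strings are this example's own commentary. It builds a constructed sample tree with a few planted decoys so it runs anywhere; on the real machine you would pass %SystemRoot% as the first argument.

```python
"""Re-implementation of a few OTL custom-scan filesystem checks.

Added example, not OTL's code. Run with no arguments to scan a constructed
demo tree, or pass a directory (e.g. C:\\WINDOWS) to scan that instead.
"""
from __future__ import annotations

import sys
import tempfile
from pathlib import Path

# Globs taken from the custom scan list, rewritten relative to %SystemRoot%.
# The reason text is this example's commentary, not OTL output.
SYSROOT_CHECKS = [
    ("Fonts/*.exe", "executable in the Fonts folder"),
    ("inf/*.exe", "executable in the inf folder"),
    ("Installer/*.exe", "executable in the Installer folder"),
    ("AppPatch/*.exe", "executable in AppPatch"),
    ("system32/system32/*", "nested system32 folder is not a Windows default"),
    ("winn32/*", "winn32 is not a Windows folder"),
    ("system32/Rundll32/*", "a Rundll32 folder is not a Windows default"),
    ("system32/*.tro", "unexpected .tro file in system32"),
    ("system32/*.quo", "unexpected .quo file in system32"),
    ("system32/drivers/*.rmv", "unexpected .rmv file in drivers"),
    ("system32/Wbem/proquota.exe", "proquota.exe under Wbem instead of system32"),
]


def scan_sysroot(sysroot: Path) -> list[tuple[str, str]]:
    """Return (path relative to sysroot, reason) for every file hitting a check.

    Path.glob is case-sensitive on Linux while NTFS is not; on Windows you
    would normalise case or list both spellings of a pattern.
    """
    hits: list[tuple[str, str]] = []
    for pattern, reason in SYSROOT_CHECKS:
        for p in sorted(sysroot.glob(pattern)):
            if p.is_file():
                hits.append((p.relative_to(sysroot).as_posix(), reason))
    return hits


def exes_with_spaces(sysroot: Path) -> list[str]:
    r"""The list's  dir /b "%systemroot%\system32\*.exe" | find /i " " /c  check
    (plus the same for %systemroot% itself), returning names instead of a count."""
    found = []
    for folder in (sysroot, sysroot / "system32"):
        for p in folder.glob("*.exe"):
            if p.is_file() and " " in p.name:
                found.append(p.relative_to(sysroot).as_posix())
    return sorted(found)


def build_demo_tree() -> Path:
    """Constructed sample tree: benign files plus planted decoys that trip the
    checks. Nothing here comes from the affected machine."""
    root = Path(tempfile.mkdtemp(prefix="sysroot_"))
    benign = ["explorer.exe", "system32/kernel32.dll", "Fonts/arial.ttf",
              "system32/Wbem/wmic.exe", "system32/proquota.exe"]
    planted = ["Fonts/svchost.exe", "system32/system32/run.dll",
               "system32/Wbem/proquota.exe", "system32/update helper.exe",
               "system32/config.tro"]
    for rel in benign + planted:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ")  # placeholder content; only the name and location matter
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_tree()
    for rel, why in scan_sysroot(target):
        print(f"HIT  {rel:40s} {why}")
    for rel in exes_with_spaces(target):
        print(f"HIT  {rel:40s} .exe name contains a space")
```

The demo tree yields five hits: the four planted files that match a glob, and `system32/update helper.exe` from the embedded-space check. A hit is a lead, not a verdict: OTL reports the same paths and leaves the judgement to the reviewer reading the log.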
  18. monrayl (Topic Starter)

    OTL logfile created on: 8/27/2011 9:11:20 PM - Run 1
    OTL by OldTimer - Version 3.2.26.6 Folder = C:\Documents and Settings\Monray\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1014.23 Mb Total Physical Memory | 604.91 Mb Available Physical Memory | 59.64% Memory free
    2.39 Gb Paging File | 2.12 Gb Available in Paging File | 88.90% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 90.97 Gb Free Space | 39.06% Space Free | Partition Type: NTFS
    Drive E: | 650.10 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: MONRAY | User Name: Monray | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/08/27 21:08:54 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Monray\Desktop\OTL.exe
    PRC - [2011/02/22 13:57:34 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
    PRC - [2009/02/16 17:24:18 | 006,422,528 | ---- | M] (Srimax Software System) -- C:\Program Files\Outlook Messenger\OutlookMessenger.exe
    PRC - [2008/06/03 11:05:37 | 000,351,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE
    PRC - [2005/01/19 16:34:16 | 000,128,000 | ---- | M] ( ) -- C:\Program Files\CursorXP\CursorXP.exe
    PRC - [2004/08/04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2008/06/03 11:06:14 | 000,351,000 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\Reference 2009\MSENCXML.DLL
    MOD - [2008/06/03 11:06:14 | 000,269,080 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\Reference 2009\ERSREGPR.DLL
    MOD - [2008/06/03 11:06:14 | 000,228,120 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\Reference 2009\MSENCDAT.DLL
    MOD - [2008/06/03 11:06:14 | 000,178,968 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\Reference 2009\ENCCONT.DLL
    MOD - [2008/06/03 11:05:37 | 000,068,376 | ---- | M] () -- C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICTEIT.EBK
    MOD - [2005/09/06 13:27:30 | 000,230,400 | ---- | M] () -- C:\Program Files\IZArc\IZArcCM.dll
    MOD - [2001/10/28 17:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (TuneUp.UtilitiesSvc)
    SRV - File not found [Auto | Stopped] -- -- (ThreatFire)
    SRV - File not found [Auto | Stopped] -- -- (Nero BackItUp Scheduler 4.0)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011/03/18 08:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
    SRV - [2010/12/14 14:39:10 | 000,029,504 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2011/02/22 13:57:52 | 000,069,392 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
    DRV - [2011/02/22 13:57:52 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
    DRV - [2011/02/22 13:57:50 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
    DRV - [2010/11/29 19:27:40 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
    DRV - [2010/08/26 21:14:33 | 000,278,728 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
    DRV - [2010/08/26 21:14:32 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
    DRV - [2007/09/05 11:31:30 | 004,611,072 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/04/02 22:13:46 | 000,021,632 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
    DRV - [2006/11/02 08:01:00 | 000,250,496 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2005/01/24 15:38:04 | 000,084,512 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_mdm.sys -- (ss_mdm)
    DRV - [2005/01/24 15:38:04 | 000,006,064 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_mdfl.sys -- (ss_mdfl)
    DRV - [2005/01/24 15:38:00 | 000,052,384 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_bus.sys -- (ss_bus) Samsung Mobile USB Device 1.0 driver (WDM)
    DRV - [2004/08/22 16:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
    DRV - [2004/08/22 16:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)
    DRV - [2004/05/25 10:48:06 | 000,043,264 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UTS2pl.sys -- (UTS2pl)
    DRV - [2004/05/02 10:47:08 | 000,023,040 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\GVCplDrv.sys -- (GVCplDrv)
    DRV - [2004/04/30 09:37:02 | 000,160,640 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\a347bus.sys -- (a347bus)
    DRV - [2004/04/30 09:33:00 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\a347scsi.sys -- (a347scsi)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    IE - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    IE - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Facemoods Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://www.google.co.za/"
    FF - prefs.js..extensions.enabledItems: {5C46D283-ABDE-4dce-B83C-08881401921C}:2.1.5
    FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Monray\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Monray\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2011/03/03 15:34:41 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/31 00:47:54 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/29 21:29:35 | 000,000,000 | ---D | M]

    [2011/01/30 17:36:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Monray\Application Data\Mozilla\Extensions
    [2011/08/05 17:40:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Monray\Application Data\Mozilla\Firefox\Profiles\ekei0mud.default\extensions
    [2011/06/12 11:38:32 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\Monray\Application Data\Mozilla\Firefox\Profiles\ekei0mud.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    [2011/06/28 01:12:07 | 000,000,000 | ---D | M] (DealPly) -- C:\Documents and Settings\Monray\Application Data\Mozilla\Firefox\Profiles\ekei0mud.default\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
    [2011/08/19 13:10:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/04/29 21:29:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\MONRAY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EKEI0MUD.DEFAULT\EXTENSIONS\{056D0610-E44D-11DF-BCCF-0800200C9A66}.XPI
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\MONRAY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EKEI0MUD.DEFAULT\EXTENSIONS\{5C46D283-ABDE-4DCE-B83C-08881401921C}.XPI
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\MONRAY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EKEI0MUD.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\MONRAY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EKEI0MUD.DEFAULT\EXTENSIONS\ADBLOCKPOPUPS@JESSEHAKANEN.NET.XPI
    [2011/04/29 21:29:26 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/03/18 19:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/04/29 21:29:25 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2010/01/01 10:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/06/28 01:13:35 | 000,002,048 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fcmdSrchw7th1.xml

    O1 HOSTS File: ([2011/08/27 19:59:24 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Documents and Settings\Monray\My Documents\last xp software\Flashget\jccatch.dll (www.flashget.com)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O3 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {147D6308-0614-4112-89B1-31402F9B82C4} - No CLSID value found.
    O4 - HKLM..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTClk\NVRTClk.exe ()
    O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
    O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
    O4 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
    O4 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003..\Run: [L09AXLRD_40790265] C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE (Microsoft Corporation)
    O4 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003..\Run: [OutlookMessenger] C:\Program Files\Outlook Messenger\OutlookMessenger.exe (Srimax Software System)
    O4 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003..\Run: [RocketDock] C:\Documents and Settings\Monray\My Documents\last xp software\RocketDock\RocketDock.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe (FUJIFILM Corporation)
    O4 - Startup: C:\Documents and Settings\Monray\Start Menu\Programs\Startup\WinFlip.lnk = C:\Program Files\WinFlip\WinFlip.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\Monray\My Documents\last xp software\Flashget\JC_ALL.HTM ()
    O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\Monray\My Documents\last xp software\Flashget\JC_LINK.HTM ()
    O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM ()
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/jinstall-131_06-win.cab (Java Plug-in 1.3.1_06)
    O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 196.28.182.20
    O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Monray\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Monray\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/05/05 20:33:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004/08/18 10:54:53 | 000,000,000 | R--D | M] - E:\AutoRun -- [ CDFS ]
    O32 - AutoRun File - [2004/08/18 10:37:47 | 000,663,552 | R--- | M] () - E:\AutoRun.exe -- [ CDFS ]
    O32 - AutoRun File - [2004/08/18 04:13:47 | 000,598,016 | R--- | M] () - E:\AutoRunGUI.dll -- [ CDFS ]
    O32 - AutoRun File - [2004/08/18 10:53:40 | 000,000,083 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: UxTuneUp - C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software)
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
    Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
    Drivers32: VIDC.wmv3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
    Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
    Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/08/27 21:09:20 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2011/08/27 21:09:07 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Monray\Desktop\OTL.exe
    [2011/08/27 20:49:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/08/27 17:51:35 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/08/27 15:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Desktop\Backtracks Jimmy Swaggart .1
    [2011/08/27 13:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Desktop\grecon
    [2011/08/27 01:29:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/08/27 01:29:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/08/27 01:29:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/08/27 01:29:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/08/27 01:24:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/08/27 01:24:46 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/08/27 01:10:18 | 004,187,178 | R--- | C] (Swearware) -- C:\Documents and Settings\Monray\Desktop\ComboFix.exe
    [2011/08/26 20:32:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Desktop\bb
    [2011/08/25 12:11:02 | 001,406,768 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Monray\My Documents\tdsskiller.exe
    [2011/08/24 13:35:58 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Monray\Desktop\dds.scr
    [2011/08/21 22:22:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\NoAdware
    [2011/08/21 22:22:31 | 000,000,000 | ---D | C] -- C:\Program Files\NoAdware5.0
    [2011/08/20 16:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ThreatFire
    [2011/08/20 16:30:34 | 000,069,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
    [2011/08/20 16:30:34 | 000,051,984 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
    [2011/08/20 16:30:34 | 000,033,552 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
    [2011/08/20 16:30:33 | 000,000,000 | ---D | C] -- C:\Program Files\ThreatFire
    [2011/08/20 16:30:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
    [2011/08/20 15:14:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Desktop\AVG 9
    [2011/08/19 13:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Application Data\Skype
    [2011/08/08 22:04:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Desktop\The sims 2
    [2011/08/08 20:32:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\EA Games
    [2011/08/08 20:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EA GAMES
    [2011/08/08 20:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\My Documents\EA Games
    [2011/08/08 20:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\EA GAMES
    [2011/08/08 19:27:15 | 000,442,368 | ---- | C] (On2.com) -- C:\WINDOWS\System32\vp6vfw.dll
    [2011/08/07 22:23:11 | 000,000,000 | ---D | C] -- C:\Program Files\Copy Cat
    [2011/08/07 22:23:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Copy Cat
    [2011/08/06 19:37:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\nvram
    [2011/08/06 19:37:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\memcard
    [2011/08/06 19:37:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\cfg
    [2011/08/03 02:18:03 | 000,000,000 | ---D | C] -- C:\Program Files\DzSoft
    [2011/08/03 02:07:11 | 001,311,335 | ---- | C] (Axialis Software) -- C:\WINDOWS\System32\aquarium.scr
    [2011/08/03 02:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Static TV
    [2011/08/03 02:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\Isotope244 Graphics
    [2011/08/03 00:41:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Monray\Start Menu\Programs\Serials 2005 Crew
    [2011/08/03 00:41:20 | 000,000,000 | ---D | C] -- C:\Program Files\Serials 2005
    [2011/07/02 22:33:54 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
    [2011/07/02 22:33:54 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
    [2011/03/06 14:04:27 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Monray\Application Data\pcouffin.sys
    [2011/01/10 23:49:32 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
    [2011/01/10 23:49:32 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
    [13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/08/27 21:08:54 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Monray\Desktop\OTL.exe
    [2011/08/27 19:59:24 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/08/27 19:59:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/08/27 17:51:39 | 000,000,506 | RHS- | M] () -- C:\boot.ini
    [2011/08/27 01:29:01 | 004,187,178 | R--- | M] (Swearware) -- C:\Documents and Settings\Monray\Desktop\ComboFix.exe
    [2011/08/26 21:25:35 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2011/08/26 20:29:08 | 000,227,840 | ---- | M] () -- C:\Documents and Settings\Monray\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/08/26 10:35:34 | 001,916,416 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\aswMBR.exe
    [2011/08/25 15:59:18 | 000,000,125 | ---- | M] () -- C:\WINDOWS\kaillera.ini
    [2011/08/25 12:50:47 | 001,388,953 | ---- | M] () -- C:\Documents and Settings\Monray\My Documents\tdsskiller.zip
    [2011/08/25 12:12:50 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Monray\My Documents\tdsskiller.exe
    [2011/08/24 16:38:42 | 000,000,236 | ---- | M] () -- C:\n02.ini
    [2011/08/24 13:35:58 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Monray\Desktop\dds.scr
    [2011/08/21 22:22:33 | 000,000,710 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\NoAdware.lnk
    [2011/08/20 22:52:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/08/20 16:59:44 | 000,513,008 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\avinstall.exe
    [2011/08/19 17:49:16 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\TDSSKiller.exe
    [2011/08/18 21:35:32 | 000,158,529 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\EARTHQUAKE MAP CAPE SOUTH AFRICA 2011 may13_thumb[2].jpg
    [2011/08/14 22:09:39 | 000,852,232 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\Nedbank - Local Rates - Rates and Fees.png
    [2011/08/12 23:32:04 | 002,783,068 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\The Biggest Embarrassment Of Wrestling Divas - MGID.png
    [2011/08/08 16:43:03 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2011/08/03 02:11:52 | 000,153,159 | ---- | M] () -- C:\Documents and Settings\Monray\My Documents\bookfile.jar
    [2011/08/03 02:11:52 | 000,000,267 | ---- | M] () -- C:\Documents and Settings\Monray\My Documents\bookfile.jad
    [2011/08/03 02:07:12 | 001,311,335 | ---- | M] (Axialis Software) -- C:\WINDOWS\System32\aquarium.scr
    [2011/08/02 12:36:40 | 000,009,728 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
    [13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/08/27 17:51:39 | 000,000,389 | ---- | C] () -- C:\Boot.bak
    [2011/08/27 17:51:36 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/08/27 01:29:23 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/08/27 01:29:23 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/08/27 01:29:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/08/27 01:29:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/08/27 01:29:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/08/26 10:36:10 | 001,916,416 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\aswMBR.exe
    [2011/08/25 15:59:18 | 000,000,125 | ---- | C] () -- C:\WINDOWS\kaillera.ini
    [2011/08/25 12:50:47 | 001,388,953 | ---- | C] () -- C:\Documents and Settings\Monray\My Documents\tdsskiller.zip
    [2011/08/22 22:51:19 | 001,405,744 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\TDSSKiller.exe
    [2011/08/21 22:22:33 | 000,000,710 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\NoAdware.lnk
    [2011/08/20 17:00:25 | 000,513,008 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\avinstall.exe
    [2011/08/18 21:35:35 | 000,158,529 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\EARTHQUAKE MAP CAPE SOUTH AFRICA 2011 may13_thumb[2].jpg
    [2011/08/18 12:33:19 | 000,000,236 | ---- | C] () -- C:\n02.ini
    [2011/08/14 22:09:39 | 000,852,232 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\Nedbank - Local Rates - Rates and Fees.png
    [2011/08/12 23:32:04 | 002,783,068 | ---- | C] () -- C:\Documents and Settings\Monray\Desktop\The Biggest Embarrassment Of Wrestling Divas - MGID.png
    [2011/07/17 13:12:19 | 000,000,131 | ---- | C] () -- C:\WINDOWS\chess.ini
    [2011/07/16 17:03:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mfont.dat
    [2011/07/16 17:00:32 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
    [2011/07/12 22:18:08 | 001,201,727 | ---- | C] () -- C:\Program Files\Common Files\unins000.exe
    [2011/07/12 22:18:08 | 000,376,832 | ---- | C] () -- C:\WINDOWS\System32\M2000Twn.dll
    [2011/07/12 22:18:08 | 000,169,984 | ---- | C] () -- C:\WINDOWS\System32\glut32.dll
    [2011/07/12 22:18:08 | 000,169,984 | ---- | C] () -- C:\WINDOWS\System32\glut.dll
    [2011/07/12 22:18:08 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\CompressATI2.dll
    [2011/07/12 22:18:08 | 000,023,001 | ---- | C] () -- C:\Program Files\Common Files\unins000.dat
    [2011/07/12 17:43:06 | 000,000,110 | ---- | C] () -- C:\WINDOWS\GSdx9.INI
    [2011/07/03 00:06:18 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
    [2011/06/28 01:19:15 | 000,000,149 | ---- | C] () -- C:\WINDOWS\WSST_Screen_Saver.ini
    [2011/06/28 01:19:14 | 000,180,224 | ---- | C] () -- C:\WINDOWS\UninstallWSST.exe
    [2011/06/27 20:59:13 | 000,000,277 | ---- | C] () -- C:\WINDOWS\TheMatrix.ini
    [2011/05/23 16:41:54 | 000,111,104 | ---- | C] () -- C:\WINDOWS\System32\uharc.exe
    [2011/05/13 12:00:45 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2011/05/12 00:05:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/03/06 14:04:27 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Monray\Application Data\ezpinst.exe
    [2011/03/06 14:04:27 | 000,007,824 | ---- | C] () -- C:\Documents and Settings\Monray\Application Data\pcouffin.cat
    [2011/03/06 14:04:27 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Monray\Application Data\pcouffin.inf
    [2011/03/04 23:47:40 | 000,089,600 | ---- | C] () -- C:\WINDOWS\System32\SFUninst.exe
    [2011/02/28 00:39:17 | 000,003,659 | ---- | C] () -- C:\WINDOWS\mozver.dat
    [2011/02/26 22:54:43 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini
    [2011/02/26 22:54:39 | 000,088,064 | ---- | C] () -- C:\WINDOWS\System32\AudioExCtl.dll
    [2011/02/08 22:36:55 | 000,001,922 | ---- | C] () -- C:\WINDOWS\unins000.dat
    [2011/01/30 17:36:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2011/01/29 15:08:48 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
    [2011/01/24 14:37:44 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2011/01/24 14:37:43 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2011/01/24 12:13:38 | 000,797,541 | ---- | C] () -- C:\WINDOWS\System32\tm_redist.exe
    [2011/01/24 12:13:38 | 000,004,557 | ---- | C] () -- C:\WINDOWS\System32\lang.dat
    [2011/01/24 12:13:38 | 000,000,417 | ---- | C] () -- C:\WINDOWS\System32\os.dat
    [2011/01/24 12:13:38 | 000,000,334 | ---- | C] () -- C:\WINDOWS\System32\layout.bin
    [2011/01/10 22:43:00 | 000,000,847 | ---- | C] () -- C:\WINDOWS\eReg.dat
    [2010/11/25 20:35:35 | 000,036,904 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2010/09/26 17:43:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PanelExe.INI
    [2010/09/26 17:43:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EngineExe.INI
    [2010/09/26 17:42:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AlbumExe.INI
    [2010/09/26 17:42:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MessageExe.INI
    [2010/09/26 17:42:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\FileMgrExe.INI
    [2010/09/26 17:23:51 | 000,159,744 | R--- | C] () -- C:\WINDOWS\DrvRemover98_2K.exe
    [2010/08/26 21:14:32 | 000,278,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
    [2010/08/26 21:14:32 | 000,025,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
    [2010/08/05 17:07:37 | 000,000,029 | ---- | C] () -- C:\WINDOWS\coolacm.ini
    [2010/08/04 15:08:05 | 000,000,015 | ---- | C] () -- C:\WINDOWS\entpack.ini
    [2010/07/26 11:19:16 | 000,036,968 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
    [2010/07/25 00:01:46 | 000,000,536 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
    [2010/07/24 12:51:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\word search.INI
    [2010/07/24 12:45:29 | 000,000,073 | ---- | C] () -- C:\WINDOWS\lotto.INI
    [2010/07/01 19:15:54 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\NVRTClk.exe
    [2010/07/01 19:15:48 | 000,023,040 | R--- | C] () -- C:\WINDOWS\System32\drivers\GVCplDrv.sys
    [2010/06/17 20:17:09 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
    [2010/06/13 19:22:20 | 000,000,038 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
    [2010/06/05 18:10:41 | 000,002,210 | ---- | C] () -- C:\WINDOWS\coolmp3.ini
    [2010/06/05 14:11:05 | 000,000,027 | ---- | C] () -- C:\WINDOWS\winzip32.ini
    [2010/06/05 14:11:03 | 000,010,677 | ---- | C] () -- C:\WINDOWS\coolkb2k.ini
    [2010/05/30 20:16:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2010/05/26 23:03:22 | 000,227,840 | ---- | C] () -- C:\Documents and Settings\Monray\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/05/24 09:53:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Monray\Application Data\downloads.m3u
    [2010/05/17 14:34:43 | 000,000,022 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
    [2010/05/08 18:45:23 | 000,000,382 | ---- | C] () -- C:\Documents and Settings\Monray\Application Data\default.rss
    [2010/05/05 22:24:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/05/05 22:23:17 | 000,325,112 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/05/05 21:41:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/05/05 21:14:37 | 000,182,560 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/05/05 20:57:31 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2010/05/05 20:51:27 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
    [2010/05/05 20:34:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/05/05 20:30:52 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2006/10/02 21:57:52 | 000,184,191 | ---- | C] () -- C:\WINDOWS\ApplyTheme.exe
    [2004/08/04 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 14:00:00 | 000,493,576 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 14:00:00 | 000,083,974 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 14:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
    [2004/08/04 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 14:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 14:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 14:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2004/08/04 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2004/04/02 09:26:22 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\PDFSpooler.exe
    [2003/01/21 13:08:36 | 000,147,515 | ---- | C] () -- C:\WINDOWS\System32\playsound.dll
    [2001/10/28 17:42:30 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
  19. monrayl

    monrayl TS Member Topic Starter Posts: 74

    ========== LOP Check ==========

    [2011/08/27 01:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2010/11/25 20:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2011/03/20 15:32:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/05/23 23:40:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IconTweaker
    [2011/03/31 11:20:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ImTOO
    [2010/07/11 19:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
    [2010/07/07 16:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
    [2011/07/21 23:16:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2011/07/15 15:50:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TERMINAL Studio
    [2011/02/06 16:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
    [2011/07/23 18:31:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
    [2011/07/23 18:29:50 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
    [2011/05/22 16:15:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\cYo
    [2011/04/29 21:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\EarToner
    [2010/05/26 22:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\FUJIFILM
    [2011/07/06 14:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\GetRightToGo
    [2011/05/23 23:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\IconTweaker
    [2010/08/26 21:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Imperium Romanum
    [2011/03/31 11:21:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\ImTOO
    [2011/04/08 22:07:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Magic Academy
    [2011/06/16 14:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Magic Match
    [2010/09/26 17:42:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\MobileAction
    [2010/10/15 17:46:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\NetMedia Providers
    [2011/01/10 20:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\PDFCreator
    [2010/07/11 19:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Propellerhead Software
    [2010/10/15 17:46:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Publish Providers
    [2011/08/19 16:42:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\QuickScan
    [2011/07/17 15:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Runes of Avalon
    [2011/07/17 14:45:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Sahmon Games
    [2011/07/17 15:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Spandex Force
    [2011/07/17 15:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\SpInstallData
    [2011/02/28 00:39:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Thunderbird
    [2011/07/25 16:44:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\TuneUp Software
    [2011/05/23 16:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\ViStart
    [2011/03/06 14:04:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Monray\Application Data\Vso

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2011/03/27 13:52:14 | 000,307,689 | ---- | M] () -- C:\AnalysisLog.sr0
    [2010/05/05 20:33:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011/07/25 17:25:15 | 000,000,389 | ---- | M] () -- C:\Boot.bak
    [2011/08/27 17:51:39 | 000,000,506 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/08/27 20:49:22 | 000,013,319 | ---- | M] () -- C:\ComboFix.txt
    [2010/05/05 20:33:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/05/08 21:31:20 | 000,000,912 | ---- | M] () -- C:\deltaStartup.log
    [2010/09/26 17:37:18 | 000,540,916 | ---- | M] () -- C:\HMV9Inst.log
    [2010/05/05 20:33:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/09/26 17:35:53 | 000,180,155 | ---- | M] () -- C:\MALastLog.txt
    [2010/09/26 17:36:00 | 000,000,896 | ---- | M] () -- C:\MALog.txt
    [2010/05/05 20:33:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/08/24 16:38:42 | 000,000,236 | ---- | M] () -- C:\n02.ini
    [2004/08/04 14:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2004/08/04 14:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
    [2011/08/27 19:59:18 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
    [2010/11/25 20:07:57 | 000,000,085 | ---- | M] () -- C:\report.txt
    [2011/08/22 22:53:57 | 000,000,449 | ---- | M] () -- C:\rkill.log
    [2010/11/21 13:18:34 | 000,000,000 | ---- | M] () -- C:\t1e4.2
    [2011/08/25 12:15:03 | 000,039,384 | ---- | M] () -- C:\TDSSKiller.2.5.17.0_25.08.2011_12.13.44_log.txt
    [2011/06/13 12:31:12 | 000,002,048 | ---- | M] () -- C:\Uninstall.dat

    < %systemroot%\Fonts\*.com >
    [2006/04/19 20:21:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/07/02 22:37:10 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/19 20:21:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/07/02 22:37:12 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2010/05/05 20:32:51 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/10/14 16:43:18 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2003/06/18 17:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2006/10/14 16:44:44 | 000,671,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\PrintFilterPipelineSvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2010/08/02 22:00:50 | 000,551,424 | ---- | M] () -- C:\WINDOWS\TheMatrix.scr
    [13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2010/05/05 21:44:29 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2010/05/05 21:44:29 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2010/05/05 21:44:29 | 000,884,736 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010/05/05 20:33:13 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/05/05 20:38:46 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Monray\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2010/05/05 20:38:46 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Monray\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/08/26 10:35:34 | 001,916,416 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\aswMBR.exe
    [2011/08/20 16:59:44 | 000,513,008 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\avinstall.exe
    [2011/08/27 01:29:01 | 004,187,178 | R--- | M] (Swearware) -- C:\Documents and Settings\Monray\Desktop\ComboFix.exe
    [2011/07/12 22:13:19 | 004,467,308 | ---- | M] (KM-Software ) -- C:\Documents and Settings\Monray\Desktop\dx10_xp.exe
    [2011/08/27 21:08:54 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Monray\Desktop\OTL.exe
    [2011/03/17 08:49:38 | 022,964,104 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Monray\Desktop\SkypeSetupFull.exe
    [2011/08/19 17:49:16 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\TDSSKiller.exe
    [2011/04/08 14:13:51 | 020,815,752 | ---- | M] (TuneUp Software) -- C:\Documents and Settings\Monray\Desktop\TuneUpUtilities2011.exe

    < %PROGRAMFILES%\Common Files\*.* >
    [2011/07/12 22:18:10 | 000,023,001 | ---- | M] () -- C:\Program Files\Common Files\unins000.dat
    [2011/07/12 22:17:35 | 001,201,727 | ---- | M] () -- C:\Program Files\Common Files\unins000.exe

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2011/08/25 12:12:50 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Monray\My Documents\tdsskiller.exe

    < %USERPROFILE%\*.exe >
    [2011/06/05 14:07:24 | 001,295,928 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Monray\setup.exe

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/05/05 20:38:46 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Monray\Favorites\Desktop.ini
    [2011/03/12 02:34:02 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\Monray\Favorites\url.htm

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/08/27 20:50:58 | 000,081,920 | ---- | M] () -- C:\Documents and Settings\Monray\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2005/01/28 13:44:28 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004/08/04 14:00:00 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 01:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2004/08/04 01:06:34 | 000,082,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2004/08/04 01:06:34 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2004/08/04 01:06:34 | 001,667,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 14:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 14:00:00 | 000,018,052 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 14:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2010/09/22 14:54:39 | 000,005,120 | -HS- | M] () -- C:\Program Files\Messenger\Thumbs.db
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93DDEB75
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B606BA34
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38B32B54

    < End of report >
  20. monrayl

    monrayl TS Member Topic Starter Posts: 74

    OTL Extras logfile created on: 8/27/2011 9:11:20 PM - Run 1
    OTL by OldTimer - Version 3.2.26.6 Folder = C:\Documents and Settings\Monray\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1014.23 Mb Total Physical Memory | 604.91 Mb Available Physical Memory | 59.64% Memory free
    2.39 Gb Paging File | 2.12 Gb Available in Paging File | 88.90% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 90.97 Gb Free Space | 39.06% Space Free | Partition Type: NTFS
    Drive E: | 650.10 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: MONRAY | User Name: Monray | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========
  21. monrayl

    monrayl TS Member Topic Starter Posts: 74

    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htafile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" ()
    Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" ()
    Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
  22. monrayl

    monrayl TS Member Topic Starter Posts: 74

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe" = C:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe:*:Enabled:commandos3 -- ()
    "C:\Program Files\Outlook Messenger\OutlookMessenger.exe" = C:\Program Files\Outlook Messenger\OutlookMessenger.exe:*:Enabled:Outlook LAN Messenger -- (Srimax Software System)
    "C:\Program Files\Outlook Messenger\OMDesktop.exe" = C:\Program Files\Outlook Messenger\OMDesktop.exe:*:Enabled:Outlook Messenger Remote Desktop -- (Srimax Software System)
    "C:\Documents and Settings\Monray\My Documents\psx\Emulators\snes9x\snes9x.exe" = C:\Documents and Settings\Monray\My Documents\psx\Emulators\snes9x\snes9x.exe:*:Enabled:Snes9XW -- (Gary Henderson)
    "C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
    "C:\Program Files\KONAMI\Pro Evolution Soccer 5\PES5.exe" = C:\Program Files\KONAMI\Pro Evolution Soccer 5\PES5.exe:*:Enabled:pes5.exe -- (KONAMI)
    "C:\Documents and Settings\Monray\My Documents\psx\COD\CoDMP.exe" = C:\Documents and Settings\Monray\My Documents\psx\COD\CoDMP.exe:*:Enabled:CoDMP -- ()
    "C:\Documents and Settings\Monray\My Documents\psx\COD\CoDUOMP.exe" = C:\Documents and Settings\Monray\My Documents\psx\COD\CoDUOMP.exe:*:Disabled:CoDUOMP -- ()
    "C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
    "C:\Documents and Settings\Monray\My Documents\psx\Emulators\fceu\fceu.exe" = C:\Documents and Settings\Monray\My Documents\psx\Emulators\fceu\fceu.exe:*:Enabled:fceu -- ()
    "C:\Program Files\Kyodai Mahjongg 2006\kmj.exe" = C:\Program Files\Kyodai Mahjongg 2006\kmj.exe:*:Enabled:Kyodai Mahjongg -- (Rene-Gilles Deberdt)
    "C:\WINDOWS\system32\winver.exe" = C:\WINDOWS\system32\winver.exe:*:Enabled:winver -- (Microsoft Corporation)
    "C:\Documents and Settings\Monray\My Documents\last xp software\Flashget\flashget.exe" = C:\Documents and Settings\Monray\My Documents\last xp software\Flashget\flashget.exe:*:Enabled:FlashGet -- (FlashGet.com)
    "C:\Documents and Settings\Monray\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Monray\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome -- ()
    "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
    "C:\Program Files\The KMPlayer\KMPlayer.exe" = C:\Program Files\The KMPlayer\KMPlayer.exe:*:Disabled:The KMPlayer -- (Pandora.TV)
    "C:\Documents and Settings\Monray\My Documents\Downloads\tdsskiller.exe" = C:\Documents and Settings\Monray\My Documents\Downloads\tdsskiller.exe:*:Enabled:TDSS rootkit removing tool -- ()
    "C:\Program Files\ThreatFire\TFHS.exe" = C:\Program Files\ThreatFire\TFHS.exe:*:Enabled:pC Health Scan -- ()
    "C:\Program Files\ThreatFire\TFNotice.exe" = C:\Program Files\ThreatFire\TFNotice.exe:*:Enabled:pC Tools ThreatFire Notice -- (PC Tools)
    "C:\Documents and Settings\Monray\My Documents\Downloads\avinstall.exe" = C:\Documents and Settings\Monray\My Documents\Downloads\avinstall.exe:*:Enabled:pC Tools Installer -- ()
    "C:\Program Files\Malwarebytes' Anti-Malware\myapp.exe" = C:\Program Files\Malwarebytes' Anti-Malware\myapp.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)
    "C:\Program Files\Malwarebytes' Anti-Malware\cool.exe" = C:\Program Files\Malwarebytes' Anti-Malware\cool.exe:*:Enabled:Malwarebytes' Anti-Malware -- ()
    "C:\Documents and Settings\Monray\Desktop\avinstall.exe" = C:\Documents and Settings\Monray\Desktop\avinstall.exe:*:Enabled:pC Tools Installer -- ()
    "C:\Program Files\NoAdware5.0\NoAdware5.exe" = C:\Program Files\NoAdware5.0\NoAdware5.exe:*:Enabled:Noadware Application -- ()
    "C:\Documents and Settings\Monray\Desktop\TDSSKiller.exe" = C:\Documents and Settings\Monray\Desktop\TDSSKiller.exe:*:Enabled:TDSS rootkit removing tool -- ()
    "C:\Program Files\ImTOO\Download YouTube Video\DownloadYouTubeVideo.exe" = C:\Program Files\ImTOO\Download YouTube Video\DownloadYouTubeVideo.exe:*:Enabled:DownloadYouTubeVideo -- ()
    "C:\Documents and Settings\Monray\My Documents\psx\Emulators\fba\fba.exe" = C:\Documents and Settings\Monray\My Documents\psx\Emulators\fba\fba.exe:*:Enabled:Emulator for MC68000/Z80 based arcade games -- (Team FB Alpha)
    "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\ENCARTA.EXE" = C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\ENCARTA.EXE:*:Enabled:Microsoft Encarta -- (Microsoft Corporation)
    "C:\Documents and Settings\Monray\My Documents\tdsskiller.exe" = C:\Documents and Settings\Monray\My Documents\tdsskiller.exe:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)
    "C:\Documents and Settings\Monray\Desktop\aswMBR.exe" = C:\Documents and Settings\Monray\Desktop\aswMBR.exe:*:Enabled:avast! Antirootkit -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator 0.8.0
    "{02627EE5-EACA-4742-A9CC-E687631773E4}" = Nero ShowTime
    "{07043840-959A-4B0D-8825-2C533F0DDB19}" = Microsoft Math
    "{09041881-2C94-4A67-8E55-8483C019C7D2}" = Microsoft Student with Encarta Premium 2009
    "{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
    "{20400DBD-E6DB-45B8-9B6B-1DD7033818EC}" = Nero InfoTool Help
    "{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
    "{2348B586-C9AE-46CE-936C-A68E9426E214}" = Nero StartSmart Help
    "{23BE4DF2-293D-4077-82F4-1FD8C269277C}" = TuneUp Utilities Language Pack (en-US)
    "{23FBECC1-FA31-472A-83FB-27520B81EC3A}_is1" = TheMatrix Screen Saver version 1.14
    "{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}" = TuneUp Utilities 2011
    "{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 25
    "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
    "{2B00F757-3DE4-4055-85D5-96A093BD7F7C}" = Easy Language Classic
    "{311F799A-FCE9-4D9E-B5D2-CBB8859B40BB}" = Microsoft XNA Framework Redistributable 1.0 Refresh
    "{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN
    "{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word
    "{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent
    "{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
    "{405eb210-2a78-4096-9a25-eca9c608e80c}" = Nero 9 Essentials
    "{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
    "{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav
    "{52F6065D-27D0-4680-B2BC-C49C9A252459}" = Motorola Driver Installation
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
    "{5D9BE3C1-8BA4-4E7E-82FD-9F74FA6815D1}" = Nero Vision Help
    "{5E08ECD1-C98E-4711-BF65-8FD736B3F969}" = Nero RescueAgent Help
    "{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
    "{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
    "{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
    "{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
    "{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
    "{83202942-84B3-4C50-8622-B8C0AA2D2885}" = Nero Express Help
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
    "{88B32652-CAE0-4909-A463-5840D2689D93}" = FUJIFILM FinePixViewer S Ver.2.1
    "{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
    "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
    "{90120000-0014-0000-0000-0000000FF1CE}_PRO_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A31838F1-8E0D-4CA3-A40A-20825B92F125}" = Serials 2005
    "{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
    "{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
    "{B348E585-E872-41DF-8234-E2D49917CFBB}" = Learning Essentials for Microsoft Office
    "{B4002AEF-D44E-4FA1-A0AD-9F6CF99C2C89}" = Motorola Phone Tools
    "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
    "{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
    "{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works
    "{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
    "{C270BC04-1540-4673-960F-A546B2C860CD}" = Commandos 3 - Destination Berlin
    "{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}" = Nero Online Upgrade
    "{C94E45B0-6AA6-4FB9-9AAE-22085F631880}" = VBA
    "{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
    "{CC019E3F-59D2-4486-8D4B-878105B62A71}" = Nero DiscSpeed Help
    "{CE96F5A5-584D-4F8F-AA3E-9BAED413DB72}" = Nero CoverDesigner Help
    "{D2BFDD8E-D276-11D6-88AF-0050DA21757E}" = Java 2 Runtime Environment Standard Edition v1.3.1_06
    "{D67B1C57-0E05-4F8C-9011-1C8BAE293782}" = Samsung PC Studio
    "{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
    "{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Standard 9
    "{E254F7FF-1C85-47E1-96DB-1D9400C9F52A}" = Sonic Foundry Vegas 4.0d
    "{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
    "{E5C7D048-F9B4-4219-B323-8BDB01A2563D}" = Nero DriveSpeed Help
    "{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
    "{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" =
    "{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}" = Samsung PC Studio 3 USB Driver Installer
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F4041DCE-3FE1-4E18-8A9E-9DE65231EE36}" = Nero ControlCenter
    "{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
    "{F4471F23-A2C3-4481-9C95-4D0A7D3FD2A3}" = Pro Evolution Soccer 5
    "{F4F7F393-A8E8-42CC-8C2E-7A999B48B2AE}_is1" = DirectX 10 NE (New Edition)
    "{F6BDD7C5-89ED-4569-9318-469AA9732572}" = Nero BurnRights Help
    "{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "{Microsoft Student 2007_54A0E938-8390-489F-8F1A-563673334DFE}" = Microsoft Student 2007 for Learning Essentials
    "1769bible_2.0_is1" = 1769 Bible 2.0
    "3554AA4B-9B0B-451a-A269-2B5F53982209_is1" = ThreatFire
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Applian FLV Player2.0.24" = Applian FLV Player
    "Astro Avenger II" = Astro Avenger II
    "cars" = cars Screensaver
    "Cheatbook Database 2008" = Cheatbook Database 2008
    "ComicRack" = ComicRack v0.9.134
    "Cool Edit Pro 2.0" = Cool Edit Pro 2.0
    "Copy Cat_is1" = Copy Cat 2.0
    "CursorXP" = CursorXP
    "DealPly" = DealPly
    "Digital Guitar Tuner 2.3_is1" = Digital Guitar Tuner 2.3
    "DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
    "DVD Decrypter" = DVD Decrypter (Remove Only)
    "DVDFab Platinum_is1" = DVDFab Platinum 3.0.8.6
    "Final Fantasy VII_is1" = Final Fantasy VII - Ultima Edition
    "GEN_LYRICS_IE.DLL" = Winamp Lyrics (Explorer Version) v1.22
    "Great Secrect Da Vinci_is1" = Great Secrect Da Vinci
    "Guitar Power_is1" = Guitar Power 1.5.0
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "Image Icon Converter_is1" = Image Icon Converter 1.3
    "ImperialSudoku_is1" = Imperial Sudoku
    "ImTOO Download YouTube Video" = ImTOO Download YouTube Video
    "IZArc 3.5 beta 3_is1" = IZArc 3.5 beta 3
    "KLiteCodecPack_is1" = K-Lite Mega Codec Pack 1.66
    "Kyodai Mahjongg 2006_is1" = Kyodai Mahjongg 2006 v1.42
    "Macromedia Shockwave Player" = Macromedia Shockwave Player
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
    "Mozilla Firefox 4.0 (x86 en-US)" = Mozilla Firefox 4.0 (x86 en-US)
    "MSNINST" = MSN
    "NoAdware 5.0_is1" = NoAdware v5.0
    "OpenAL" = OpenAL
    "OutlookMessenger_is1" = OutlookMessenger V5.0
    "Peggle Nights Deluxe" = Peggle Nights Deluxe
    "PictureIt_v9" = Microsoft Picture It! Photo Standard 9
    "PRO" = Microsoft Office Professional 2007
    "RealChess_is1" = Real Chess
    "RMClock_is1" = RMClock 2.2
    "SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
    "Secure Copy 2_is1" = Pineda Network Secure Copy 2
    "ST6UNST #1" = Guitar Calculator Pro 4
    "Static TV" = Static TV 3D Screensaver Free
    "The KMPlayer" = The KMPlayer (remove only)
    "Total Video Converter 3.10_is1" = Total Video Converter 3.10
    "TuneUp Utilities 2011" = TuneUp Utilities 2011
    "Vista Anthracite Pack - UltraLite" = Vista Anthracite Pack - UltraLite 1.31
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "WIC" = Windows Imaging Component
    "Winamp" = Winamp
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows Media Player" = Windows Media Player 10
    "WinFlip 0.50" = WinFlip 0.50
    "Works2004Setup" = Microsoft Works 2004 Setup Launcher
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome
    "IconTweaker" = IconTweaker 1.12

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 8/13/2011 5:02:49 PM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application winflip.exe, version 0.0.0.0, faulting module
    winflip.exe, version 0.0.0.0, fault address 0x00004795.

    Error - 8/14/2011 4:42:14 AM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application winflip.exe, version 0.0.0.0, faulting module
    winflip.exe, version 0.0.0.0, fault address 0x00004795.

    Error - 8/15/2011 4:26:01 PM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application winflip.exe, version 0.0.0.0, faulting module
    winflip.exe, version 0.0.0.0, fault address 0x00004795.

    Error - 8/16/2011 6:15:57 AM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application winflip.exe, version 0.0.0.0, faulting module
    winflip.exe, version 0.0.0.0, fault address 0x00004795.

    Error - 8/17/2011 6:40:59 AM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application winflip.exe, version 0.0.0.0, faulting module
    winflip.exe, version 0.0.0.0, fault address 0x00004795.

    Error - 8/20/2011 8:36:24 AM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
    chrome.dll, version 12.0.742.122, fault address 0x005a6a9a.

    Error - 8/20/2011 12:16:09 PM | Computer Name = MONRAY | Source = Application Error | ID = 1000
    Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
    chrome.dll, version 12.0.742.122, fault address 0x005a6a9a.

    Error - 8/24/2011 12:07:56 PM | Computer Name = MONRAY | Source = Application Hang | ID = 1002
    Description = Hanging application mame32k.exe, version 0.67.0.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 8/24/2011 12:10:23 PM | Computer Name = MONRAY | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 2.0.0.4094, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 8/25/2011 10:43:29 AM | Computer Name = MONRAY | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 2.0.0.4094, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 8/27/2011 4:55:10 AM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7023
    Description = The Network Location Awareness (NLA) service terminated with the following
    error: %%127

    Error - 8/27/2011 4:55:10 AM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7023
    Description = The Network Location Awareness (NLA) service terminated with the following
    error: %%127

    Error - 8/27/2011 12:07:36 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The Nero BackItUp Scheduler 4.0 service failed to start due to the
    following error: %%2

    Error - 8/27/2011 12:07:36 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The ThreatFire service failed to start due to the following error:
    %%2

    Error - 8/27/2011 12:07:36 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The TuneUp Utilities Service service failed to start due to the following
    error: %%2

    Error - 8/27/2011 12:07:52 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The ThreatFire service failed to start due to the following error:
    %%2

    Error - 8/27/2011 1:59:32 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The Nero BackItUp Scheduler 4.0 service failed to start due to the
    following error: %%2

    Error - 8/27/2011 1:59:32 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The ThreatFire service failed to start due to the following error:
    %%2

    Error - 8/27/2011 1:59:32 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The TuneUp Utilities Service service failed to start due to the following
    error: %%2

    Error - 8/27/2011 1:59:35 PM | Computer Name = MONRAY | Source = Service Control Manager | ID = 7000
    Description = The ThreatFire service failed to start due to the following error:
    %%2


    < End of report >
  23. monrayl

    monrayl TS Member Topic Starter Posts: 74

    Firefox still freezes when I browse the internet (one of the reasons why I take a bit long to reply to your posts). Also, I am still not able to delete files that were 'blocked' by the virus. One of the files is aswMBR.exe. Any ideas?
  24. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Make sure to reinstall AVG.

    If you're using Firefox 3.x, close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode).
    If you're using Firefox 4, or 5 go Help>Restart Firefox with Add-ons Disabled.
    Same issue?

    Let me see what I can do.

    =====================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (TuneUp.UtilitiesSvc)
      SRV - File not found [Auto | Stopped] -- -- (ThreatFire)
      SRV - File not found [Auto | Stopped] -- -- (Nero BackItUp Scheduler 4.0)
      IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
      O3 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O3 - HKU\S-1-5-21-2052111302-73586283-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {147D6308-0614-4112-89B1-31402F9B82C4} - No CLSID value found.
      [13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2011/08/26 10:35:34 | 001,916,416 | ---- | M] () -- C:\Documents and Settings\Monray\Desktop\aswMBR.exe
      @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93DDEB75
      @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B606BA34
      @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38B32B54
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
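    The OTL fix above removes three kinds of leftovers: services whose binary is gone, alternate data streams on the All Users TEMP folder, and IE hooks registered under a CLSID with no class registration. The script below is an added example (not from the thread, OTL or its author) that re-checks those same three conditions after the reboot; it assumes PowerShell 3 or later run as Administrator, and the TEMP path is the one from the fix script.

```powershell
# Added example: re-check what the OTL fix removed. Assumes PS 3+ (for -Stream), elevated.

# 1. Services whose registered binary is missing (OTL: "SRV - File not found").
function Get-OrphanedService {
    Get-WmiObject Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd) { return }
        # Quoted path: keep the quoted part; otherwise cut before the first " -x" / " /x" argument.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+(?=[-/])')[0] }
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Service = $_.Name; StartMode = $_.StartMode; PathName = $cmd }
        }
    }
}

# 2. Alternate data streams attached to a folder (the fix deleted three on
#    "All Users\Application Data\TEMP"); ':$DATA' is the normal unnamed stream.
function Get-FolderAds([string]$Path) {
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{n = 'Path'; e = { $_.FileName }}, Stream, Length
}

# 3. BHOs and URLSearchHooks whose CLSID has no class registration
#    (OTL: "No CLSID value found" / "Reg Error: Key error").
function Get-OrphanedIeHook {
    $lists = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    )
    foreach ($key in $lists) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        # BHOs are subkeys named by CLSID; URLSearchHooks are values named by CLSID.
        $guids = @($item.GetSubKeyNames()) + @($item.GetValueNames()) |
            Where-Object { $_ -match '^\{[0-9A-F-]{36}\}$' }
        foreach ($g in $guids) {
            if (-not (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$g")) {
                [pscustomobject]@{ Location = $key; Clsid = $g }
            }
        }
    }
}

Get-OrphanedService | Format-Table -AutoSize
Get-FolderAds (Join-Path $env:ALLUSERSPROFILE 'Application Data\TEMP') | Format-Table -AutoSize
Get-OrphanedIeHook | Format-Table -AutoSize
```

Empty output from all three means nothing the fix removed has reappeared; a hit in the first list is often just a stale uninstall, so compare it against the fix log before treating it as a re-infection.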
  25. monrayl

    monrayl TS Member Topic Starter Posts: 74

    Here's the OTL log:

    All processes killed
    ========== OTL ==========
    Service TuneUp.UtilitiesSvc stopped successfully!
    Service TuneUp.UtilitiesSvc deleted successfully!
    Service ThreatFire stopped successfully!
    Service ThreatFire deleted successfully!
    Service Nero BackItUp Scheduler 4.0 stopped successfully!
    Service Nero BackItUp Scheduler 4.0 deleted successfully!
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
    Registry value HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
    Registry value HKEY_USERS\S-1-5-21-2052111302-73586283-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{147D6308-0614-4112-89B1-31402F9B82C4} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{147D6308-0614-4112-89B1-31402F9B82C4}\ not found.
    C:\WINDOWS\coolini.tmp deleted successfully.
    C:\WINDOWS\DXT20.tmp deleted successfully.
    C:\WINDOWS\DXT21.tmp deleted successfully.
    C:\WINDOWS\DXT22.tmp deleted successfully.
    C:\WINDOWS\DXT23.tmp deleted successfully.
    C:\WINDOWS\DXT24.tmp deleted successfully.
    C:\WINDOWS\DXT25.tmp deleted successfully.
    C:\WINDOWS\DXT26.tmp deleted successfully.
    C:\WINDOWS\DXT27.tmp deleted successfully.
    C:\WINDOWS\msdownld.tmp folder deleted successfully.
    C:\WINDOWS\SET3.tmp deleted successfully.
    C:\WINDOWS\SET4.tmp deleted successfully.
    C:\WINDOWS\SET8.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    C:\Documents and Settings\Monray\Desktop\aswMBR.exe moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:93DDEB75 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B606BA34 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:38B32B54 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Monray
    ->Temp folder emptied: 11567644 bytes
    ->Temporary Internet Files folder emptied: 317568 bytes
    ->Java cache emptied: 9721 bytes
    ->FireFox cache emptied: 59209785 bytes
    ->Google Chrome cache emptied: 9679591 bytes
    ->Flash cache emptied: 148814 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 888204 bytes

    Total Files Cleaned = 78.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: Monray
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.26.6 log created on 08272011_234949

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...