TechSpot

Live Security Platinum

By quickener
Jul 31, 2012
  1. My computer has been infected with the Live Security Platinum.
    I was unable to run Malwarebytes in normal or safe mode.
    I was unable to run GMER in normal mode. When I try to run it in Safe mode, I get the following error:
    LoadDriver("C:\DOCUME~1\Owner\LOCALS~1\Temp\axtdqpow.sys") error 0xC000010E:
    Cannot create a stable subkey under a volatile parent key
    And then it does run and the result file is blank.
    I then ran DDS and it started and ran all night but never finished. It seemed to have frozen.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================

    Start with this manual: http://www.bleepingcomputer.com/virus-removal/remove-live-security-platinum

    Let me know when done.
     
  3. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I was able to get FixExec to run, and the log file said no processes were found to kill.
    Then I went to Add or Remove Programs and tried to remove Live Security Platinum. When I click on the "Change/Remove" button for Live Security Platinum, nothing happens. Nothing gets uninstalled.
    Then I tried to launch my Firefox browser, but it says that Firefox is already running.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    What Windows version is it?
     
  5. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Windows XP
     
  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Let's see if we can look at your computer by booting from an external source.

    Please download OTLPE (file size 120.9 MB)

    • When downloaded, double-click OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well, so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved as C:\OTL.txt
    • Copy this file to your USB drive if you do not have an internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  7. quickener

    quickener TS Rookie Topic Starter Posts: 49

    OTL logfile created on: 8/1/2012 10:25:09 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 369.20 Gb Free Space | 79.27% Space Free | Partition Type: NTFS
    Drive D: | 76.68 Gb Total Space | 76.62 Gb Free Space | 99.91% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/07/19 12:14:48 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/06/19 14:44:22 | 000,777,728 | ---- | M] (Eastman Kodak Company) [Auto] -- C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe -- (Kodak AiO Status Monitor Service)
    SRV - [2012/06/18 22:13:46 | 000,394,712 | ---- | M] (Eastman Kodak Company) [Auto] -- C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe -- (Kodak AiO Network Discovery Service)
    SRV - [2011/10/08 00:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (MSICDSetup)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2012/07/31 18:24:37 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2011/07/07 19:21:30 | 000,119,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
    DRV - [2011/01/13 22:29:14 | 006,312,040 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2010/12/28 21:37:40 | 000,276,968 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2010/03/22 06:29:08 | 000,018,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2009/11/17 19:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
    DRV - [2009/11/17 19:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2007/04/16 17:46:34 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
    FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nxqi753.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/19 12:14:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/19 20:40:34 | 000,000,000 | ---D | M]

    [2012/05/03 21:26:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/07/19 12:14:49 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/07/06 15:29:27 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol400.dll
    [2011/03/18 14:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2012/03/31 23:09:54 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/03/18 14:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    [2012/06/19 20:35:06 | 000,002,252 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/06/19 20:35:06 | 000,002,040 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
    O4 - HKLM..\Run: [gmupap] C:\Documents and Settings\Owner\Application Data\gmupap.dll (Crytek)
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
    O4 - HKLM..\Run: [Super-Charger] C:\Program Files\MSI\Super-Charger\StartSuperCharger.exe (TODO: <Company name>)
    O4 - HKLM..\Run: [wiluit] C:\Documents and Settings\Owner\Application Data\wiluit.dll (EFD Software)
    O4 - HKU\Owner_ON_C..\Run: [HP Photosmart 6510 series (NET)] C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
    O4 - HKU\Owner_ON_C..\Run: [KB00697532.exe] C:\Documents and Settings\Owner\Application Data\KB00697532.exe (polmop)
    O4 - HKU\Owner_ON_C..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
    O4 - HKU\.DEFAULT..\RunOnce: [KodakHomeCenter] C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe (Eastman Kodak Company)
    O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - HKU\systemprofile_ON_C..\RunOnce: [KodakHomeCenter] C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe (Eastman Kodak Company)
    O4 - HKU\systemprofile_ON_C..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
    O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\UpdatusUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1303497883750 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/04/22 02:03:27 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O36 - AppCertDlls: logmgpwd - (C:\WINDOWS\system32\ddesator.dll) - C:\WINDOWS\system32\ddesator.dll (FRISK Software International)
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/08/01 20:30:56 | 000,883,616 | ---- | C] (Bleeping Computer, LLC) -- C:\FixExec.com
    [2012/07/31 22:55:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
    [2012/07/31 18:03:56 | 000,000,000 | --SD | C] -- C:\Documents and Settings\NetworkService\UserData
    [2012/07/31 17:58:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2012/07/31 17:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2012/07/31 17:26:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2012/07/31 17:26:18 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\UserData
    [2012/07/31 17:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2012/07/31 17:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum
    [2012/07/31 17:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\036E1BAF0054753300081DB97B07D287
    [2012/07/31 17:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{D80D9D8A-DB55-11E1-8270-B8AC6F996F26}
    [2012/07/31 17:22:37 | 000,452,608 | ---- | C] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
    [2012/07/31 17:22:10 | 000,056,320 | -H-- | C] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
    [2012/07/31 17:21:45 | 000,150,016 | -HS- | C] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
    [2012/07/31 17:21:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
    [2012/07/31 17:21:36 | 000,116,591 | -HS- | C] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
    [2012/07/31 17:18:30 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2012/07/31 17:11:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
    [2012/07/21 20:54:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2012/07/21 08:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Kodak
    [2012/07/12 16:25:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\My Games
    [2012/07/12 16:25:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\My Documents\My Games
    [2012/07/12 15:51:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Steam
    [2012/07/12 12:42:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
    [2012/07/12 12:42:44 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
    [2012/07/05 07:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\GTT
    [2011/10/30 20:37:55 | 000,800,824 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\UpdatusUser\Application Data\DPInst.exe
    [2011/10/30 20:37:55 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\UpdatusUser\Application Data\gacutil.exe
    [2011/10/30 20:37:55 | 000,036,352 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\UpdatusUser\Application Data\PnPutil.exe
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/08/01 22:15:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/08/01 21:34:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/08/01 20:29:12 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/08/01 15:16:38 | 000,883,616 | ---- | M] (Bleeping Computer, LLC) -- C:\FixExec.com
    [2012/07/31 18:24:37 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2012/07/31 17:25:19 | 000,002,256 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk
    [2012/07/31 17:22:39 | 000,452,608 | ---- | M] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
    [2012/07/31 17:22:10 | 000,056,320 | -H-- | M] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
    [2012/07/31 17:21:30 | 000,150,016 | -HS- | M] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
    [2012/07/31 17:21:26 | 000,116,591 | -HS- | M] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
    [2012/07/31 17:11:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
    [2012/07/31 17:11:02 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2012/07/31 17:11:00 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    [2012/07/31 17:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
    [2012/07/31 17:10:58 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
    [2012/07/31 17:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\LEGO Company
    [2012/07/31 17:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
    [2012/07/31 17:10:53 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\OpenOffice.org 3.3
    [2012/07/31 17:10:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/31 17:10:52 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    [2012/07/31 17:10:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
    [2012/07/31 17:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Ulead PhotoImpact 6
    [2012/07/31 16:01:01 | 000,000,332 | ---- | M] () -- C:\WINDOWS\tasks\HP Photo Creations Messager.job
    [2012/07/31 15:40:37 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
    [2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2012/07/31 08:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2012/07/31 08:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Legends of Norrath
    [2012/07/31 08:11:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack
    [2012/07/31 08:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\HP
    [2012/07/31 08:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EverQuest
    [2012/07/30 21:40:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2012/07/30 19:56:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
    [2012/07/30 15:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
    [2012/07/27 15:35:53 | 000,141,982 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Insurance.jpg
    [2012/07/27 15:35:53 | 000,003,974 | ---- | M] () -- C:\WINDOWS\ULEAD32.INI
    [2012/07/26 21:41:07 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
    [2012/07/26 21:41:07 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2012/07/25 09:40:55 | 000,033,456 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Whoops window.jpg
    [2012/07/21 11:54:10 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/07/21 08:49:56 | 000,001,859 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
    [2012/07/21 08:49:04 | 000,001,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
    [2012/07/17 19:01:04 | 000,120,544 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/07/17 18:52:54 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/07/16 16:59:58 | 000,230,840 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
    [2012/07/15 13:47:13 | 000,000,077 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
    [2012/07/12 12:47:40 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
    [2012/07/10 12:47:24 | 000,176,847 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\beauty_salon_makeover.jpg
    [2012/07/03 14:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/31 18:07:13 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/07/31 17:25:18 | 000,002,256 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk
    [2012/07/27 15:35:53 | 000,141,982 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Insurance.jpg
    [2012/07/25 09:40:55 | 000,033,456 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Whoops window.jpg
    [2012/07/21 08:49:56 | 000,001,859 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
    [2012/07/21 08:49:04 | 000,001,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
    [2012/07/12 15:51:57 | 000,000,077 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
    [2012/07/12 12:42:46 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
    [2012/07/10 12:47:23 | 000,176,847 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\beauty_salon_makeover.jpg
    [2012/04/24 19:53:22 | 000,000,057 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Ament.ini
    [2012/02/19 10:44:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/14 12:33:31 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit.INI
    [2011/12/27 18:54:34 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
    [2011/12/27 18:54:33 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
    [2011/10/30 20:37:55 | 000,000,181 | ---- | C] () -- C:\Documents and Settings\UpdatusUser\Application Data\gacutil.exe.config
    [2011/10/30 20:36:51 | 000,285,176 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
    [2011/10/30 20:36:51 | 000,285,176 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
    [2011/10/30 20:36:51 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
    [2011/10/28 21:14:13 | 000,003,974 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
    [2011/06/28 16:49:21 | 000,000,129 | -H-- | C] () -- C:\Documents and Settings\Owner\jagex_runescape_preferences2.dat
    [2011/06/28 16:48:19 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
    [2011/06/01 23:06:34 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
    [2011/05/11 23:17:55 | 000,000,128 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
    [2011/05/02 18:46:37 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/04/26 19:00:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2011/04/22 21:40:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/04/22 21:39:12 | 000,120,544 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/04/22 14:27:43 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2011/04/22 14:22:20 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2011/04/22 14:22:20 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2011/04/22 14:22:19 | 000,631,808 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2011/04/22 14:22:19 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2011/04/22 14:22:18 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/04/22 02:09:37 | 000,081,936 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
    [2011/04/22 02:04:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/04/22 02:01:22 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/04/14 08:00:00 | 000,441,450 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/04/14 08:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/04/14 08:00:00 | 000,071,642 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/04/14 08:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/04/14 08:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/04/14 08:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008/04/14 08:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2011/05/03 23:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Temp
    [2011/05/31 19:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canneverbe Limited
    [2011/07/06 15:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Catalina Marketing Corp
    [2012/07/31 17:22:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
    [2011/12/09 09:41:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EDrawings
    [2011/12/27 18:52:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
    [2011/09/04 11:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Juniper Networks
    [2011/12/03 12:05:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEGO Company
    [2011/04/26 19:00:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
    [2012/04/24 20:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony Online Entertainment
    [2011/12/18 16:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
    [2011/04/29 08:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Temp
    [2011/05/18 15:54:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Unity
    [2011/09/08 00:26:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\UpdatusUser\Application Data\Temp
    [2012/07/31 17:24:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\036E1BAF0054753300081DB97B07D287
    [2011/05/31 19:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
    [2011/05/20 09:14:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
    [2012/06/18 22:27:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
    [2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
    [2012/07/30 21:40:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
    [2012/07/30 19:56:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
    [2012/07/30 15:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job

    ========== Purity Check ==========


    < End of report >
     
  8. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [gmupap] C:\Documents and Settings\Owner\Application Data\gmupap.dll (Crytek)
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [wiluit] C:\Documents and Settings\Owner\Application Data\wiluit.dll (EFD Software)
    O4 - HKU\Owner_ON_C..\Run: [KB00697532.exe] C:\Documents and Settings\Owner\Application Data\KB00697532.exe (polmop)
    O36 - AppCertDlls: logmgpwd - (C:\WINDOWS\system32\ddesator.dll) - C:\WINDOWS\system32\ddesator.dll (FRISK Software International)
    [2012/07/31 17:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum
    [2012/07/31 17:22:37 | 000,452,608 | ---- | C] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
    [2012/07/31 17:22:10 | 000,056,320 | -H-- | C] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
    [2012/07/31 17:21:45 | 000,150,016 | -HS- | C] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
    [2012/07/31 17:21:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
    [2012/07/31 17:21:36 | 000,116,591 | -HS- | C] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
    [2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2012/07/30 21:40:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2012/07/30 19:56:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
    [2012/07/30 15:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
    [2012/07/31 17:25:18 | 000,002,256 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.

    Let me know if you can operate your computer fairly normally.
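The fix block above was assembled by hand from the OTL scan lines: Run entries with no file behind them, binaries launched from the user's Application Data, the AppCertDlls entry, hidden executables and folders, the At*.job tasks and anything named after the rogue product. As an added example (not OTL's code and not the helper's own method), the Python below parses those line shapes, applies heuristics of that kind, and drafts the same :OTL ... [purity] layout; the rules, the ROGUE_NAMES list and the one benign Run line (MSC) are constructed for this example, while the other sample lines are copied from the thread's log.

```python
"""Triage OTL scan lines and draft an ':OTL' fix block.

Added example, not OTL's or the forum's own code. It parses the line shapes seen
in the thread (O4 Run entries, O36 AppCertDlls entries and the
'[date | size | attrs | C/M] (company) -- path' file records) and flags what a
removal helper would move into the fix. The heuristics and ROGUE_NAMES are
constructed for this example; the sample lines are copied from the thread's log.
"""
import re
from dataclasses import dataclass

PE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
ROGUE_NAMES = ("live security platinum",)  # constructed list of rogue product names

FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O36_RE = re.compile(r"^O36 - AppCertDlls: (?P<name>\S+) - \((?P<path>[^)]+)\)")
# Per-user profile data dirs (All Users excluded), the Application Data root, System32, At jobs
PROFILE_RE = re.compile(
    r"^[A-Z]:\\Documents and Settings\\(?!All Users\\)[^\\]+\\(Application Data|Local Settings)\\",
    re.IGNORECASE)
APPDATA_ROOT_RE = re.compile(
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\Application Data\\[^\\]+$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)
AT_JOB_RE = re.compile(r"\\tasks\\at\d+\.job$", re.IGNORECASE)


@dataclass
class Finding:
    line: str    # the OTL line verbatim, so it can be pasted straight into the fix
    reason: str


def triage_line(line):
    """Return a Finding for a suspicious OTL line, or None for a benign or unparsed one."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        target = m.group("target")
        if target.startswith("File not found"):
            return Finding(line, "Run entry points at a missing file")
        if PROFILE_RE.match(target):
            return Finding(line, "Run entry launches a binary from a user profile")
        return None
    if O36_RE.match(line):
        return Finding(line, "AppCertDlls entry: DLL loaded into every new process")
    m = FILE_RE.match(line)
    if not m:
        return None
    path, attrs = m.group("path"), m.group("attrs")
    low = path.lower()
    is_dir, hidden = "D" in attrs, ("H" in attrs or "S" in attrs)
    if any(name in low for name in ROGUE_NAMES):
        return Finding(line, "name matches a known rogue security product")
    if is_dir:
        if hidden and APPDATA_ROOT_RE.match(path):
            return Finding(line, "hidden folder created in Application Data root")
        return None
    if AT_JOB_RE.search(path):
        return Finding(line, "At-style scheduled task (check who created it)")
    if not low.endswith(PE_EXT):
        return None
    if hidden and (PROFILE_RE.match(path) or SYSTEM32_RE.match(path)):
        return Finding(line, "hidden/system-attributed executable")
    if APPDATA_ROOT_RE.match(path):
        return Finding(line, "loose executable in Application Data root")
    return None


def triage(log_text):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def draft_fix(findings):
    """Lay the flagged lines out in the fix-script shape used in the thread."""
    body = "\n".join(f.line for f in findings)
    return f":OTL\n{body}\n\n:Services\n\n:Reg\n\n:Files\n\n:Commands\n[purity]\n"


# Sample lines copied from the thread's OTL log, plus one constructed benign Run entry (MSC).
SAMPLE = r"""
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [gmupap] C:\Documents and Settings\Owner\Application Data\gmupap.dll (Crytek)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O36 - AppCertDlls: logmgpwd - (C:\WINDOWS\system32\ddesator.dll) - C:\WINDOWS\system32\ddesator.dll (FRISK Software International)
[2012/07/31 17:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum
[2012/07/31 17:22:10 | 000,056,320 | -H-- | C] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
[2012/07/31 17:21:45 | 000,150,016 | -HS- | C] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
[2012/07/31 17:22:37 | 000,452,608 | ---- | C] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
[2012/07/31 17:21:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
[2008/04/14 08:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2011/04/26 19:00:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
[2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
"""

if __name__ == "__main__":
    print(draft_fix(triage(SAMPLE)))
```

The drafted block is a starting point for review, not something to run blind: every flagged line still needs a human to confirm it before it goes into a fix.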
     
  9. quickener

    quickener TS Rookie Topic Starter Posts: 49

    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gmupap deleted successfully.
    C:\Documents and Settings\Owner\Application Data\gmupap.dll moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wiluit deleted successfully.
    C:\Documents and Settings\Owner\Application Data\wiluit.dll moved successfully.
    Registry value HKEY_USERS\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\KB00697532.exe deleted successfully.
    C:\Documents and Settings\Owner\Application Data\KB00697532.exe moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\\logmgpwd deleted successfully.
    C:\WINDOWS\system32\ddesator.dll moved successfully.
    C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum folder moved successfully.
    File C:\Documents and Settings\Owner\Application Data\wiluit.dll not found.
    File C:\WINDOWS\System32\ddesator.dll not found.
    File C:\Documents and Settings\Owner\Application Data\gmupap.dll not found.
    C:\Documents and Settings\Owner\Application Data\E9E174FD folder moved successfully.
    File C:\Documents and Settings\Owner\Application Data\KB00697532.exe not found.
    C:\WINDOWS\tasks\At1.job moved successfully.
    C:\WINDOWS\tasks\At2.job moved successfully.
    C:\WINDOWS\tasks\At3.job moved successfully.
    C:\WINDOWS\tasks\At4.job moved successfully.
    C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 08012012_225136
    I rebooted into Windows normally. However, some of the icons on the desktop (pictures, PDF files) are semi-transparent (but still accessible); normally, these icons are not transparent at all. However, Firefox still will not start - it says that another Firefox is already running even though one is not running.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. quickener

    quickener TS Rookie Topic Starter Posts: 49

    ComboFix seems like it's running - it shows a lot of actions being done, but there is no log file produced at C:\
    It behaves the same in both normal mode and safe mode.
    Since ComboFix seems to run, do I need to run the Rkill now?
     
  12. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Delete that last point - I didn't give it enough time - ComboFix is now doing more.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Yeah, be patient.
     
  14. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I let it run all night but it never finished - the computer clock stopped and so I assume it's frozen.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  16. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I am not able to install MalwareBytes in normal or safe mode - it says Access is denied.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ==================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  18. quickener

    quickener TS Rookie Topic Starter Posts: 49

    RogueKiller V7.6.4 [07/17/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Safe mode with network support
    User: Owner [Admin rights]
    Mode: Scan -- Date: 08/03/2012 00:26:07
    ¤¤¤ Bad processes: 0 ¤¤¤
    ¤¤¤ Registry Entries: 4 ¤¤¤
    [] HKLM\[...]\Windows : () -> ACCESS DENIED
    [HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [] HKLM\[...]\Windows : () -> ACCESS DENIED
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] n : c:\windows\installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n --> FOUND
    [ZeroAccess][FOLDER] U : c:\windows\installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U --> FOUND
    [ZeroAccess][FOLDER] L : c:\windows\installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L --> FOUND
    [ZeroAccess][FILE] n : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n --> FOUND
    [ZeroAccess][FILE] @ : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\@ --> FOUND
    [ZeroAccess][FOLDER] U : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U --> FOUND
    [ZeroAccess][FOLDER] L : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L --> FOUND
    ¤¤¤ Driver: [NOT LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD5000AAKX-001CA0 +++++
    --- User ---
    [MBR] f2b26f4a06648a628753ed362c9d30e5
    [BSP] 7fb7dea00ad6e99de11b2a8ceacbf9b5 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 64b8b3e7154e60982ac38a1f53fa5243
    [BSP] 7fb7dea00ad6e99de11b2a8ceacbf9b5 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
    1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976752000 | Size: 10 Mo
    +++++ PhysicalDrive1: HDS728080PLA380 +++++
    Error reading User MBR!
    Error reading LL1 MBR!
    User = LL2 ... OK!
    +++++ PhysicalDrive2: Generic Flash Disk USB Device +++++
    --- User ---
    [MBR] e9321e57397cd6917a1faf5e355946a9
    [BSP] b110915c91eb31922bb631406f7f0bd7 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0x72) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
    1 - [XXXXXX] UNKNOWN (0x65) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
    2 - [XXXXXX] UNKNOWN (0x79) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
    3 - [XXXXXX] UNKNOWN (0x0d) [VISIBLE] Offset (sectors): 2885681152 | Size: 27 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt



    aswMBR will not run in safe mode - it says that "A device attached to the system is not functioning".
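The MBR Check in the report above is a cross-view comparison: the first sector of each disk is hashed as read through the normal Windows API (User) and through two lower-level reads (LL1, LL2), and "User != LL2 ... KO!" means the two views disagree, with a hidden, active 0x17 partition appearing only in the low-level view. As an added example (not RogueKiller's own code), the Python below parses that section and produces the same verdict per drive; that LL1/LL2 are raw reads below the API layer is an assumption about the report's labels, and the sample text is copied from the report above.

```python
"""Cross-check the MBR views in a RogueKiller 'MBR Check' section.

Added example, not RogueKiller's code. The report hashes each disk's first
sector as read through the normal Windows API ('User') and through two
lower-level paths ('LL1', 'LL2'; assumed here to be raw reads below the API).
The usual reason for a mismatch is a bootkit filtering disk I/O: it hands the
original sector to the API while the raw read returns what is really on disk.
This parser extracts the hash and partition table per view and reports drives
whose views disagree, plus the partitions only a low-level view can see.
The sample text is copied from the thread's report.
"""
import re

DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
VIEW_RE = re.compile(r"^--- (?P<view>User|LL1|LL2) ---$")
HASH_RE = re.compile(r"^\[MBR\] (?P<hash>[0-9a-f]{32})$")
PART_RE = re.compile(
    r"^(?P<idx>\d+) - \[(?P<flag>[A-Z]+)\] (?P<fs>\S+) \((?P<type>0x[0-9a-f]{2})\) "
    r"\[(?P<vis>[A-Z!]+)\] Offset \(sectors\): (?P<off>\d+) \| Size: (?P<size>\d+) Mo$")
ERR_RE = re.compile(r"^Error reading (?P<view>User|LL1|LL2) MBR!$")


def parse_mbr_check(text):
    """Return {drive: {"model", "views": {view: {"hash", "parts"}}, "errors": [views]}}."""
    drives, cur, view = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVE_RE.match(line)
        if m:
            cur = drives.setdefault(m.group("drive"),
                                    {"model": m.group("model"), "views": {}, "errors": []})
            view = None
            continue
        if cur is None:
            continue
        if m := VIEW_RE.match(line):
            view = cur["views"].setdefault(m.group("view"), {"hash": None, "parts": []})
        elif m := ERR_RE.match(line):
            cur["errors"].append(m.group("view"))
        elif view is not None and (m := HASH_RE.match(line)):
            view["hash"] = m.group("hash")
        elif view is not None and (m := PART_RE.match(line)):
            view["parts"].append(m.groupdict())
    return drives


def assess(drives):
    """Per drive: 'mismatch', 'consistent' or 'unreadable', plus partitions the API view lacks."""
    verdicts = {}
    for name, d in drives.items():
        hashes = {v: info["hash"] for v, info in d["views"].items() if info["hash"]}
        if not hashes:
            verdicts[name] = {"status": "unreadable", "extra_parts": [], "errors": d["errors"]}
            continue
        api = {(p["type"], p["off"]) for p in d["views"].get("User", {"parts": []})["parts"]}
        extra = [p for v, info in d["views"].items() if v != "User"
                 for p in info["parts"] if (p["type"], p["off"]) not in api]
        status = "mismatch" if len(set(hashes.values())) > 1 else "consistent"
        verdicts[name] = {"status": status, "extra_parts": extra, "errors": d["errors"]}
    return verdicts


# Copied from the thread's RKreport (the hashes are the report's own values)
SAMPLE = """
+++++ PhysicalDrive0: WDC WD5000AAKX-001CA0 +++++
--- User ---
[MBR] f2b26f4a06648a628753ed362c9d30e5
[BSP] 7fb7dea00ad6e99de11b2a8ceacbf9b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 64b8b3e7154e60982ac38a1f53fa5243
[BSP] 7fb7dea00ad6e99de11b2a8ceacbf9b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976752000 | Size: 10 Mo
+++++ PhysicalDrive1: HDS728080PLA380 +++++
Error reading User MBR!
Error reading LL1 MBR!
User = LL2 ... OK!
+++++ PhysicalDrive2: Generic Flash Disk USB Device +++++
--- User ---
[MBR] e9321e57397cd6917a1faf5e355946a9
[BSP] b110915c91eb31922bb631406f7f0bd7 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNOWN (0x72) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
"""

if __name__ == "__main__":
    for drive, v in assess(parse_mbr_check(SAMPLE)).items():
        print(drive, v["status"], [(p["type"], p["vis"], p["off"]) for p in v["extra_parts"]])
```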
     
  19. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    We need to use the Recovery Console to try to fix your issue.

    • You'll need to find your Windows XP installation disk.
    • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
    • If prompted, click any options that are required to start the computer from the CD-ROM drive.
    • When the Welcome to Setup screen appears, press R to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to.
      • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    • You will now be presented with a C:\Windows> prompt
    • Type with an Enter after each line:

    • fixmbr

      fixboot

      exit
    • Restart computer.

    ************************

    If you don't have Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    ====================================

    When done post new RogueKiller log.
     
  20. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I did the recovery and now a black screen comes up on restart that says "NTLDR is missing" and all I can do is restart. But it always comes back to that screen. It seems that something is very wrong now.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You will need a USB flash drive.

    Download GETxPUD.exe to the desktop of your clean computer
    • Run GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Next download rst.sh to your USB flash drive
    • Remove the USB & CD and insert them in the sick computer
    • Boot the Sick computer with the CD you just burned
    • The computer must be set to boot from the CD
    • Gently tap F12 and choose to boot from the CD
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
    • Confirm that you see rst.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash rst.sh
    • Press Enter
    • After it has finished a report will be located on your USB drive named enum.log
    • Remove the USB drive and insert it back in your working computer and navigate to enum.log

      Please note - all text entries are case sensitive
    Copy and paste the enum.log for my review
     
  22. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I made it to the Welcome to xPUD screen, then it went to a DOS screen with a good number of problems such as "unable to connect to X server" and "Server error". At the bottom of the screen is a prompt

    sh-4.0#
    This is as far as it gets.
     
  23. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

    Please print this guide for future reference!

    You will need a blank CD, a clean computer and a flash drive.

    Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

    :step1:

    1. Download and Run Ultimate Boot CD for Windows
    • Save it to your Desktop.
    • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
    • Follow all of the instructions/prompts that come up.
      NOTES:
      • Do not install to a folder with spaces in its name.
      • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
    2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
    • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
    • Click "I agree" to the Builders License.
    • Click NO to Search for Windows Installation Files
    • Make the following selections from the Main Screen that pops up:
      • Builder
        • Source:(path to Windows installation files)
          • Enter the path to the drive where your XP CD is located.
          • You can click on the "..." button on the right to navigate to the path as well.
        • Custom: (include files and folders from this directory)
          • No information is necessary, leave blank.
        • Output: (C:\ubcd4win\BartPE)
          • Keep the default BartPE
      • Media output
        • Choose Create ISO image
        • Do not choose Burn to CD/DVD


        Please note: If your XP install disc is SP1 then please .....
        1. Disable- DComLaunch Service
        2. Enable- LargeIDE Fix

          This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

        Also note: If you have a Dell XP install disc you will need to follow the instructions here
        http://www.ubcd4win.com/faq.htm#dell

      3. Click on the "Build" button
      • You will see the Windows EULA message. Click on I Agree
      • You will now see the Build Screen. Let it run its course
      • When the Build is finished you can click close, then exit


      4. Burn your ISO file to CD
      • Please see HERE on how to burn an ISO to CD.

    ==========

    :step2:

    Next, from your clean computer:

    Download Farbar Recovery Scan Tool
    and save it to your flash drive.

    Now plug your flashdrive back into your sick computer and follow the next instructions:

    ==========

    :step3:

    1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
    • Insert the UBCD4Win disc in to one of your CD/DVD drives.
    • Restart your computer.
      • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
    • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
      • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
    • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
      • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
    • You should now have a desktop that looks like this:

    ==========

    :step4:

    • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
    • Double click on it to begin running the tool.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.
     
  24. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 04-08-2012 02:26:18
    Running from E:\Virus Removal
    Microsoft Windows XP Service Pack 2 (X86) OS Language: Georgian
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
    HKLM\...\Run: [Super-Charger] C:\Program Files\MSI\Super-Charger\StartSuperCharger.exe [303104 2011-01-25] (TODO: <Company name>)
    HKLM\...\Run: [Conime] %windir%\system32\conime.exe [x]
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [2510848 2011-06-16] (Eastman Kodak Company)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [16744256 2011-10-08] (NVIDIA Corporation)
    HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
    HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet [1632360 2011-10-08] ()
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Owner\...\Run: [HP Photosmart 6510 series (NET)] "C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN21G411Y305QB:NW" -scfn "HP Photosmart 6510 series (NET)" -AutoStart 1 [1804648 2011-09-16] (Hewlett-Packard Co.)
    HKU\Owner\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [1242448 2012-07-12] (Valve Corporation)
    Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    ShortcutTarget: Acrobat Assistant.lnk -> C:\PROGRAMS\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (No File)
    Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\PROGRAMS\OpenOffice.org 3\program\quickstart.exe (No File)
    ================================ Services (Whitelisted) ==================
    2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
    2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [394712 2012-06-19] (Eastman Kodak Company)
    2 Kodak AiO Status Monitor Service; "C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe" [777728 2012-06-19] (Eastman Kodak Company)
    2 NMSAccess; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2010-03-05] ()
    2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2253120 2011-10-08] (NVIDIA Corporation)
    2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
    ========================== Drivers (Whitelisted) =============
    3 Ambfilt; C:\Windows\System32\drivers\Ambfilt.sys [1691480 2009-11-17] (Creative)
    1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
    3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows (R) Server 2003 DDK provider)
    3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2012-08-03] (Malwarebytes Corporation)
    3 Monfilt; C:\Windows\System32\drivers\Monfilt.sys [1395800 2009-11-17] (Creative Technology Ltd.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-21] (Microsoft Corporation)
    3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [119656 2011-07-07] (NVIDIA Corporation)
    3 nvsmu; C:\Windows\System32\DRIVERS\nvsmu.sys [18944 2010-03-22] (NVIDIA Corporation)
    3 RTLE8023xp; C:\Windows\System32\DRIVERS\Rtenicxp.sys [276968 2010-12-29] (Realtek Semiconductor Corporation )
    3 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [7168 2009-11-12] ()
    4 Abiosdsk; [x]
    4 abp480n5; [x]
    4 adpu160m; [x]
    4 Aha154x; [x]
    4 aic78u2; [x]
    4 aic78xx; [x]
    4 AliIde; [x]
    4 amsint; [x]
    4 asc; [x]
    4 asc3350p; [x]
    4 asc3550; [x]
    4 Atdisk; [x]
    3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [x]
    4 cd20xrnt; [x]
    1 Changer; [x]
    4 CmdIde; [x]
    4 Cpqarray; [x]
    4 dac2w2k; [x]
    4 dac960nt; [x]
    4 dpti2o; [x]
    4 hpn; [x]
    1 i2omgmt; [x]
    4 i2omp; [x]
    4 ini910u; [x]
    4 IntelIde; [x]
    1 lbrtfdc; [x]
    4 mraid35x; [x]
    3 MSICDSetup; \??\D:\CDriver.sys [x]
    1 PCIDump; [x]
    3 PDCOMP; [x]
    3 PDFRAME; [x]
    3 PDRELI; [x]
    3 PDRFRAME; [x]
    4 perc2; [x]
    4 perc2hib; [x]
    4 ql1080; [x]
    4 Ql10wnt; [x]
    4 ql12160; [x]
    4 ql1240; [x]
    4 ql1280; [x]
    4 Simbad; [x]
    4 Sparrow; [x]
    4 symc810; [x]
    4 symc8xx; [x]
    4 sym_hi; [x]
    4 sym_u3; [x]
    4 TosIde; [x]
    4 ultra; [x]
    4 ViaIde; [x]
    3 WDICA; [x]
    3 {79007602-0CDB-4405-9DBF-1257BB3226EE}; Combo-Fix.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-04 02:26 - 2012-08-04 02:26 - 00000000 ____D C:\FRST
    2012-08-03 05:26 - 2012-08-03 05:26 - 00003089 ____A C:\Documents and Settings\Owner\Desktop\RKreport[1].txt
    2012-08-03 05:25 - 2012-08-03 05:26 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\RK_Quarantine
    2012-08-03 05:24 - 2012-08-03 02:27 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
    2012-08-03 05:24 - 2012-08-03 02:26 - 01552384 ____A C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
    2012-08-03 03:17 - 2012-08-01 19:39 - 10651816 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
    2012-08-02 13:18 - 2012-08-02 13:24 - 00000000 ___SD C:\ComboFix
    2012-08-02 05:58 - 2012-08-02 05:58 - 00000000 RASHD C:\cmdcons
    2012-08-02 05:58 - 2011-04-22 18:11 - 00000223 ____A C:\Boot.bak
    2012-08-02 05:58 - 2004-08-04 04:00 - 00260272 _RASH C:\cmldr
    2012-08-02 05:41 - 2011-06-26 06:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-02 05:41 - 2010-11-07 17:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-02 05:41 - 2009-04-20 04:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-02 05:41 - 2000-08-31 00:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-02 05:41 - 2000-08-31 00:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-02 05:41 - 2000-08-31 00:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
    2012-08-02 05:41 - 2000-08-31 00:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-02 05:41 - 2000-08-31 00:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-02 05:41 - 2000-08-31 00:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-02 05:28 - 2012-08-02 05:28 - 00000000 ____D C:\Windows\erdnt
    2012-08-02 05:27 - 2012-08-02 05:27 - 00000000 ____D C:\Qoobox
    2012-08-02 05:27 - 2012-08-02 03:22 - 04722680 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    2012-08-02 02:51 - 2012-08-02 02:51 - 00000000 ____D C:\_OTL
    2012-08-02 02:26 - 2012-08-02 02:26 - 00057456 ____A C:\OTL.Txt
    2012-08-02 00:31 - 2012-08-02 00:35 - 00001240 ____A C:\Documents and Settings\Owner\Desktop\FixExec.txt
    2012-08-02 00:30 - 2012-08-01 19:16 - 00883616 ____A (Bleeping Computer, LLC) C:\FixExec.com
    2012-07-31 22:07 - 2012-08-03 10:30 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
    2012-07-31 22:03 - 2012-07-31 22:03 - 00000000 ___SD C:\Documents and Settings\NetworkService\UserData
    2012-07-31 21:58 - 2012-07-31 21:58 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
    2012-07-31 21:58 - 2012-07-31 21:58 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
    2012-07-31 21:54 - 2012-07-31 21:54 - 00090112 ____A C:\Windows\Minidump\Mini073112-01.dmp
    2012-07-31 21:26 - 2012-07-31 21:26 - 00000000 ___SD C:\Documents and Settings\LocalService\UserData
    2012-07-31 21:26 - 2012-07-31 21:26 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
    2012-07-31 21:26 - 2012-07-31 21:26 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
    2012-07-31 21:22 - 2012-07-31 21:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\036E1BAF0054753300081DB97B07D287
    2012-07-31 21:22 - 2012-07-31 21:22 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\{D80D9D8A-DB55-11E1-8270-B8AC6F996F26}
    2012-07-31 21:18 - 2012-08-03 03:15 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-07-31 21:03 - 2012-07-21 12:45 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\KODAK AiO Home Center462547390
    2012-07-22 00:54 - 2012-07-22 00:55 - 00000000 ____D C:\Windows\System32\NtmsData
    2012-07-21 12:49 - 2012-07-21 12:49 - 00001859 ____A C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
    2012-07-21 12:49 - 2012-07-21 12:49 - 00001790 ____A C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
    2012-07-21 12:48 - 2012-07-21 12:48 - 00000000 ____D C:\Documents and Settings\All Users\Kodak
    2012-07-21 12:45 - 2012-07-21 12:45 - 00000000 ____D C:\Documents and Settings\Default User\Application Data\KODAK AiO Home Center462547390
    2012-07-17 22:52 - 2012-07-17 22:52 - 00010756 ____A C:\Windows\KB2718523.log
    2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2719985$
    2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2718523$
    2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2691442$
    2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2655992$
    2012-07-17 22:50 - 2012-07-17 22:50 - 00010115 ____A C:\Windows\KB2698365.log
    2012-07-17 22:50 - 2012-07-17 22:50 - 00000000 __HDC C:\Windows\$NtUninstallKB2698365$
    2012-07-14 19:57 - 2012-07-17 22:53 - 00017063 ____A C:\Windows\KB2691442.log
    2012-07-14 19:57 - 2012-07-17 22:52 - 00016173 ___AH C:\Windows\KB2655992.log
    2012-07-14 19:57 - 2012-07-17 22:52 - 00015755 ____A C:\Windows\KB2719985.log
    2012-07-12 20:25 - 2012-07-12 20:25 - 00000000 ___HD C:\Documents and Settings\Owner\My Documents\My Games
    2012-07-12 20:25 - 2012-07-12 20:25 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\My Games
    2012-07-12 19:51 - 2012-07-15 17:47 - 00000077 ___AH C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
    2012-07-12 16:42 - 2012-08-03 03:15 - 00000000 ____D C:\Program Files\Steam
    2012-07-12 16:42 - 2012-07-12 16:47 - 00000664 ____A C:\Documents and Settings\All Users\Desktop\Steam.lnk
    2012-07-05 11:09 - 2012-07-05 11:09 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\GTT
    ============ 3 Months Modified Files ========================
    2012-08-03 14:35 - 2011-04-22 06:07 - 00000178 __ASH C:\Documents and Settings\Owner\ntuser.ini
    2012-08-03 14:35 - 2011-04-22 06:02 - 01660885 ___AH C:\Windows\WindowsUpdate.log
    2012-08-03 10:30 - 2012-07-31 22:07 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
    2012-08-03 05:26 - 2012-08-03 05:26 - 00003089 ____A C:\Documents and Settings\Owner\Desktop\RKreport[1].txt
    2012-08-03 03:56 - 2011-04-22 06:07 - 00000062 __ASH C:\Documents and Settings\Owner\Local Settings\desktop.ini
    2012-08-03 03:56 - 2011-04-22 06:06 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    2012-08-03 03:56 - 2011-04-22 06:05 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
    2012-08-03 03:56 - 2008-04-14 12:00 - 00013646 ____A C:\Windows\System32\wpa.dbl
    2012-08-03 03:39 - 2011-04-23 01:41 - 00000048 ___AH C:\Windows\wiaservc.log
    2012-08-03 03:39 - 2011-04-22 06:06 - 00032588 ____A C:\Windows\SchedLgU.Txt
    2012-08-03 03:39 - 2011-04-22 06:06 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-03 03:15 - 2012-07-31 21:18 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-03 03:15 - 2011-10-31 00:37 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini
    2012-08-03 02:27 - 2012-08-03 05:24 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
    2012-08-03 02:26 - 2012-08-03 05:24 - 01552384 ____A C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
    2012-08-02 05:58 - 2011-04-23 01:38 - 00000339 _RASH C:\boot.ini
    2012-08-02 03:22 - 2012-08-02 05:27 - 04722680 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    2012-08-02 02:26 - 2012-08-02 02:26 - 00057456 ____A C:\OTL.Txt
    2012-08-02 00:35 - 2012-08-02 00:31 - 00001240 ____A C:\Documents and Settings\Owner\Desktop\FixExec.txt
    2012-08-01 19:39 - 2012-08-03 03:17 - 10651816 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
    2012-08-01 19:16 - 2012-08-02 00:30 - 00883616 ____A (Bleeping Computer, LLC) C:\FixExec.com
    2012-08-01 02:27 - 2011-10-31 00:37 - 00000178 ___SH C:\Documents and Settings\UpdatusUser\ntuser.ini
    2012-07-31 21:54 - 2012-07-31 21:54 - 00090112 ____A C:\Windows\Minidump\Mini073112-01.dmp
    2012-07-31 21:13 - 2011-04-23 01:39 - 00642672 ____A C:\Windows\setupapi.log
    2012-07-31 20:01 - 2012-04-24 23:56 - 00000332 ____A C:\Windows\Tasks\HP Photo Creations Messager.job
    2012-07-31 19:40 - 2012-05-01 03:23 - 00000384 ___AH C:\Windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    2012-07-31 12:32 - 2011-04-23 01:41 - 00000275 ___AH C:\Windows\wiadebug.log
    2012-07-28 05:54 - 2011-04-22 06:01 - 00009646 ___AH C:\Windows\wmsetup.log
    2012-07-27 19:35 - 2011-10-29 01:14 - 00003974 ____A C:\Windows\ULEAD32.INI
    2012-07-27 01:41 - 2012-05-04 01:31 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-27 01:41 - 2011-05-15 18:27 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-21 12:49 - 2012-07-21 12:49 - 00001859 ____A C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
    2012-07-21 12:49 - 2012-07-21 12:49 - 00001790 ____A C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
    2012-07-21 12:46 - 2011-04-22 18:11 - 00036148 ___AH C:\Windows\DPINST.LOG
    2012-07-21 12:45 - 2011-09-08 04:26 - 00800824 ____A (Microsoft Corporation) C:\Documents and Settings\Default User\Application Data\DPInst.exe
    2012-07-21 12:45 - 2011-09-08 04:26 - 00106496 ____A (Microsoft Corporation) C:\Documents and Settings\Default User\Application Data\gacutil.exe
    2012-07-21 12:45 - 2011-09-08 04:26 - 00036352 ____A (Microsoft Corporation) C:\Documents and Settings\Default User\Application Data\PnPutil.exe
    2012-07-17 23:01 - 2011-04-23 01:39 - 00120544 ___AH C:\Windows\System32\FNTCACHE.DAT
    2012-07-17 22:53 - 2012-07-14 19:57 - 00017063 ____A C:\Windows\KB2691442.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 01160797 ___AH C:\Windows\iis6.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 01011800 ___AH C:\Windows\FaxSetup.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00502584 ____A C:\Windows\ocgen.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00470349 ____A C:\Windows\tsoc.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00347744 ___AH C:\Windows\comsetup.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00322038 ____A C:\Windows\msmqinst.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00210151 ____A C:\Windows\ntdtcsetup.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00178231 ____A C:\Windows\netfxocm.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00070705 ____A C:\Windows\MedCtrOC.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00056907 ____A C:\Windows\ocmsn.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00051365 ____A C:\Windows\tabletoc.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00051188 ____A C:\Windows\msgsocm.log
    2012-07-17 22:53 - 2011-04-23 01:40 - 00001374 ___AH C:\Windows\imsins.log
    2012-07-17 22:52 - 2012-07-17 22:52 - 00010756 ____A C:\Windows\KB2718523.log
    2012-07-17 22:52 - 2012-07-14 19:57 - 00016173 ___AH C:\Windows\KB2655992.log
    2012-07-17 22:52 - 2012-07-14 19:57 - 00015755 ____A C:\Windows\KB2719985.log
    2012-07-17 22:52 - 2011-04-23 01:40 - 00001374 ___AH C:\Windows\imsins.BAK
    2012-07-17 22:52 - 2011-04-22 18:56 - 00087226 ____A C:\Windows\updspapi.log
    2012-07-17 22:51 - 2011-04-22 19:00 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-17 22:50 - 2012-07-17 22:50 - 00010115 ____A C:\Windows\KB2698365.log
    2012-07-16 20:59 - 2011-05-10 15:38 - 00230840 ___RA (Coupons, Inc.) C:\Windows\System32\cpnprt2.cid
    2012-07-15 17:47 - 2012-07-12 19:51 - 00000077 ___AH C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
    2012-07-12 16:47 - 2012-07-12 16:42 - 00000664 ____A C:\Documents and Settings\All Users\Desktop\Steam.lnk
    2012-07-03 18:46 - 2011-05-11 00:44 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-02 23:17 - 2012-02-08 04:28 - 00027878 ___AH C:\Inventory.xls
    2012-07-02 23:17 - 2012-02-08 04:28 - 00011668 ___AH C:\Spellbook.xls
    2012-06-19 11:41 - 2012-06-19 11:41 - 00001866 ____A C:\Documents and Settings\Owner\Desktop\The Lord of the Rings Online.lnk
    2012-06-19 02:26 - 2012-06-19 02:26 - 02377640 ____A C:\Documents and Settings\Owner\Desktop\lotrostandard.exe
    2012-06-17 00:24 - 2012-06-16 20:30 - 00014355 ____A C:\Windows\KB2707511.log
    2012-06-17 00:24 - 2011-04-23 01:40 - 00501770 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-17 00:20 - 2012-06-17 00:20 - 00007444 ____A C:\Windows\KB2685939.log
    2012-06-17 00:17 - 2012-06-16 20:29 - 00012586 ____A C:\Windows\KB2709162.log
    2012-06-13 13:19 - 2008-04-14 12:00 - 01866112 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\win32k.sys
    2012-06-13 13:19 - 2008-04-14 12:00 - 01866112 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-11 16:42 - 2012-06-11 16:42 - 00323624 ____A (Microsoft Corporation) C:\Windows\System32\wiaaut.dll
    2012-06-08 14:26 - 2008-04-14 12:00 - 08462848 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\shell32.dll
    2012-06-08 14:26 - 2008-04-14 12:00 - 08462848 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 15:50 - 2008-04-14 12:00 - 01372672 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msxml6.dll
    2012-06-05 15:50 - 2008-04-14 12:00 - 01372672 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 15:50 - 2008-04-14 12:00 - 01172480 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msxml3.dll
    2012-06-05 15:50 - 2008-04-14 12:00 - 01172480 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 11:14 - 2012-06-04 11:13 - 00011504 ____A C:\Windows\KB2718704.log
    2012-06-04 04:32 - 2008-04-14 12:00 - 00152576 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\schannel.dll
    2012-06-04 04:32 - 2008-04-14 12:00 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 01933848 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuaueng.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00577048 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuapi.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00329240 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wucltui.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00329240 ____A (Microsoft Corporation) C:\Windows\System32\wucltui.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00219160 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuaucpl.cpl
    2012-06-02 20:19 - 2011-04-22 06:02 - 00219160 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl
    2012-06-02 20:19 - 2011-04-22 06:02 - 00210968 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuweb.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00210968 ____A (Microsoft Corporation) C:\Windows\System32\wuweb.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00053784 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuauclt.exe
    2012-06-02 20:19 - 2011-04-22 06:02 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 20:19 - 2011-04-22 06:02 - 00035864 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wups.dll
    2012-06-02 20:19 - 2011-04-22 06:02 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 20:19 - 2009-08-07 00:24 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 20:19 - 2009-08-07 00:24 - 00022040 ___AH (Microsoft Corporation) C:\Windows\System32\wucltui.dll.mui
    2012-06-02 20:19 - 2009-08-07 00:24 - 00017944 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll.mui
    2012-06-02 20:19 - 2009-08-07 00:24 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl.mui
    2012-06-02 20:19 - 2009-08-07 00:24 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll.mui
    2012-06-02 20:19 - 2008-04-14 12:00 - 00097304 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\cdm.dll
    2012-06-02 20:19 - 2008-04-14 12:00 - 00097304 ____A (Microsoft Corporation) C:\Windows\System32\cdm.dll
    2012-06-02 20:18 - 2011-04-26 23:04 - 00275696 ____A (Microsoft Corporation) C:\Windows\System32\mucltui.dll
    2012-06-02 20:18 - 2011-04-26 23:04 - 00017136 ___AH (Microsoft Corporation) C:\Windows\System32\mucltui.dll.mui
    2012-06-02 20:18 - 2009-08-07 00:23 - 00214256 ____A (Microsoft Corporation) C:\Windows\System32\muweb.dll
    2012-05-31 13:22 - 2008-04-14 12:00 - 00599040 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\crypt32.dll
    2012-05-31 13:22 - 2008-04-14 12:00 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-05-28 18:16 - 2011-04-22 06:01 - 00536576 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msado15.dll
    2012-05-16 23:43 - 2011-05-02 22:46 - 00019968 ____A C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-13 04:51 - 2012-05-13 04:51 - 00118149 ___AH C:\Windows\KB2659262.log
    2012-05-13 04:46 - 2012-05-13 04:46 - 00120591 ____A C:\Windows\KB2686509.log
    2012-05-13 04:46 - 2012-05-13 04:46 - 00119938 ____A C:\Windows\KB2695962.log
    2012-05-13 04:46 - 2012-05-10 17:39 - 00130159 ____A C:\Windows\KB2676562.log

    ZeroAccess:
    C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}
    C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L
    C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n
    C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U
    ZeroAccess:
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\@
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\00000001.@
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\80000000.@
    C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\800000cb.@
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points (XP) =====================
    RP: -> 2012-08-02 13:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP609
    RP: -> 2012-07-31 21:06 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP608
    RP: -> 2012-07-31 12:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP607
    RP: -> 2012-07-31 02:17 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP606
    RP: -> 2012-07-30 01:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP605
    RP: -> 2012-07-29 06:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP604
    RP: -> 2012-07-29 01:44 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP603
    RP: -> 2012-07-28 01:44 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP602
    RP: -> 2012-07-27 01:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP601
    RP: -> 2012-07-25 16:05 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP600
    RP: -> 2012-07-24 16:06 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP599
    RP: -> 2012-07-23 16:05 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP598
    RP: -> 2012-07-22 16:06 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP597
    RP: -> 2012-07-22 07:23 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP596
    RP: -> 2012-07-21 19:59 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP595
    RP: -> 2012-07-20 19:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP594
    RP: -> 2012-07-20 01:32 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP593
    RP: -> 2012-07-18 23:12 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP592
    RP: -> 2012-07-18 23:05 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP591
    RP: -> 2012-07-17 22:50 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP590
    RP: -> 2012-07-17 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP589
    RP: -> 2012-07-16 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP588
    RP: -> 2012-07-15 06:33 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP587
    RP: -> 2012-07-15 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP586
    RP: -> 2012-07-14 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP585
    RP: -> 2012-07-13 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP584
    RP: -> 2012-07-12 19:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP583
    RP: -> 2012-07-12 18:58 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP582
    RP: -> 2012-07-12 17:11 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP581
    RP: -> 2012-07-12 16:42 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP580
    RP: -> 2012-07-12 16:41 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP579
    RP: -> 2012-07-12 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP578
    RP: -> 2012-07-11 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP577
    RP: -> 2012-07-10 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP576
    RP: -> 2012-07-09 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP575
    RP: -> 2012-07-08 06:33 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP574
    RP: -> 2012-07-08 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP573
    RP: -> 2012-07-07 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP572
    RP: -> 2012-07-06 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP571
    RP: -> 2012-07-05 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP570
    RP: -> 2012-07-04 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP569
    RP: -> 2012-07-03 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP568
    RP: -> 2012-07-02 01:56 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP567
    RP: -> 2012-07-01 06:32 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP566
    RP: -> 2012-07-01 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP565
    RP: -> 2012-06-30 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP564
    RP: -> 2012-06-29 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP563
    RP: -> 2012-06-28 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP562
    RP: -> 2012-06-27 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP561
    RP: -> 2012-06-26 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP560
    RP: -> 2012-06-25 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP559
    RP: -> 2012-06-24 06:32 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP558
    RP: -> 2012-06-24 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP557
    RP: -> 2012-06-23 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP556
    RP: -> 2012-06-23 00:48 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP555
    RP: -> 2012-06-22 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP554
    RP: -> 2012-06-22 00:13 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP553
    RP: -> 2012-06-21 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP552
    RP: -> 2012-06-20 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP551
    RP: -> 2012-06-19 11:41 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP550
    RP: -> 2012-06-19 11:41 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP549
    RP: -> 2012-06-19 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP548
    RP: -> 2012-06-18 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP547
    RP: -> 2012-06-17 00:17 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP546
    RP: -> 2012-06-16 20:38 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP545
    RP: -> 2012-06-15 21:02 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP544
    RP: -> 2012-06-14 21:01 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP543
    RP: -> 2012-06-13 20:01 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP542
    RP: -> 2012-06-12 19:08 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP541
    RP: -> 2012-06-11 19:08 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP540
    RP: -> 2012-06-11 07:01 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP539
    RP: -> 2012-06-10 06:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP538
    RP: -> 2012-06-10 00:28 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP537
    RP: -> 2012-06-09 00:27 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP536
    RP: -> 2012-06-08 00:28 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP535
    RP: -> 2012-06-07 11:26 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP534
    RP: -> 2012-06-06 11:14 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP533
    RP: -> 2012-06-05 20:07 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP532
    RP: -> 2012-06-04 19:21 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP531
    RP: -> 2012-06-04 11:14 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP530
    RP: -> 2012-06-03 19:21 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP529
    RP: -> 2012-06-03 07:29 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP528
    RP: -> 2012-06-03 02:14 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP527
    RP: -> 2012-06-02 01:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP526
    RP: -> 2012-06-01 01:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP525
    RP: -> 2012-05-31 01:21 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP524
    RP: -> 2012-05-29 03:28 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP523
    RP: -> 2012-05-29 00:23 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP522
    RP: -> 2012-05-27 23:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP521
    RP: -> 2012-05-27 06:38 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP520
    RP: -> 2012-05-26 23:46 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP519
    RP: -> 2012-05-26 12:42 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP518
    RP: -> 2012-05-25 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP517
    RP: -> 2012-05-24 11:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP516
    RP: -> 2012-05-24 11:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP515
    RP: -> 2012-05-23 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP514
    RP: -> 2012-05-22 12:08 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP513
    RP: -> 2012-05-22 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP512
    RP: -> 2012-05-21 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP511
    RP: -> 2012-05-20 07:19 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP509
    RP: -> 2012-05-19 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP508
    RP: -> 2012-05-18 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP507
    RP: -> 2012-05-17 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP506
    RP: -> 2012-05-16 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP505
    RP: -> 2012-05-15 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP504
    RP: -> 2012-05-14 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP503
    RP: -> 2012-05-14 07:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP502
    RP: -> 2012-05-13 06:40 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP501
    RP: -> 2012-05-13 04:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP500
    RP: -> 2012-05-13 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP499
    RP: -> 2012-05-12 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP498
    RP: -> 2012-05-11 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP497
    RP: -> 2012-05-10 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP496
    RP: -> 2012-05-09 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP495
    RP: -> 2012-05-08 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP494
    RP: -> 2012-05-07 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP493
    RP: -> 2012-05-06 06:40 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP492
    RP: -> 2012-05-06 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP491

    ========================= Memory info ======================
    Percentage of memory in use: 35%
    Total physical RAM: 2047.17 MB
    Available physical RAM: 1329.79 MB
    Total Pagefile: 1877.86 MB
    Available Pagefile: 1347.35 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2000.91 MB
    ======================= Partitions =========================
    1 Drive b: (RAMDisk) (Fixed) (Total:0.5 GB) (Free:0.5 GB) FAT
    2 Drive c: () (Fixed) (Total:465.75 GB) (Free:371.51 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive d: (Lil Buddy) (Fixed) (Total:76.68 GB) (Free:76.61 GB) NTFS
    4 Drive e: () (Removable) (Total:3.82 GB) (Free:3.58 GB) FAT32
    5 Drive x: (UBCD4Windows) (CDROM) (Total:0.62 GB) (Free:0 GB) CDFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 Online 77 GB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 466 GB 32 KB
    Partition 2 Unknown 10 MB 466 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 466 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 Partition 10 MB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 77 GB 32 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D Lil Buddy NTFS Partition 77 GB Healthy
    ==================================================================================
    ======================= End Of Log ==========================
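Three parts of the log above are what a responder reads before anything else: the two ZeroAccess directory trees (a `{GUID}` directory under Windows\Installer and under the user's Local Settings\Application Data holding `@`, `L`, `n` and `U`, with modules named like `00000001.@` inside `U`), the Bamital & volsnap MD5 checks, and disk 0 partition 2: a 10 MB partition of type 17 that FRST labels "Suspicious Type", marked Hidden and Active, while the 466 GB Windows partition is not Active, so a standard MBR hands control to that small partition's boot sector rather than to the Windows volume. The following Python script is an added example, not part of this thread and not FRST's own code: it pulls those findings out of an FRST-format log. The regular expressions are assumptions derived from the line formats visible above; the sample log is constructed from lines in that shape, and the `{00000000-...}` Installer line and the `MD5 does not match` wording are made up to exercise the not-flagged and flagged branches (FRST's real wording for a hash mismatch is not shown in the thread). A bare `{GUID}` directory under Windows\Installer is deliberately not flagged, because Windows Installer creates those legitimately; the `@`/`L`/`n`/`U` entries are the indicator.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) log for the indicators this
thread turns on.  Added example, not FRST's own code: every pattern below is
an assumption derived from the log format visible in the thread."""
import re
from typing import Dict, List

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"

# ZeroAccess layout: {GUID}\@, {GUID}\L, {GUID}\n, {GUID}\U and {GUID}\U\xxxxxxxx.@
# under Windows\Installer or Local Settings\Application Data.  A bare {GUID}
# directory is NOT matched: Windows Installer creates those legitimately.
ZA_PATH = re.compile(
    r"^.*\\(?:Windows\\Installer|Local Settings\\Application Data)\\" + GUID
    + r"\\(?:[@Ln]|U(?:\\[0-9a-f]{8}\.@)?)$",
    re.I,
)
MD5_LINE = re.compile(r"^(?P<path>.+?) => MD5 (?P<verdict>.+)$")
ASSOC_LINE = re.compile(r"^(?P<key>HKLM\\.+?) => (?P<verdict>\S+)$")
DISK_LINE = re.compile(r"^Disk: (?P<disk>\d+)$")
PART_LINE = re.compile(r"^Partition (?P<part>\d+)$")
TYPE_LINE = re.compile(r"^Type : (?P<type>.+)$")
FLAG_LINE = re.compile(r"^(?P<flag>Hidden|Active): (?P<val>Yes|No)$")


def triage(log_text: str) -> Dict[str, List]:
    """Return the ZeroAccess paths, MD5 mismatches, bad .exe associations and
    suspicious partition blocks found in an FRST-format log."""
    findings: Dict[str, List] = {
        "zeroaccess_paths": [], "md5_mismatch": [],
        "exe_assoc_bad": [], "suspicious_partitions": [],
    }
    part: Dict[str, object] = {}  # partition block currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if ZA_PATH.match(line):
            findings["zeroaccess_paths"].append(line)
        elif (m := MD5_LINE.match(line)):
            if m["verdict"].strip() != "is legit":
                findings["md5_mismatch"].append(m["path"])
        elif (m := ASSOC_LINE.match(line)):
            if m["verdict"] != "OK":
                findings["exe_assoc_bad"].append(line)
        elif (m := DISK_LINE.match(line)):
            part = {"disk": int(m["disk"])}
        elif (m := PART_LINE.match(line)) and "disk" in part:
            part["partition"] = int(m["part"])
        elif (m := TYPE_LINE.match(line)) and "partition" in part:
            part["type"] = m["type"]
        elif (m := FLAG_LINE.match(line)) and "type" in part:
            part[m["flag"].lower()] = m["val"] == "Yes"
            if m["flag"] == "Active":  # last field of a partition block
                # FRST's own "Suspicious Type" verdict, or a hidden partition
                # that is nevertheless the one the MBR boots.
                if "Suspicious" in part["type"] or (part.get("hidden") and part["active"]):
                    findings["suspicious_partitions"].append(dict(part))
                part = {}
    return findings


# Constructed sample in the shape of the FRST log posted in this thread.
# The {00000000-...} Installer line and the "does not match" MD5 line are
# made up here to exercise the not-flagged and flagged branches.
SAMPLE_LOG = r"""
2012-08-02 05:41 - 2011-06-26 06:45 - 00256000 ____A C:\Windows\PEV.exe
ZeroAccess:
C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}
C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U
C:\Windows\Installer\{00000000-0000-0000-0000-000000000000}\readme.txt
ZeroAccess:
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\@
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\00000001.@
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\800000cb.@
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 does not match
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No
Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes
"""

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```

Run it against a saved FRST.txt by passing the file contents to `triage()`; on the sample it reports four ZeroAccess paths, one MD5 mismatch, no broken .exe association and exactly one partition block (disk 0, partition 2). The bare `{cea913e6-...}` directory and the `readme.txt` line are not reported, which is the point of anchoring the pattern on the `@`/`L`/`n`/`U` entries rather than on the GUID directory alone.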
     
  25. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    We have all kinds of issues here...

    We'll try system restore first.

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.
     
