TechSpot

SmartFortress2012 - Blocks rkill, gmer, etc

By AustinSchnitzel
Mar 3, 2012
  1. Hail, folks. I've been tasked to assist with a friend-of-a-friend's laptop, which has come down with a bad case of malware posing as antimalware. Even in Safe Mode, this sucker jumps in and blocks all of my attempts to run any of the preliminary "deep cleaner" programs as posted in the above guide. If I could post logs, I would. What can I do to intercept this nastiness from the boot-level?
     
  2. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================================================

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  3. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Brilliant! Just what I needed. Log posted below.
    OTL logfile created on: 3/4/2012 10:59:12 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 92.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 214.18 Gb Free Space | 91.97% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - [2012/02/15 13:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2010/01/25 08:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand] -- C:\Program Files\Browny02\BrYNSvc.exe -- (BrYNSvc)
    SRV - [2008/07/29 09:11:00 | 000,071,512 | ---- | M] (O2Micro International) [Auto] -- C:\WINDOWS\system32\drivers\o2flash.exe -- (o2flash)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | Boot] -- -- (cerc6)
    DRV - [2009/11/12 13:48:56 | 000,005,504 | ---- | M] () [File_System | Auto] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/06/26 17:21:02 | 001,956,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
    DRV - [2008/07/29 09:11:30 | 000,051,288 | ---- | M] (O2Micro ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\o2media.sys -- (O2MDRDR)
    DRV - [2008/06/12 08:30:12 | 000,043,608 | ---- | M] (O2Micro ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\o2sd.sys -- (O2SDRDR)
    DRV - [2008/01/03 21:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2007/11/14 16:14:02 | 004,625,408 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/10/09 12:17:42 | 001,123,328 | R--- | M] (Broadcom Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=14
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/27 13:03:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/09/27 12:55:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/09/27 12:55:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    [2011/09/22 23:28:29 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/09/22 20:16:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/01/04 12:19:40 | 000,001,692 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\comcast.xml

    O1 HOSTS File: ([2008/04/13 18:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.)
    O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
    O4 - HKU\Owner_ON_C..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/09/26 15:50:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/03 18:13:40 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
    [2012/03/03 17:48:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Videos
    [2012/03/03 17:48:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
    [2012/03/03 17:48:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/03/03 17:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Deep Cleaners
    [2012/03/03 17:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\U3
    [2012/03/02 22:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Smart Fortress 2012
    [2012/03/02 22:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2012/02/27 10:56:57 | 000,005,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstee.sys
    [2012/02/27 10:56:56 | 000,010,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndisip.sys
    [2012/02/27 10:56:55 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipsink.ax
    [2012/02/27 10:56:55 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ipsink.ax
    [2012/02/27 10:56:55 | 000,015,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\streamip.sys
    [2012/02/27 10:56:54 | 000,011,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\slip.sys
    [2012/02/27 10:56:52 | 000,019,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wstcodec.sys
    [2012/02/27 10:56:51 | 000,085,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nabtsfec.sys
    [2012/02/27 10:56:50 | 000,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ccdecode.sys
    [2012/02/27 10:56:29 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kswdmcap.ax
    [2012/02/27 10:56:29 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kswdmcap.ax
    [2012/02/27 10:56:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kstvtune.ax
    [2012/02/27 10:56:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kstvtune.ax
    [2012/02/27 10:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
    [2012/02/27 10:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vidcap.ax
    [2012/02/27 10:56:28 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
    [2012/02/27 10:56:28 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
    [2012/02/27 10:56:27 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksxbar.ax
    [2012/02/27 10:56:27 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ksxbar.ax
    [2012/02/27 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/02/27 10:52:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012/02/27 10:52:35 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
    [2012/02/27 10:44:15 | 000,943,752 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\Owner\Desktop\SkypeSetup.exe
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/03 18:16:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/03 18:02:04 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/03 18:02:04 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/03 17:58:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/03 17:48:07 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/03/03 17:39:10 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.scr
    [2012/03/03 17:22:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003UA.job
    [2012/03/02 19:16:46 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/02/27 20:22:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003Core.job
    [2012/02/27 10:56:39 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2012/02/27 10:52:40 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2012/02/27 10:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/02/27 10:44:19 | 000,943,752 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Owner\Desktop\SkypeSetup.exe
    [2012/02/26 23:42:42 | 000,160,083 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bob Evans, Mar., '12.pdf
    [2012/02/22 19:13:28 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2012/02/19 21:04:13 | 000,078,196 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\2012 Cinco flyer.pdf
    [2012/02/17 23:03:19 | 000,132,900 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\5th Annual Cinco DeMayo Dinner Auction flyer 2012.pdf
    [2012/02/16 22:23:25 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
    [2012/02/16 22:23:25 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2012/02/15 22:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2012/02/15 09:56:09 | 000,266,208 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/02/14 23:34:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/02/09 22:56:11 | 000,157,620 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\FMARFEB12.pdf
    [2012/02/03 16:16:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/03 17:39:04 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.scr
    [2012/02/26 23:42:42 | 000,160,083 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bob Evans, Mar., '12.pdf
    [2012/02/19 21:04:10 | 000,078,196 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\2012 Cinco flyer.pdf
    [2012/02/17 23:03:16 | 000,132,900 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\5th Annual Cinco DeMayo Dinner Auction flyer 2012.pdf
    [2012/02/14 22:36:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/14 22:36:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2012/02/09 22:56:09 | 000,157,620 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FMARFEB12.pdf
    [2012/01/05 10:21:43 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
    [2012/01/05 10:21:43 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRADM10A.DAT
    [2012/01/05 10:21:42 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
    [2011/11/18 22:07:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/10/23 22:30:53 | 000,159,112 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/10/23 20:16:25 | 000,007,573 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
    [2011/10/23 20:15:42 | 000,000,478 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2011/09/28 15:06:01 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/09/27 13:08:42 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2011/09/27 12:57:50 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2011/09/27 12:57:49 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2011/09/27 12:57:49 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2011/09/27 12:57:49 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2011/09/27 12:57:48 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/09/27 08:27:13 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2011/09/26 16:36:13 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
    [2011/09/26 16:36:09 | 000,104,636 | R--- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
    [2011/09/26 16:36:08 | 001,843,784 | R--- | C] () -- C:\WINDOWS\System32\igklg400.dll
    [2011/09/26 16:36:08 | 001,399,880 | R--- | C] () -- C:\WINDOWS\System32\igklg450.dll
    [2011/09/26 15:53:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/09/26 15:48:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/09/26 11:13:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/09/26 11:12:40 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009/06/26 17:21:02 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
    [2008/04/13 18:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/04/13 18:00:00 | 000,435,260 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/04/13 18:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/04/13 18:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/04/13 18:00:00 | 000,068,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/04/13 18:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/04/13 18:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/04/13 18:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/04/13 18:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/04/13 18:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2005/04/14 22:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/04/14 22:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2003/06/17 16:20:28 | 000,005,358 | ---- | C] () -- C:\WINDOWS\hpfmdl01.dat
    [2003/06/17 16:13:16 | 000,000,332 | ---- | C] () -- C:\WINDOWS\hpfins01.dat

    ========== LOP Check ==========

    [2012/03/02 22:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2011/09/27 13:04:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2012/03/02 19:16:46 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    ========== Purity Check ==========


    < End of report >
     
  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Please don't wrap logs in "code".

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    [2012/03/02 22:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Smart Fortress 2012
    [2012/03/02 22:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2011/09/27 13:04:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
     
  5. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    If I can't compress the logs for easier scrolling through older posts, at least let me differentiate them from the rest of my message! Anyway...

    I believe I missed a step between acquiring the OTL Fix log and attempting to boot the computer normally. I was able to boot normally, but the SmartFortress still appeared. I'm going to repeat the process you posted and post any additional logs that appear.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    I don't want you to wrap logs with anything.

    The log is correct.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Will this process work through the REATOGO-X-PE desktop? That is what I am attempting due to the aforementioned blocking properties of this malware.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    No. You can run it from safe mode though.
     
  9. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Even in SafeMode, SmartFortress loads before my puny human reflexes can access my USB drive and blocks all three versions of Rkill. What now?
     
  10. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Boot back to OTLPE CD.

    Re-run OTL but this time paste the following in "Custom Scan" box:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %AllUsersProfile%
    %AppData%\Microsoft\Windows\Start Menu\Programs
    %AppData%\Microsoft\Windows\Start Menu
    %UserProfile%\Desktop


    Post new log.
     
  11. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Here it is.


    OTL logfile created on: 3/4/2012 4:44:44 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 214.16 Gb Free Space | 91.96% Space Free | Partition Type: NTFS
    Drive D: | 5.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive E: | 1.90 Gb Total Space | 1.88 Gb Free Space | 98.59% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - [2012/02/15 13:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2010/01/25 08:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand] -- C:\Program Files\Browny02\BrYNSvc.exe -- (BrYNSvc)
    SRV - [2008/07/29 09:11:00 | 000,071,512 | ---- | M] (O2Micro International) [Auto] -- C:\WINDOWS\system32\drivers\o2flash.exe -- (o2flash)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | Boot] -- -- (cerc6)
    DRV - [2009/11/12 13:48:56 | 000,005,504 | ---- | M] () [File_System | Auto] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/06/26 17:21:02 | 001,956,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
    DRV - [2008/07/29 09:11:30 | 000,051,288 | ---- | M] (O2Micro ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\o2media.sys -- (O2MDRDR)
    DRV - [2008/06/12 08:30:12 | 000,043,608 | ---- | M] (O2Micro ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\o2sd.sys -- (O2SDRDR)
    DRV - [2008/01/03 21:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2007/11/14 16:14:02 | 004,625,408 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/10/09 12:17:42 | 001,123,328 | R--- | M] (Broadcom Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=14
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/27 13:03:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/09/27 12:55:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/09/27 12:55:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    [2011/09/22 23:28:29 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/09/22 20:16:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/01/04 12:19:40 | 000,001,692 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\comcast.xml

    O1 HOSTS File: ([2008/04/13 18:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.)
    O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
    O4 - HKU\Owner_ON_C..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/09/26 15:50:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/12/11 15:03:59 | 000,000,277 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/04 15:35:52 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/03/03 18:13:40 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
    [2012/03/03 17:48:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Videos
    [2012/03/03 17:48:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
    [2012/03/03 17:48:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/03/03 17:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Deep Cleaners
    [2012/03/03 17:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\U3
    [2012/03/02 22:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2012/02/27 10:56:57 | 000,005,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstee.sys
    [2012/02/27 10:56:56 | 000,010,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndisip.sys
    [2012/02/27 10:56:55 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipsink.ax
    [2012/02/27 10:56:55 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ipsink.ax
    [2012/02/27 10:56:55 | 000,015,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\streamip.sys
    [2012/02/27 10:56:54 | 000,011,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\slip.sys
    [2012/02/27 10:56:52 | 000,019,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wstcodec.sys
    [2012/02/27 10:56:51 | 000,085,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nabtsfec.sys
    [2012/02/27 10:56:50 | 000,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ccdecode.sys
    [2012/02/27 10:56:29 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kswdmcap.ax
    [2012/02/27 10:56:29 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kswdmcap.ax
    [2012/02/27 10:56:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kstvtune.ax
    [2012/02/27 10:56:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kstvtune.ax
    [2012/02/27 10:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
    [2012/02/27 10:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vidcap.ax
    [2012/02/27 10:56:28 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
    [2012/02/27 10:56:28 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
    [2012/02/27 10:56:27 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksxbar.ax
    [2012/02/27 10:56:27 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ksxbar.ax
    [2012/02/27 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/02/27 10:52:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012/02/27 10:52:35 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
    [2012/02/27 10:44:15 | 000,943,752 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\Owner\Desktop\SkypeSetup.exe
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/04 16:30:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/04 16:26:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/04 16:16:12 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
    [2012/03/04 15:44:56 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/04 15:44:56 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/03 17:48:07 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/03/03 17:39:10 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.scr
    [2012/03/03 17:22:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003UA.job
    [2012/03/02 19:16:46 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/02/27 20:22:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003Core.job
    [2012/02/27 10:56:39 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2012/02/27 10:52:40 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2012/02/27 10:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/02/27 10:44:19 | 000,943,752 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Owner\Desktop\SkypeSetup.exe
    [2012/02/26 23:42:42 | 000,160,083 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bob Evans, Mar., '12.pdf
    [2012/02/22 19:13:28 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2012/02/19 21:04:13 | 000,078,196 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\2012 Cinco flyer.pdf
    [2012/02/17 23:03:19 | 000,132,900 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\5th Annual Cinco DeMayo Dinner Auction flyer 2012.pdf
    [2012/02/16 22:23:25 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
    [2012/02/16 22:23:25 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2012/02/15 22:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2012/02/15 09:56:09 | 000,266,208 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/02/14 23:34:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/02/09 22:56:11 | 000,157,620 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\FMARFEB12.pdf
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/04 16:25:25 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
    [2012/03/04 16:25:25 | 000,719,873 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.com
    [2012/03/03 17:39:04 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.scr
    [2012/02/26 23:42:42 | 000,160,083 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bob Evans, Mar., '12.pdf
    [2012/02/19 21:04:10 | 000,078,196 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\2012 Cinco flyer.pdf
    [2012/02/17 23:03:16 | 000,132,900 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\5th Annual Cinco DeMayo Dinner Auction flyer 2012.pdf
    [2012/02/14 22:36:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/14 22:36:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2012/02/09 22:56:09 | 000,157,620 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FMARFEB12.pdf
    [2012/01/05 10:21:43 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
    [2012/01/05 10:21:43 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRADM10A.DAT
    [2012/01/05 10:21:42 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
    [2011/11/18 22:07:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/10/23 22:30:53 | 000,159,112 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/10/23 20:16:25 | 000,007,573 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
    [2011/10/23 20:15:42 | 000,000,478 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2011/09/28 15:06:01 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/09/27 13:08:42 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2011/09/27 12:57:50 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2011/09/27 12:57:49 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2011/09/27 12:57:49 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2011/09/27 12:57:49 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2011/09/27 12:57:48 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/09/27 08:27:13 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2011/09/26 16:36:13 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
    [2011/09/26 16:36:09 | 000,104,636 | R--- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
    [2011/09/26 16:36:08 | 001,843,784 | R--- | C] () -- C:\WINDOWS\System32\igklg400.dll
    [2011/09/26 16:36:08 | 001,399,880 | R--- | C] () -- C:\WINDOWS\System32\igklg450.dll
    [2011/09/26 15:53:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/09/26 15:48:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/09/26 11:13:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/09/26 11:12:40 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009/06/26 17:21:02 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
    [2008/04/13 18:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/04/13 18:00:00 | 000,435,828 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/04/13 18:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/04/13 18:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/04/13 18:00:00 | 000,068,558 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/04/13 18:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/04/13 18:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/04/13 18:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/04/13 18:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/04/13 18:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2005/04/14 22:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/04/14 22:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2003/06/17 16:20:28 | 000,005,358 | ---- | C] () -- C:\WINDOWS\hpfmdl01.dat
    [2003/06/17 16:13:16 | 000,000,332 | ---- | C] () -- C:\WINDOWS\hpfins01.dat

    ========== LOP Check ==========

    [2012/03/02 22:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2012/03/02 19:16:46 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >
    "IgfxTray" = C:\WINDOWS\system32\igfxtray.exe -- [2007/12/19 04:08:08 | 000,135,168 | R--- | M] (Intel Corporation)
    "HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe -- [2007/12/19 04:08:12 | 000,159,744 | R--- | M] (Intel Corporation)
    "Persistence" = C:\WINDOWS\system32\igfxpers.exe -- [2007/12/19 04:07:42 | 000,131,072 | R--- | M] (Intel Corporation)
    "RTHDCPL" = RTHDCPL.EXE -- [2007/11/06 09:50:08 | 016,855,552 | ---- | M] (Realtek Semiconductor Corp.)
    "Alcmtr" = ALCMTR.EXE -- [2005/05/03 17:43:28 | 000,069,632 | ---- | M] (Realtek Semiconductor Corp.)
    "MSC" = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey -- [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation)
    "QuickTime Task" = "C:\Program Files\QuickTime\qttask.exe" -atboottime -- [2011/07/05 17:36:48 | 000,421,888 | ---- | M] (Apple Inc.)
    "HPDJ Taskbar Utility" = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe -- [2003/09/01 06:42:50 | 000,176,128 | ---- | M] (HP)
    "HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" -- [2003/06/25 10:24:48 | 000,049,152 | ---- | M] (Hewlett-Packard)
    "HP Component Manager" = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" -- [2004/05/12 14:18:56 | 000,241,664 | ---- | M] (Hewlett-Packard Company)
    "DeviceDiscovery" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -- [2003/05/21 17:37:08 | 000,229,437 | ---- | M] (Hewlett-Packard)
    "BrStsMon00" = C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN -- [2010/06/10 13:42:44 | 002,621,440 | R--- | M] (Brother Industries, Ltd.)
    "Adobe ARM" = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" -- [2012/01/03 02:37:53 | 000,843,712 | ---- | M] (Adobe Systems Incorporated)
    "VX1000" = C:\WINDOWS\vVX1000.exe -- [2009/06/26 17:21:00 | 000,757,248 | ---- | M] (Microsoft Corporation)

    Invalid Environment Variable: %AllUsersProfile%

    Invalid Environment Variable: %AppData%\Microsoft\Windows\Start Menu\Programs

    Invalid Environment Variable: %AppData%\Microsoft\Windows\Start Menu

    Invalid Environment Variable: %UserProfile%\Desktop
    < End of report >
     
  12. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    I gave you incorrect script.
    I apologize.

    Try again:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %AllUsersProfile%\*.*
    %AppData%\Microsoft\Windows\Start Menu\Programs\*.*
    %AppData%\Microsoft\Windows\Start Menu\*.*
    %UserProfile%\Desktop\*.*
     
  13. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Once more, with feeling!

    OTL logfile created on: 3/4/2012 5:00:55 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 214.16 Gb Free Space | 91.96% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - [2012/02/15 13:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2010/01/25 08:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand] -- C:\Program Files\Browny02\BrYNSvc.exe -- (BrYNSvc)
    SRV - [2008/07/29 09:11:00 | 000,071,512 | ---- | M] (O2Micro International) [Auto] -- C:\WINDOWS\system32\drivers\o2flash.exe -- (o2flash)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | Boot] -- -- (cerc6)
    DRV - [2009/11/12 13:48:56 | 000,005,504 | ---- | M] () [File_System | Auto] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/06/26 17:21:02 | 001,956,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
    DRV - [2008/07/29 09:11:30 | 000,051,288 | ---- | M] (O2Micro ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\o2media.sys -- (O2MDRDR)
    DRV - [2008/06/12 08:30:12 | 000,043,608 | ---- | M] (O2Micro ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\o2sd.sys -- (O2SDRDR)
    DRV - [2008/01/03 21:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2007/11/14 16:14:02 | 004,625,408 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/10/09 12:17:42 | 001,123,328 | R--- | M] (Broadcom Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=14
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/27 13:03:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/09/27 12:55:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/09/27 12:55:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    [2011/09/22 23:28:29 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/09/22 20:16:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/01/04 12:19:40 | 000,001,692 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\comcast.xml

    O1 HOSTS File: ([2008/04/13 18:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.)
    O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
    O4 - HKU\Owner_ON_C..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/09/26 15:50:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/04 15:35:52 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/03/03 18:13:40 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
    [2012/03/03 17:48:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Videos
    [2012/03/03 17:48:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
    [2012/03/03 17:48:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/03/03 17:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Deep Cleaners
    [2012/03/03 17:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\U3
    [2012/03/02 22:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2012/02/27 10:56:57 | 000,005,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstee.sys
    [2012/02/27 10:56:56 | 000,010,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndisip.sys
    [2012/02/27 10:56:55 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipsink.ax
    [2012/02/27 10:56:55 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ipsink.ax
    [2012/02/27 10:56:55 | 000,015,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\streamip.sys
    [2012/02/27 10:56:54 | 000,011,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\slip.sys
    [2012/02/27 10:56:52 | 000,019,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wstcodec.sys
    [2012/02/27 10:56:51 | 000,085,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nabtsfec.sys
    [2012/02/27 10:56:50 | 000,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ccdecode.sys
    [2012/02/27 10:56:29 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kswdmcap.ax
    [2012/02/27 10:56:29 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kswdmcap.ax
    [2012/02/27 10:56:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kstvtune.ax
    [2012/02/27 10:56:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kstvtune.ax
    [2012/02/27 10:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
    [2012/02/27 10:56:29 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vidcap.ax
    [2012/02/27 10:56:28 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
    [2012/02/27 10:56:28 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
    [2012/02/27 10:56:27 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksxbar.ax
    [2012/02/27 10:56:27 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ksxbar.ax
    [2012/02/27 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/02/27 10:52:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012/02/27 10:52:35 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
    [2012/02/27 10:44:15 | 000,943,752 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\Owner\Desktop\SkypeSetup.exe
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/04 16:30:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/04 16:26:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/04 16:16:12 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
    [2012/03/04 15:44:56 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/04 15:44:56 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/03 17:48:07 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/03/03 17:39:10 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.scr
    [2012/03/03 17:22:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003UA.job
    [2012/03/02 19:16:46 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/02/27 20:22:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003Core.job
    [2012/02/27 10:56:39 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2012/02/27 10:52:40 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2012/02/27 10:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2012/02/27 10:44:19 | 000,943,752 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\Owner\Desktop\SkypeSetup.exe
    [2012/02/26 23:42:42 | 000,160,083 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bob Evans, Mar., '12.pdf
    [2012/02/22 19:13:28 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2012/02/19 21:04:13 | 000,078,196 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\2012 Cinco flyer.pdf
    [2012/02/17 23:03:19 | 000,132,900 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\5th Annual Cinco DeMayo Dinner Auction flyer 2012.pdf
    [2012/02/16 22:23:25 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
    [2012/02/16 22:23:25 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2012/02/15 22:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2012/02/15 09:56:09 | 000,266,208 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/02/14 23:34:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/02/09 22:56:11 | 000,157,620 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\FMARFEB12.pdf
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/04 16:25:25 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
    [2012/03/04 16:25:25 | 000,719,873 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.com
    [2012/03/03 17:39:04 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.scr
    [2012/02/26 23:42:42 | 000,160,083 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bob Evans, Mar., '12.pdf
    [2012/02/19 21:04:10 | 000,078,196 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\2012 Cinco flyer.pdf
    [2012/02/17 23:03:16 | 000,132,900 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\5th Annual Cinco DeMayo Dinner Auction flyer 2012.pdf
    [2012/02/14 22:36:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/14 22:36:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2012/02/09 22:56:09 | 000,157,620 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FMARFEB12.pdf
    [2012/01/05 10:21:43 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
    [2012/01/05 10:21:43 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRADM10A.DAT
    [2012/01/05 10:21:42 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
    [2011/11/18 22:07:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/10/23 22:30:53 | 000,159,112 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/10/23 20:16:25 | 000,007,573 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
    [2011/10/23 20:15:42 | 000,000,478 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
    [2011/09/28 15:06:01 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/09/27 13:08:42 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2011/09/27 12:57:50 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2011/09/27 12:57:49 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2011/09/27 12:57:49 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2011/09/27 12:57:49 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2011/09/27 12:57:48 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/09/27 08:27:13 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2011/09/26 16:36:13 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
    [2011/09/26 16:36:09 | 000,104,636 | R--- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
    [2011/09/26 16:36:08 | 001,843,784 | R--- | C] () -- C:\WINDOWS\System32\igklg400.dll
    [2011/09/26 16:36:08 | 001,399,880 | R--- | C] () -- C:\WINDOWS\System32\igklg450.dll
    [2011/09/26 15:53:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/09/26 15:48:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/09/26 11:13:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/09/26 11:12:40 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009/06/26 17:21:02 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
    [2008/04/13 18:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/04/13 18:00:00 | 000,435,828 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/04/13 18:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/04/13 18:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/04/13 18:00:00 | 000,068,558 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/04/13 18:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/04/13 18:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/04/13 18:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/04/13 18:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/04/13 18:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2005/04/14 22:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/04/14 22:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2003/06/17 16:20:28 | 000,005,358 | ---- | C] () -- C:\WINDOWS\hpfmdl01.dat
    [2003/06/17 16:13:16 | 000,000,332 | ---- | C] () -- C:\WINDOWS\hpfins01.dat

    ========== LOP Check ==========

    [2012/03/02 22:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    [2012/03/02 19:16:46 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >
    "IgfxTray" = C:\WINDOWS\system32\igfxtray.exe -- [2007/12/19 04:08:08 | 000,135,168 | R--- | M] (Intel Corporation)
    "HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe -- [2007/12/19 04:08:12 | 000,159,744 | R--- | M] (Intel Corporation)
    "Persistence" = C:\WINDOWS\system32\igfxpers.exe -- [2007/12/19 04:07:42 | 000,131,072 | R--- | M] (Intel Corporation)
    "RTHDCPL" = RTHDCPL.EXE -- [2007/11/06 09:50:08 | 016,855,552 | ---- | M] (Realtek Semiconductor Corp.)
    "Alcmtr" = ALCMTR.EXE -- [2005/05/03 17:43:28 | 000,069,632 | ---- | M] (Realtek Semiconductor Corp.)
    "MSC" = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey -- [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation)
    "QuickTime Task" = "C:\Program Files\QuickTime\qttask.exe" -atboottime -- [2011/07/05 17:36:48 | 000,421,888 | ---- | M] (Apple Inc.)
    "HPDJ Taskbar Utility" = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe -- [2003/09/01 06:42:50 | 000,176,128 | ---- | M] (HP)
    "HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" -- [2003/06/25 10:24:48 | 000,049,152 | ---- | M] (Hewlett-Packard)
    "HP Component Manager" = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" -- [2004/05/12 14:18:56 | 000,241,664 | ---- | M] (Hewlett-Packard Company)
    "DeviceDiscovery" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -- [2003/05/21 17:37:08 | 000,229,437 | ---- | M] (Hewlett-Packard)
    "BrStsMon00" = C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN -- [2010/06/10 13:42:44 | 002,621,440 | R--- | M] (Brother Industries, Ltd.)
    "Adobe ARM" = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" -- [2012/01/03 02:37:53 | 000,843,712 | ---- | M] (Adobe Systems Incorporated)
    "VX1000" = C:\WINDOWS\vVX1000.exe -- [2009/06/26 17:21:00 | 000,757,248 | ---- | M] (Microsoft Corporation)

    Invalid Environment Variable: %AllUsersProfile%\*.*

    Invalid Environment Variable: %AppData%\Microsoft\Windows\Start Menu\Programs\*.*

    Invalid Environment Variable: %AppData%\Microsoft\Windows\Start Menu\*.*

    Invalid Environment Variable: %UserProfile%\Desktop\*.*
    < End of report >
     
  14. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | Boot] -- -- (cerc6)
    [2012/03/02 22:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
     
  15. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Do you expect this fix to remove the malware, or should I be ready to jump in with Rkill + Combofix?

    Also, I'm not clear on whether I should reboot once or twice before booting into normal Windows.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Run the fix first.

    Then restart to safe mode (not safe mode with networking) and see if you can get rKill + Combofix working.

    I don't see much more through OTLPE log.
     
  17. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cerc6 deleted successfully.
    Folder C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 03042012_174951

    ------------
    I assume the offending registry file was removed, but upon rebooting into Safe Mode, the malware was yet again too fast for Rkill, therefore sticking it right back in, possibly under a different/randomly generated filename. Are we still making progress?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OK the malware pops up and?
    Can you minimize/close it?
     
  19. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    I can minimize it, but not close it. It generates frequent pop-ups in the lower-right corner of the screen, and occasionally generates a larger pop-up in the center of the screen.

    It basically blocks any other executable file, claiming it as "infected." This includes Task Manager and all flavors of Rkill.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,904   +344

  21. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Presumably, I was able to use Chameleon to update the version of MBAM currently on the infected computer. However, Chameleon itself seems unable to run invisibly beyond that and allow MBAM to run.

    The only indication I have that something different is happening is that AppleMobileServiceDevice.exe is being continually blocked. I received no such notifications previously.

    Edit: *gaaaasp!* After restarting, I managed to run Chameleon again and this time, MBAM opened! It's scanning now!
     
  22. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Rkill Log (once it finally managed to run)
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/05/2012 at 10:33:01.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 03/05/2012 at 10:33:10.

    MBAM Log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 912030505

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/5/2012 10:41:50 AM
    mbam-log-2012-03-05 (10-41-50).txt

    Scan type: Quick scan
    Objects scanned: 203657
    Time elapsed: 11 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (F4D55) Good: (exefile) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\local settings\Temp\0.0826622925700824.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\Temp\0.16349216210994022.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

    ComboFix Log

    ComboFix 12-03-04.02 - Owner 03/05/2012 11:14:32.1.2 - x86
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1028\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1031\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1032\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1033\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1034\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1036\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1040\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1041\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1042\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1046\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1049\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\2052\VX1000.dll
    c:\docume~1\Owner\LOCALS~1\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\2070\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1028\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1031\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1032\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1033\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1034\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1036\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1040\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1041\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1042\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1046\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\1049\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\2052\VX1000.dll
    c:\documents and settings\Owner\Local Settings\Temp\CDM\{9A08AA3F-291C-4AF1-B7D1-07F7D03B0F33}\2070\VX1000.dll
    c:\windows\$NtUninstallKB51305$
    c:\windows\$NtUninstallKB51305$\1245676118\@
    c:\windows\$NtUninstallKB51305$\1245676118\cfg.ini
    c:\windows\$NtUninstallKB51305$\1245676118\Desktop.ini
    c:\windows\$NtUninstallKB51305$\1245676118\L\mnjvahqj
    c:\windows\$NtUninstallKB51305$\1245676118\U\00000001.@
    c:\windows\$NtUninstallKB51305$\1245676118\U\00000002.@
    c:\windows\$NtUninstallKB51305$\1245676118\U\00000004.@
    c:\windows\$NtUninstallKB51305$\1245676118\U\80000000.@
    c:\windows\$NtUninstallKB51305$\1245676118\U\80000004.@
    c:\windows\$NtUninstallKB51305$\1245676118\U\80000032.@
    c:\windows\$NtUninstallKB51305$\1245676118\version
    c:\windows\$NtUninstallKB51305$\2586084552
    .
    Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-05 to 2012-03-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-05 16:01 . 2011-07-15 13:29 456320 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2012-03-05 16:01 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-03-05 15:40 . 2012-03-05 15:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-03-05 15:11 . 2012-03-05 15:11 -------- d-----w- c:\windows\system32\LogFiles
    2012-03-05 15:10 . 2012-03-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F3EDEADFEAD6716A5F1D151FC4E
    2012-03-05 15:09 . 2012-03-05 15:09 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2012-03-04 20:35 . 2012-03-04 20:35 -------- d-----w- C:\_OTL
    2012-03-03 23:13 . 2012-03-03 23:13 -------- d--h--w- c:\windows\PIF
    2012-03-03 22:18 . 2012-03-03 22:18 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
    2012-03-03 03:37 . 2012-03-05 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E
    2012-03-02 02:50 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14A5EA6B-9620-4258-9686-A580700AB293}\mpengine.dll
    2012-02-27 15:52 . 2012-02-27 15:52 -------- d-----w- c:\program files\Common Files\Skype
    2012-02-27 15:52 . 2012-02-27 15:52 -------- d-----r- c:\program files\Skype
    2012-02-15 03:36 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-02-15 03:36 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-23 00:13 . 2011-09-27 17:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-08 06:03 . 2011-09-29 21:02 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-01-31 12:44 . 2011-09-28 13:10 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-12 16:53 . 2008-04-13 23:00 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:46 . 2008-04-13 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2008-04-13 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2008-04-13 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2008-04-13 23:00 385024 ------w- c:\windows\system32\html.iec
    2011-09-23 04:28 . 2011-09-27 17:53 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-15 17146504]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-09-01 06:15 136176 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 05:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2012-02-15 18:35 17146504 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\mshta.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [1/5/2012 10:21 AM 245760]
    R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [9/27/2011 8:26 AM 51288]
    R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [9/27/2011 8:26 AM 43608]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/15/2012 1:30 PM 158856]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [3/5/2012 10:09 AM 24064]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 06:15]
    .
    2012-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1960408961-1417001333-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 06:15]
    .
    2012-03-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=14
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hatyqb65.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.xfinity.com/?cid=insDate01042012
    FF - prefs.js: browser.search.selectedEngine - Xfinity
    FF - prefs.js: browser.startup.homepage - hxxp://www.xfinity.com/?cid=insDate01042012
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-05 11:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3332)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\DRIVERS\o2flash.exe
    c:\program files\HP\hpcoretech\comp\hptskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-05 11:25:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-05 16:25
    .
    Pre-Run: 229,583,056,896 bytes free
    Post-Run: 230,205,763,584 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - A161173C1D8E908EB974CC8CA9537D5C
     
  23. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Good :)
    We're getting somewhere.

    Combofix log looks good.

    How is computer doing overall?

    See if you can update and run MBAM normally now.

    Then....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  24. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Performance-wise, everything appears to be back to normal. I can access MBAM, other programs and Internet just fine - including this page. However, I did not feel comfortable returning the machine until I got the final OK from you.

    aswMBR Log
    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-05 17:24:12
    -----------------------------
    17:24:12.312 OS Version: Windows 5.1.2600 Service Pack 3
    17:24:12.312 Number of processors: 2 586 0xF0D
    17:24:12.312 ComputerName: OWNER-87794DCF5 UserName: Owner
    17:24:13.765 Initialize success
    17:27:24.968 AVAST engine defs: 12030501
    17:29:30.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    17:29:30.781 Disk 0 Vendor: ST925031 0001 Size: 238475MB BusType: 3
    17:29:31.140 Disk 0 MBR read successfully
    17:29:31.140 Disk 0 MBR scan
    17:29:31.171 Disk 0 Windows XP default MBR code
    17:29:31.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
    17:29:31.218 Disk 0 scanning sectors +488376000
    17:29:31.406 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:29:41.812 Service scanning
    17:30:00.000 Modules scanning
    17:30:04.468 Disk 0 trace - called modules:
    17:30:04.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iastor.sys
    17:30:04.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a453868]
    17:30:04.500 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a4beab0]
    17:30:04.500 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a454028]
    17:30:05.453 AVAST engine scan C:\WINDOWS
    17:30:14.468 AVAST engine scan C:\WINDOWS\system32
    17:32:55.156 AVAST engine scan C:\WINDOWS\system32\drivers
    17:33:18.515 AVAST engine scan C:\Documents and Settings\Owner
    17:33:40.750 File: C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\56ff4559-63689346 **INFECTED** Win32:MalOb-IB [Cryp]
    17:33:41.468 File: C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\60\3476e1fc-33db3c5a **INFECTED** Win32:FakeSysdefs-A [Trj]
    17:37:03.375 AVAST engine scan C:\Documents and Settings\All Users
    17:37:05.421 File: C:\Documents and Settings\All Users\Application Data\F4D55F3E000183636716A5F1D151FC4E\F4D55F3E000183636716A5F1D151FC4E.exe **INFECTED** Win32:FakeAlert-CCS [Trj]
    17:37:05.578 File: C:\Documents and Settings\All Users\Application Data\F4D55F3EDEADFEAD6716A5F1D151FC4E\F4D55F3EDEADFEAD6716A5F1D151FC4E.exe **INFECTED** Win32:FakeAlert-CCS [Trj]
    17:37:17.937 Scan finished successfully
    17:40:33.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    17:40:33.484 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

    Bootkit Remover output
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  25. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Of course :)

    Update MBAM, run quick scan and post new log.

    Then re-run aswMBR one more time.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...